
#35410 Is it a Malicious File or a False-Positive?

Posted in ‘Akeeba Backup for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Backup version
n/a

Latest post by foxywd on Tuesday, 22 June 2021 04:32 CDT

foxywd

I got an email yesterday from my hosting provider with a warning of file inclusion and it was directly to one of akeeba backup folders. Check:

This is an automated alert to inform you that we have detected a malicious attempt to access your account via http or ftp on our server.
We have put the following content into quarantine as we believe it contains viruses or other malicious code. If you feel this has been in error and
your file is false-positive (innocent), please submit a ticket to us and we will be happy to assist:

 '[RFI Exploit [P1419]]': /public_html/administrator/components/com_akeeba/backup/b074232b.sql

I have also installed Admin Tools Pro and I didn't get any DFI Shield notification. So I wonder, is it a real malware or a false-positive?

Thanks

nicholas
Akeeba Staff
Manager

This is a false positive.

The administrator/components/com_akeeba/backup folder on your site is the default backup output directory. This is where Akeeba Backup's backup archives are created. This is also where temporary files are created. When taking a backup, one of the steps is the database backup. Akeeba Backup writes the database dump into a temporary .sql file. When that file is big enough (according to your Configuration options, default is around 256KB) it is added to the backup archive and removed from your site.

It looks like your host is idiotically scanning your site for files with a .sql extension. If these files exist and have SQL (database) commands — in other words, their EXPECTED FILE CONTENTS, it sends you an email that these non-executable text files are a "virus" (executable code) or malicious. In other words, your host is run by amateurs who can't tell a non-executable SQL file from an executable virus/malware file. To put things in perspective, Joomla itself and all of its extensions include .sql files for the database installation and update. It's perfectly safe since .sql files CAN NOT execute by themselves. They'd require, you guessed it, executable PHP code to load them and execute them against your site's database. Saying that a .sql file is a virus or malicious file is like claiming that your car's clutch is a weapon used by terrorists just because a terrorist could use it to drive a car into a crowd. In short, it's beyond absurd. I'd say it's utterly moronic, if I wanted to be charitable.

My professional recommendation is to IMMEDIATELY look for a new host, preferably one run by people who actually know what they are doing.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

foxywd

Hahaha... I could feel your indignation about this.

Thanks a lot for your answer and complete explanation. I appreciate it.

And of course we'll start looking for a better option of hosting. Thanks for that as well.

Have a great day :)

nicholas
Akeeba Staff
Manager

You're welcome :)

Some background info for people who might stumble into this public ticket. We write our own file scanner but we at least try really hard to not misrepresent the significance of its results. Scanning source code is very much like scanning poetry and trying to derive its meaning. Computers really suck at it — at least right now.

When we see a host that communicates a scanner's results as something definitive we do get upset. It's not because we'll spend an extra five minutes to explain why the file is not malicious. The main problem is that a host doing that results in eroding the trust in any kind of security scanner and security solution. Users start ignoring solid security advice which results in them getting hacked. This undermines the trust in the CMS. Many users will end up using a managed solution like Wix or Squarespace. This is a net loss, first and foremost for the hosting company.

Further to that, we have seen a very strong correlation between bad hosting and hosts which communicate file scanner results as something definitive. Instead of tightening security where it matters (analysing traffic patterns, defence against known attacks, monitoring email traffic to avoid spam etc) they go for the "cop out" solution of blindly trusting a file scanner which would report anything and everything useful as potentially dangerous. Instead of analysing its results to gain insight, block actually harmful scripts and whitelist innocuous files they choose to communicate everything as a definitive issue to their clients, essentially shifting the responsibility of maintaining a safe hosting environment from the hosting company to its users. This is just plain dumb and will most definitely backfire.

You'd think that both points would be fairly obvious to someone who's providing hosting services for a living. And yet, some of them just don't get it. They are happy cutting corners in the name of increasing their short term bottom line profit. Sigh...

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
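The following is an added example, not code from the ticket or from Akeeba Backup itself. It puts the two points above into runnable form: first, a hypothetical re-implementation of the chunked database dump that Nicholas describes (rows go into a temporary .sql file in the backup output directory; once that file reaches the chunk size, roughly 256KB by default according to the post, it is stored in the archive and removed, so a scanner running mid-backup sees a short-lived .sql file); second, the kind of analysis the second reply says a host should do before telling a customer a file is malware: confirm the hit is a plain-text SQL dump in a known backup output directory with no PHP open tag, and only escalate what fails that check. The archive member names, the alert-line parser (modelled on the host's line quoted in the ticket) and all sample rows are constructed assumptions.

```python
import os
import re
import tempfile
import zipfile

# The post says the default chunk size is "around 256KB"; the exact figure is an assumption.
DUMP_CHUNK_BYTES = 256 * 1024

# Hypothetical alert format, modelled on the host's line quoted in the ticket:
#   '[RFI Exploit [P1419]]': /public_html/.../backup/b074232b.sql
ALERT_RE = re.compile(r"'\[(?P<label>[^\[\]]+?)\s*\[(?P<sig>[^\]]+)\]\]':\s*(?P<path>\S+)")

# A database dump never needs a PHP or script open tag; finding one is the real anomaly.
PHP_MARKER = re.compile(rb"<\?php\b|<\?=|<script\b", re.IGNORECASE)
SQL_START = re.compile(
    r"^\s*(?:--|/\*|#|(?:CREATE|DROP|INSERT|REPLACE|UPDATE|DELETE|ALTER|SET|LOCK|UNLOCK"
    r"|USE|TRUNCATE|START|COMMIT)\b)",
    re.IGNORECASE,
)


def write_dump_in_chunks(rows, output_dir, archive_name="site-backup.zip", chunk_bytes=DUMP_CHUNK_BYTES):
    """Simulate a chunked dump (hypothetical, not Akeeba's code): append rows to a temporary
    .sql file; whenever it reaches chunk_bytes, store it in the archive and delete it.
    Returns (archive_path, number_of_parts). No .sql file is left behind afterwards."""
    archive_path = os.path.join(output_dir, archive_name)
    tmp_path = os.path.join(output_dir, "dump.sql")
    parts = 0
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as archive:
        fh = open(tmp_path, "w", encoding="utf-8")
        for row in rows:
            fh.write(row + "\n")
            fh.flush()
            if os.path.getsize(tmp_path) >= chunk_bytes:
                fh.close()
                archive.write(tmp_path, f"dump.s{parts:02d}")  # constructed member name
                os.remove(tmp_path)  # the transient .sql file disappears here
                parts += 1
                fh = open(tmp_path, "w", encoding="utf-8")
        fh.close()
        if os.path.getsize(tmp_path) > 0:
            archive.write(tmp_path, f"dump.s{parts:02d}")
            parts += 1
        os.remove(tmp_path)
    return archive_path, parts


def parse_alert_line(line):
    """Extract (label, signature id, path) from one alert line; None if it does not match."""
    m = ALERT_RE.search(line)
    return None if not m else (m.group("label"), m.group("sig"), m.group("path"))


def triage_sql_file(path, allowed_dirs):
    """Return ('benign', []) for a plain-text SQL dump inside a known backup output
    directory, or ('review', reasons) listing every check that failed."""
    reasons = []
    if not path.lower().endswith(".sql"):
        reasons.append("extension is not .sql")
    allowed = {os.path.normpath(d) for d in allowed_dirs}
    if os.path.normpath(os.path.dirname(path)) not in allowed:
        reasons.append("not inside a known backup output directory")
    with open(path, "rb") as fh:
        data = fh.read()
    if b"\x00" in data:
        reasons.append("contains NUL bytes (binary, not a text dump)")
    if PHP_MARKER.search(data):
        reasons.append("contains a PHP/script open tag (a dump never needs one)")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        reasons.append("not valid UTF-8 text")
        text = ""
    first = next((ln for ln in text.splitlines() if ln.strip()), "")
    if text and not SQL_START.match(first):
        reasons.append("first statement does not look like SQL")
    return ("benign" if not reasons else "review"), reasons


def run_demo(chunk_bytes=4096):
    """Build constructed samples in a temp dir, run both halves, return the results."""
    out_dir = tempfile.mkdtemp(prefix="backup-demo-")
    rows = ["-- constructed sample dump",
            "CREATE TABLE `jos_content` (`id` INT, `title` VARCHAR(255));"]
    rows += [f"INSERT INTO `jos_content` VALUES ({i}, 'Constructed article {i}');" for i in range(300)]
    archive, parts = write_dump_in_chunks(rows, out_dir, chunk_bytes=chunk_bytes)
    clean = os.path.join(out_dir, "b074232b.sql")      # a dump caught mid-backup
    with open(clean, "w", encoding="utf-8") as fh:
        fh.write("\n".join(rows) + "\n")
    tainted = os.path.join(out_dir, "tainted.sql")     # constructed: SQL name, PHP inside
    with open(tainted, "w", encoding="utf-8") as fh:
        fh.write("-- looks like a dump\n<?php echo 'constructed marker'; ?>\n")
    alert = "'[RFI Exploit [P1419]]': /public_html/administrator/components/com_akeeba/backup/b074232b.sql"
    return {
        "parts": parts,
        "leftover_sql_after_backup": sorted(f for f in os.listdir(out_dir) if f == "dump.sql"),
        "archive_members": len(zipfile.ZipFile(archive).namelist()),
        "clean_verdict": triage_sql_file(clean, [out_dir])[0],
        "tainted_verdict": triage_sql_file(tainted, [out_dir])[0],
        "alert_path": parse_alert_line(alert)[2],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The allow-list plus content check is the whole difference between a scanner result and a finding: the .sql hit from the ticket comes back "benign", the file with a PHP open tag comes back "review" with the reason attached, and nothing about a file's extension alone decides either way.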

foxywd

Good points as well. :) Thanks.
