The Malware Warning Review Process

Friday, October 9, 2009 10:38 AM



As part of Cyber Security Awareness Month, Google's Anti-Malware Team is publishing a series of educational blog posts inspired by questions we've received from users. October is a great time to brush up on cyber security tips and ensure you're taking the necessary steps to protect your computer, website, and personal information. For general cyber security tips, check out our online security educational series or visit http://www.staysafeonline.org/. To learn more about malware detection and site cleanup, visit the Webmaster Tools Help Center and Forum.

Google's anti-malware efforts are designed to be helpful to both webmasters and website visitors. Google continuously scans our web index for pages that could be dangerous to site visitors. When we find such pages, we flag them as harmful in our search results, and also provide this data to several browsers so that users of these browsers will receive warnings directly. We undertake this process as part of our security philosophy: we believe that if we all work together to identify threats and stamp them out, we can make the web a safer place for everyone. While we believe these processes are important steps in helping to protect our users, we also understand the frustration felt by the webmasters of flagged sites. This is why we notify webmasters as soon as we discover that their sites have been compromised. Additionally, we provide webmasters with a tool to file a review once they have cleaned their site. The review process works as follows.

Part 1: The webmaster's job: The first step is site cleanup. The webmaster should remove all harmful content from the site. We realize that it can be tricky to find all the infections on a website, and webmasters should look thoroughly if the warning label persists. Keep in mind that if your site contains elements from another website that may have been compromised, it will remain flagged. This is because your site could still introduce harm to visitors. To prevent reinfection, the webmaster should also identify and fix the underlying software vulnerability that led to site compromise in the first place. For a guide on how to do this, visit stopbadware.org/home/security.
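The paragraph above notes that a cleaned site stays flagged while it still embeds elements from another, possibly compromised, website. Before requesting a review, a webmaster therefore needs an inventory of every remote script, frame, or object the page pulls in. The following Python script is an added example, not code from the original post or from Google: it parses a page's HTML with the standard library and lists the includes whose host differs from the site's own, so each one can be checked. The page URL, host names, and HTML below are constructed sample values.

```python
# Added example (not from the original post): inventory the third-party
# resources a page loads, so a webmaster cleaning a flagged site can review
# each remote include. All host names and the sample page are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser fetch and execute or render remote content.
_REMOTE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "link": ("href",),
    "img": ("src",),
}


class RemoteIncludeParser(HTMLParser):
    """Collect (tag, absolute_url) pairs for elements that load remote content."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.includes = []

    def handle_starttag(self, tag, attrs):
        wanted = _REMOTE_ATTRS.get(tag)
        if not wanted:
            return
        attr_map = dict(attrs)
        for name in wanted:
            value = attr_map.get(name)
            if value:
                # Resolve relative and protocol-relative references against the page URL.
                self.includes.append((tag, urljoin(self.base_url, value.strip())))


def third_party_includes(html, page_url):
    """Return a sorted list of (tag, url) whose host is not the page's own host.

    Inline scripts, data: URIs and javascript: URIs have no fetchable host and
    are skipped; '//host/path' references are resolved to the page's scheme.
    """
    own_host = (urlsplit(page_url).hostname or "").lower()
    parser = RemoteIncludeParser(page_url)
    parser.feed(html)
    result = set()
    for tag, url in parser.includes:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        if parts.hostname.lower() != own_host:
            result.add((tag, url))
    return sorted(result)


# Constructed sample page for a fictional site; every host below is a placeholder.
SAMPLE_URL = "http://www.example-site.test/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="js/app.js"></script>
<script src="//widgets.third-party.test/counter.js"></script>
</head><body>
<iframe src="http://ads.another-party.test/frame.html"></iframe>
<img src="http://www.example-site.test/logo.png">
<script>var inline = 1;</script>
<a href="http://www.other.test/">link</a>
</body></html>
"""

if __name__ == "__main__":
    # Each line printed here is a remote dependency the webmaster should review.
    for tag, url in third_party_includes(SAMPLE_HTML, SAMPLE_URL):
        print(f"{tag:8s} {url}")
```

Plain hyperlinks (`<a href>`) are deliberately not listed: a link the visitor must click does not load content into the page, whereas a script or frame executes or renders on every visit, which is what keeps a site flagged.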

Once a webmaster has cleaned up the site, a Malware Review can be filed with Google's Webmaster Tools (please note that a Malware Review request is not the same as an Index Reinclusion request). The process for Malware Review is as follows:
  1. Log in to Webmaster Tools.
  2. From the Tool's home page click on the link to the site that is being flagged. This will bring you to the site's Dashboard.
  3. There should be a large red banner across the top of the dashboard that says "This site may be distributing malware." Clicking on the link that says "More Details" expands the dashboard to reveal a list of pages on the site that were found to be malicious.
  4. Below this list is a link that says "Request a review." A webmaster can fill out this form and click the "Request a review" button to initiate the review process.
More detailed instructions can be found here.


Part 2: Our job: Upon receiving a Malware Review request, an automated set of algorithms verifies that the site has been cleaned. These algorithms revisit a subset of both the malicious and non-malicious pages that were scanned when the site was originally flagged. Additionally, these algorithms test some pages that were not originally scanned. If none of the tested pages are found to be malicious, the site is deemed to be safe, and warnings are removed from search results. A typical appeal takes only several hours to complete, although in some cases the process may take up to one day.

In addition to processing appeal requests from webmasters, we also rescan compromised sites periodically.

We encourage webmasters of infected sites to quickly clean their web pages and proactively request reviews through Webmaster Tools. After the site has been thoroughly cleaned and reviewed, it will no longer show a warning on Google's search results pages or through the browsers making use of our data.

7 comments:

Blair Anderson said...

Malware removal processes by Google are fatally flawed. Blogger (***.blogspot.com) arbitrarily removes a blog from cyberspace, without any notification, and then leaves no route to resolution by the blog owner. How can they correct ANY flaw if it has been removed completely? (forget any liability on Google for quality of service!)
This occurred in my case, to http://mildgreens.blogspot.com
Google has been unable to answer ANY correspondence as to why, how or procedures for recovery. And these same people expect us to trust them with our cloudspace, our digital access, even our phones!

william said...

This is damaging my business and my family! I have two files, a simple html file and an swf file. My business is a simple 3d rendering company, and I am a sole-proprietor. Now that this "REPORTED SITE ATTACK" comes on, I am sure I am losing business and my family can feel the impact. There never has been any malware / spyware / whatever on my site. You would think that Google, with all its power and cash, would not make a mistake that would cause such devastation to a guy like me, who is just trying to make a living for himself and his family.

kaleh said...

As a volunteer, who spends a lot of time in the Malware and Hacked sites section of the Google Webmaster Help Forum, I would like to clarify something here.

For the benefit of other readers, I would like to point out that the problem that Blair Anderson had with his blog was not a problem with the normal malware warning removal process.

When a non-blogspot site is flagged for malware, the owner/administrator still has access to their site in order to resolve the problem and "Request a Review." This process works as it should (even though some people struggle with detecting the malware issue and following through with requesting a review.) I think that most people are successfully helped with this process when they ask for assistance in the Webmaster Help Forum.

However, in the case of a number of bloggers flagged for malware because of popular widgets that began directing users to malicious sites, many blogs were not only flagged for malware, but were also disabled by Blogger.

Most sites flagged for malware today are not flagged because they are intentionally hosting or distributing malware, but because their sites have been hacked, or because of other elements on their sites that call content from remote sites that have become malicious.

However, the sites are not made inaccessible to the site owner/administrator and they are able to fix them, request a review, and be back to normal within 24 hours (or so) of requesting a malware review.

Owners of blogspot blogs did not have the luxury of "fixing" their blogs because of actions that Blogger took to disable the blogs. Blogger provided a form to submit review requests to Blogger. Many were restored early in this process, however, others still seem to be languishing. I don't know why the discrepancy, but do hope that Blogger gets that issue resolved for the remaining disabled blogs, as well as future incidents.

kaleh said...

@william

Frequently, owners of flagged sites are not able to determine what caused their sites to be flagged, without assistance. It is common for them to assume that Google has made a mistake, when no such mistake was made.

Over and over again, people post in the Google Webmaster Help forum, starting their post with claims of Google mistakenly flagging their sites, and demanding an immediate resolution. They are indignant that their site has been flagged and are simply unaware of the many ways that the bad guys can use the owner's site to drive traffic to malicious content.

Sometimes, within minutes of posting in the Webmaster Help Forum, a volunteer has pointed out at least one issue with the site that is causing it to be flagged. At that point, the site owner becomes aware that Google has not made a mistake, and can channel their energy toward learning as much as possible about what happened and what to do about it.

I do hope that you found your way to the Webmaster Help Forum and not only got your issue resolved, but also came away with a greater understanding about issues related to malware and hacked sites.

Gordon said...

I did request a "malware" review for my site after cleaning it, but there is no response after more than a day. Your FAQ describes the review as automated. If it is, why do I see no response?

Blair Anderson said...

Kaleh does this blogger a disservice in suggesting my complaint was not a problem with the normal malware warning removal process. IT WAS EXACTLY THAT. They admitted it to the New Zealand media. They never said sorry it took months to sort out. They never identified what was the broken link... they certainly blamed 'bloglinker' but not for ANY of the links that I had (and none that I had linked to were hacked either). They made that bit up. Of that I am quite sure. It did take a personal representation to Google's Santa Monica offices which saw it restored within the hour. (pretty appalling since I had to fly from New Zealand to do so.... )
My greatest beef was that Google took so long, ignored all requests to discuss, and never spoke with me directly. They did speak to media... about me and my blog. I was left believing my blog (of over 1000 entries) had been completely wiped. Kaleh should re-read my comments elsewhere on the blogger support forums. I was disgusted with Google's business model as much as I was disturbed they could arbitrarily remove without as much as a 'here is why'.
It was NEVER about malware. I have a website with exactly the same code from BlogLinker, with the same links. It works perfectly. They are all credible links, many of which are directly referenced in my blog entries, none of which Google's malware engines detected as 'anything' of note. I guess Google is not too big to stuff things up... even I accept that. But the evidence is in, they continued to do it badly, and showed no contrition. So, what have they learned? If the answer is bugger all... then that is instructive to those who use and/or depend on Google delivering a QoS.

Riham Succar said...

Hi Google
I was playing a game which has 4 pics and letters, to find out a word common between the pics.
All I did on Google was I wrote the letters and asked what words they give,
and I got some kind of block.
It's unfair.
Thank you
Riham