
Practical Guide to Dealing With Google's Malware Warnings

For webmasters and site owners

To protect web surfers, Google is continually working to identify and blacklist dangerous pages. Many popular applications (Google Search, Google Chrome, Firefox, Safari, etc.) use Google's malware database to warn their users to keep away from potentially harmful sites.

The majority of blacklisted sites are compromised legitimate websites on which hackers have placed malicious content. Their owners have a hard time both cleaning up their sites and removing the malware warnings that badly affect their sites' traffic and reputation.

This guide will provide you with practical information about how to remove your site from Google's malware database and how to avoid common mistakes that can leave cleaned-up sites blacklisted for a long time.

You can use this form to check if your site is currently listed as suspicious

If your site is blacklisted and you want to resolve this issue, you should:

  1. Correctly interpret Google's Safe Browsing advisory and find out the reason why your site has been blacklisted
  2. Clean up (and secure) your site
  3. Request a malware review via Google's Webmaster Tools

1. Interpreting Diagnostic Pages

To find out what's wrong with the site, consult Google's Safe Browsing diagnostic page for it (use the form above).

You may find the diagnostic page difficult to understand. The following instructions will help you extract the most important information.

What? First of all, you should determine what exactly is blacklisted by Google. You can get this information at the very top of the diagnostic page that says “Diagnostic page for <URL>”, where URL is the topmost level at which all web pages are blocked. Examples:

blog.example.com/pages/page1.html - only this page
blog.example.com/pages/ - everything below /pages
blog.example.com - the whole blog
example.com - the whole domain and its subdomains

This information can help you narrow down your searches to specific sections of your site.

When? Then find out when Google last visited your site (scan date) and when the suspicious content was last found (discovery date). You can find these dates in the “What happened when Google visited this site?” paragraph. You should compare these dates with the date of your last attempt to clean up the site (cleanup date).

Here's what you should know about these dates:

  1. Google doesn't scan your site every day. The Internet is big and it may take weeks between consecutive scans of your site.
  2. Google is not aware of anything that happened to your site after the scan date. If you want Google to pick up your latest changes, you should request a malware review via Google Webmaster Tools - this will make Google rescan your site within a few hours.
  3. If your site is blacklisted, the scan date and the discovery date are usually the same.
  4. In some cases, the site can be blacklisted but the scan date is more recent than the discovery date. It is important to correctly interpret this situation.

    Google's unofficial explanation is confusing: “The review may have found "suspicious" content that was not "suspicious" enough to have added the site to the malware list - but it is "suspicious" enough to prevent it being removed from the list”.

    In our experience, this usually means that Google hasn't found anything suspicious on the site but they are not sure if this is a permanent change or just an attempt to game their system. So they put the site in quarantine and it may take one or more scans before they are sure the change is permanent and the warning is removed.

    What can trigger such a situation?

    • You have cleaned up your site but didn't request a malware review. - Without the request it may look as if you have removed the malicious code from some pages but still need to fix many more, and that Google should wait for your explicit request once you are done.
    • You have removed the infected (or all) web pages and requested the review. - Google may suspect that you will restore the infected web pages after a successful review. Instead of removing web pages, remove only the malicious content.

Why? If you still don't know why Google thinks your site is suspicious, the information about malicious and intermediary domains may help you identify and locate the source of the problem.

This information can be found in the “What happened when Google visited this site?” section of the diagnostic page. Check for sentences that read like the following:

“Malicious software is hosted on N domain(s), including <malicious domains here>”

“N domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including <intermediary domains here>”

One way or another, there should be traces of these domains on compromised sites. It may be a hidden iframe, an external script, or an unauthorized redirect. So start by scanning your files for these domain names.

Intermediary domains should be your priority in the investigation. These are the domains that the malicious content on your site links to.

Sometimes, when hackers point a compromised site directly to servers with malicious content (or when Google can't determine the final destination of the malicious chain), the diagnostic page won't mention intermediary domains and you should be looking for the malicious domains.

What if you can't find references to the malicious domains?

Unfortunately, references to malicious sites are usually obfuscated and cannot be revealed by simple scans. Please note that hackers change the domain names of their sites pretty often (so that they can't be blocked) and they can update the malicious content on compromised legitimate websites every day to make sure that it links to the new domains. As a result, Google's diagnostic page may mention malicious and intermediary domains that can no longer be found on your site (they have already been replaced with new domains).
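A scanner for the "search your files for these domain names" step above that also covers the obfuscated spellings just mentioned (percent-encoded, JavaScript \xNN and \uNNNN escapes, reversed strings) and flags zero-size or hidden iframes. This is an added example, not a tool from Unmask Parasites; the domain names and the sample page are constructed placeholders.

```python
import re
from pathlib import Path

# Constructed placeholders for the domains a diagnostic page lists (not real indicators).
LISTED_DOMAINS = ["intermediary.example", "malware-host.example"]

def js_hex(s):
    """Encode a string as JavaScript \\xNN escapes, one common way injected code hides a domain."""
    return "".join("\\x%02x" % ord(c) for c in s)

def domain_patterns(domain):
    """Regexes matching a domain written plainly and in common obfuscated spellings."""
    return {
        "plain": re.escape(domain),
        "percent": "".join("%%%02X" % ord(c) for c in domain),            # %69%6E...
        "js_hex": re.escape(js_hex(domain)),                                # \x69\x6e...
        "js_unicode": re.escape("".join("\\u%04x" % ord(c) for c in domain)),
        "reversed": re.escape(domain[::-1]),   # un-reversed at runtime by split/reverse/join
    }

# Hallmarks of an iframe the visitor is not meant to see.
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*(width\s*=\s*["\']?0|height\s*=\s*["\']?0|display\s*:\s*none|visibility\s*:\s*hidden)', re.I)

def scan_text(text, path="<memory>"):
    """Return (path, line_no, finding) tuples for listed domains and hidden iframes."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for domain in LISTED_DOMAINS:
            for kind, pat in domain_patterns(domain).items():
                if re.search(pat, line, re.I):
                    hits.append((path, n, "%s (%s)" % (domain, kind)))
        if HIDDEN_IFRAME.search(line):
            hits.append((path, n, "hidden iframe"))
    return hits

def scan_tree(root, suffixes=(".html", ".htm", ".php", ".js", ".css", ".txt")):
    """Walk a site's document root and scan every text file with a matching suffix."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            hits.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return hits

# Constructed sample page: a zero-size iframe plus a hex-escaped domain (not real injected code).
SAMPLE = (
    "<p>Welcome to the blog</p>\n"
    '<iframe src="http://intermediary.example/in.php" width="0" height="0"></iframe>\n'
    "<script>var u='http://" + js_hex("malware-host.example") + "/a.js';</script>\n"
)

if __name__ == "__main__":
    for hit in scan_text(SAMPLE, "sample.html"):
        print(hit)
```

Run scan_tree() against a copy of the document root; a hit on a line you did not write is a starting point, and a clean run does not prove the site is clean, since the domains may have been swapped since Google's scan.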

If you can't find the “bad” content, try searching the web for the domain names listed on the diagnostic page. The chances are that someone else has already figured out how those domain names are involved in website exploits.


One of the places where you can find reviews of prevalent hacker attacks is my Unmask Parasites blog.

You might also want to ask for help in the "Malware & hacked sites" section of Google's Webmaster Help forum or at BadwareBusters.org.

Malware Details

Since October 2009 Google has provided an experimental feature called "Malware Details." If your site is blacklisted, in the Labs section of Google Webmaster Tools you can choose the Malware details option and see samples of the malicious content detected on your site. Note that this feature is experimental and in certain situations Google won't be able to provide useful information there.


2. Clean Up Your Site

Once you've identified the source of the problem, you should clean up your site and take action to prevent reinfection.

Usually the easiest way to clean a site is to restore everything (files, database, configuration files) from a clean backup copy.

Make sure hackers haven't left any backdoor scripts on your server. Malicious files can be hidden deep in the directory structure and may look like legitimate files. So you might want to delete everything before restoring the site from a backup.
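One way to check for leftover files before trusting a restore: hash every file under the live document root and under the clean backup, then list what exists only on the live site, what differs, and what is missing. This is an added example (not Unmask Parasites' own code); the file trees it builds are a constructed fixture with a placeholder "backdoor" file.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}

def diff_against_backup(live_root, backup_root):
    """Compare the live document root with a clean backup.
    added:   only on the live site (candidate backdoors or dropped files)
    changed: same path, different content (candidate injected code)
    missing: in the backup but gone from the live site"""
    live, backup = snapshot(live_root), snapshot(backup_root)
    return {
        "added": sorted(set(live) - set(backup)),
        "changed": sorted(p for p in live if p in backup and live[p] != backup[p]),
        "missing": sorted(set(backup) - set(live)),
    }

# Constructed fixture: a clean backup, and a live copy with one altered page and one
# extra file hidden in an uploads directory under a legitimate-looking dotfile name.
CLEAN = {"index.php": "<?php echo 'hello'; ?>\n", "images/logo.png": "PNG-bytes\n"}
INFECTED = {**CLEAN,
            "index.php": CLEAN["index.php"] + "<script>/* injected */</script>\n",
            "images/thumbs/.cache.php": "<?php /* constructed backdoor placeholder */ ?>\n"}

def write_tree(root, files):
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)

def demo():
    """Build both trees in a temporary directory and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp) / "backup", CLEAN)
        write_tree(Path(tmp) / "live", INFECTED)
        return diff_against_backup(Path(tmp) / "live", Path(tmp) / "backup")

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run diff_against_backup() on the real trees before wiping and restoring, and keep the "added" and "changed" lists: they show where the hole was exploited and are evidence to hand to whoever investigates the root cause.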

When your site is clean, you should prevent reinfection. Hackers use automated tools and can update malicious content on compromised sites every day. So if you don't secure the site, it may be blacklisted again very soon, or may not even pass the malware review at all.

It is important to investigate the issue and identify the security hole so that you know what caused your specific problem and what should be done to prevent it.

Every case is different so there cannot be universal instructions, just best practices.

  • Start with PCs that you use to work with the site. It's important to keep them virus-free.
    • Scan for malware
    • Keep your essential software up-to-date (online test by Secunia):
      • OS
      • web browser
      • browser plugins (e.g. Flash, Java, Adobe Reader, QuickTime, etc.)
      • anti-virus and/or anti-spyware tools
    • Use browser security extensions like NoScript to minimize risks of being infected while surfing the web.
  • Change all site passwords. Refrain from saving the new passwords in FTP programs, from which malware can easily steal them.
  • If possible, use only secure protocols like SFTP or FTPS. FTP is an insecure protocol that transmits your credentials unencrypted (in clear text), which makes them easy to steal. Most modern FTP clients support secure protocols and you don't have to learn how to use new programs - just change the protocol in the settings. If your hosting plan doesn't include support for secure protocols, you might want to find another web host that provides this feature.
  • Update all third-party scripts. If you use any third-party software on your site (blog, forum, CMS, wiki, e-commerce solution, etc), make sure its version is up-to-date. Hackers specifically target vulnerabilities in popular scripts and with their automated tools, they can start a massive attack against vulnerable sites just a few hours after the discovery of a new security hole. So if the vendor of the script releases a security patch, it's in your best interest to upgrade as soon as possible. (You can check security advisories for your software at Secunia.)

3. Request Malware Review

This step is required if you want to quickly remove your site from Google's blacklist. Once you submit the request, it'll take just a few hours to complete the review and remove the warning if your site is clean. Without the request, it may take several weeks before your site's status is cleared.

The request does two important things:

  1. It tells Google that the owner of the site is aware of the problem and has already taken action to remove the malicious content. This shifts the odds in your favor when Google has to make a decision on ambiguous scan results.
  2. It puts the site on a priority list (it should be scanned within 24 hours).

To be able to request the review, you should add your site to Google Webmaster Tools and verify ownership of the site. Make sure to add the www and non-www versions of the site (you'll need to request the review at the level where your site is blocked).

Once the site ownership is verified, open the site in Webmaster Tools. In the Dashboard, you'll see a prominent message in a red frame that says "This site may be distributing malware". Click on the link that says "More Details" to expand it. At the bottom of the message click on the "Request a review" link.

Alternatively, you may find the "Request a review" link on the "Malware" page of the "Diagnostics" section.

What if you don't see the "This site may be distributing malware" warning?

  • You may need to wait for a couple of hours before Webmaster Tools picks up the new status of the site.
  • If you don't see the warning in the Dashboard for example.com, try to check the Dashboard for www.example.com.
  • Are you sure your site is blacklisted? Sometimes you can see a warning in a browser but the site itself is not blacklisted. This happens when your browser detects in real time that a web page contains elements from a malicious site. This is called a cross-site warning. In this case you should clean up the site, but the malware review is not required.

Don’t be afraid to request the review even if you are not sure that your site is completely clean. If any security issues are detected during the review, they will be reported in your Webmaster Tools account. Then you can fix them and request another review.

Don’t delete infected web pages. If Google reports specific URLs as examples of web pages where malicious content was found, it expects to find these pages clean during the review. If the pages cannot be found, Google may assume they were temporarily removed just to pass the review. If you don’t need specific pages, try to empty them (you can remove them after a successful review) or configure your web server to return the 410 Gone status for them.

Malware Review vs Reinclusion Reconsideration

Don't confuse requesting a malware review with requesting reconsideration of your site (for reinclusion into the search index). Malware reviews are automated and usually take less than 24 hours, while reinclusion reconsiderations are not automated and may take several weeks. Blacklisted sites are not removed from search results (they are just labeled as potentially harmful), so if you only need to remove the warning, the reconsideration request is not for you.


Useful links

Google Webmaster Tools - register your sites here


Forums where you can ask for help if your site is blacklisted

Google Webmasters/Site owners Help

Official Google Webmaster Central blog

Google Online Security blog

Oliver Fisher's blog

25 Years of Programming

StopBadware.org

This guide is licensed under a Creative Commons Attribution Non-Commercial Share Alike 3.0 License

Copyright © 2008-2010 Unmask Parasites