Monday, 12 October 2009

The Malware Warning Review Process



As part of Cyber Security Awareness Month, Google's Anti-Malware Team is publishing a series of educational blog posts inspired by questions we've received from users. October is a great time to brush up on cyber security tips and ensure you're taking the necessary steps to protect your computer, website, and personal information. For general cyber security tips, check out our online security educational series or visit http://www.staysafeonline.org/. To learn more about malware detection and site cleanup, visit the Webmaster Tools Help Center and Forum.

Google's anti-malware efforts are designed to be helpful to both webmasters and website visitors. Google continuously scans our web index for pages that could be dangerous to site visitors. When we find such pages, we flag them as harmful in our search results, and also provide this data to several browsers so that users of these browsers will receive warnings directly. We undertake this process as part of our security philosophy: we believe that if we all work together to identify threats and stamp them out, we can make the web a safer place for everyone. While we believe these processes are important steps in helping to protect our users, we also understand the frustration felt by the webmasters of flagged sites. This is why we notify webmasters as soon as we discover that their sites have been compromised. Additionally, we provide webmasters with a tool to file a review once they have cleaned their site. The review process works as follows.

Part 1: The webmaster's job: The first step is site cleanup. The webmaster should remove all harmful content from the site. We realize that it can be tricky to find all the infections on a website, and webmasters should look thoroughly if the warning label persists. Keep in mind that if your site contains elements from another website that may have been compromised, it will remain flagged. This is because your site could still introduce harm to visitors. To prevent reinfection, the webmaster should also identify and fix the underlying software vulnerability that led to site compromise in the first place. For a guide on how to do this, visit stopbadware.org/home/security.

Once a webmaster has cleaned up the site, a Malware Review can be filed with Google's Webmaster Tools (please note that a Malware Review request is not the same as an Index Reinclusion request). The process for Malware Review is as follows:
  1. Log in to Webmaster Tools.
  2. From the Tool's home page click on the link to the site that is being flagged. This will bring you to the site's Dashboard.
  3. There should be a large red banner across the top of the dashboard that says "This site may be distributing malware." Clicking on the link that says "More Details" expands the dashboard to reveal a list of pages on the site that were found to be malicious.
  4. Below this list is a link that says "Request a review." A webmaster can fill out this form and click the "Request a review" button to initiate the review process.
More detailed instructions can be found here.


Part 2: Our job: Upon receiving a Malware Review request, an automated set of algorithms verifies that the site has been cleaned. These algorithms revisit a subset of both the malicious and non-malicious pages that were scanned when the site was originally flagged. Additionally, these algorithms test some pages that were not originally scanned. If none of the tested pages are found to be malicious, the site is deemed to be safe, and warnings are removed from search results. A typical appeal takes only several hours to complete, although in some cases the process may take up to one day.

In addition to processing appeal requests from webmasters, we also rescan compromised sites periodically.

We encourage webmasters of infected sites to quickly clean their web pages and proactively request reviews through Webmaster Tools. After the site has been thoroughly cleaned and reviewed, it will no longer show a warning on Google's search results pages or through the browsers making use of our data.


No comments: