Why are you reading this? Go outside. Do something meaningful with your life.

Thursday, January 29, 2009

Suspicious and Really Suspicious

Google's Safebrowsing Diagnostic page lists "the last time suspicious content was found on this site". But what does "suspicious" mean?

Google's automated malware scanners have been highly accurate with an astonishingly low false-positive rate. Part of that success has been because their definition of "suspicious" actually means "has nasty malware". If the scanners aren't really sure that a site has malware, they won't add it to the malware list. And that's the definition of "suspicious" ("has nasty malware") that Google's Safebrowsing Diagnostic page uses - content bad enough to get a site added to the malware list.

When the scanners do a review of a site to check if it should be removed from the malware list, they use a more stringent definition of "suspicious". If there's any suspicious activity at all then the site will not be removed from the malware list. Often sites have been infected with malware in multiple ways and the scanners need to be sure that it has been thoroughly cleaned up.

Those different definitions of "suspicious" may cause confusion when looking at Google's Safebrowsing Diagnostic page for a site that has been reviewed. The review may have found "suspicious" content that was not "suspicious" enough to have added the site to the malware list - but it is "suspicious" enough to prevent it being removed from the list. Google's Safebrowsing Diagnostic page won't list the date of that review scan.

If you're looking for the status of a malware review, log into Google's Webmaster Tools - the same place you requested the malware review. It will show whether the review succeeded and will list URLs that were still found to be "suspicious".

6 comments:

UseShots said...

Google's Safebrowsing Diagnostic page won't list the date of that review scan.

Does this mean that only successful review dates are listed? Or are only automated scan dates listed, and requested review dates never listed regardless of their result?

Oliver Fisher said...

@UseShots - Good questions. In this context, there are three possible results of a test scan:
1) Clean - site gets removed from malware list and diagnostics page will reflect that;
2) Something's Fishy - site was partially cleaned up and doesn't meet the "very bad" threshold for being added to the list, but is still "somewhat bad" so won't be removed from the list; or,
3) Very Bad - site is still infected.

In all cases the time of last scan will be accurately reflected on the diagnostics page. In cases 1 and 3, the time that suspicious activity was last found will be accurately reflected. In case 2, the time that suspicious activity was last found will not be updated.

In all cases, the diagnostic page may take a few hours to update.

And, before anyone mentions it - yes, we should fix this to be more consistent and clear.

Mackos said...

Hi!
So can you tell me what could be going on with my website www.megaporn.pl?
It was flagged by Google, I deleted all the malware etc. and checked it with unmaskparasites.com and badwarebusters. It was clean, so I asked Google for another check; they checked it and wrote (in Webmaster Tools) that everything is OK, and they're deleting the information about my website. And since then I'm waiting... and nothing. How long can it take to delete that information? What can I do to speed up this process?
(Sorry for my bad English.)

Oliver Fisher said...

Mackos,

Please post your question in either Google's Webmaster Help forums (http://www.google.com/support/forum/p/Webmasters) or in stopbadware.org's forums. This is my personal blog and I can't help every person myself.

Mackos said...

Well, at stopbadware.org's forums someone told me to ask here, and at http://www.google.com/support/forum/p/Webmasters no one answered my question :/ (as proof: http://www.google.com/support/forum/p/Webmasters/thread?tid=3d4860acfe54a719&hl=pl&fid=3d4860acfe54a71900046450328c7522 ) So I'm in a pretty not nice situation...

Linda said...

Hey Oliver!
Fellow Canuck here - this is great that all these tools for help in the malware warfare are coming at us. I struggled 3 years ago when a non-profit site I was looking after was identified by Google - what a nightmare, caught up in the orphan URL thing. If Google hadn't caught it I never would have known! Wonderful online volunteer help from strangers literally led me through the night to fix it - wooo, brutal episode that one. Hope you keep the tools coming and 'Da Bot' watchin!