
Tuesday, July 21, 2009

Diagnosing the Diagnostics: Domain Summary

This is the second part of a series about Google's Safebrowsing Diagnostics page.

The first section of the diagnostics page (What is the current listing status for my site?) displays a summary of the status of the domain. It indicates whether the domain is currently listed in Google's Safebrowsing malware list. It may also list the number of times in the recent past that the domain has been added to and removed from the malware list.

Both these simple facts can be somewhat surprising...

A user or webmaster may see a malware warning in their browser when visiting a page, yet the diagnostics page for that site may state that the domain is not currently on the malware list. This is usually a Cross-Site Warning. The domain is almost certainly infected with malware, because users' browsers blocked requests that its pages made to other, malicious domains.
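The Cross-Site Warning case, as an added example (not code from the original post or from Google): it lists the third-party hosts a page loads resources from and reports those on a malware list even though the page's own domain is not listed. The `LISTED` set and sample HTML are constructed placeholders, and matching a host against its parent domains is an assumed simplification, not Google's actual lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser fetch a resource while rendering the page.
FETCH_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
               "img": "src", "embed": "src", "object": "data"}

class ResourceCollector(HTMLParser):
    """Collects absolute URLs of resources the page asks the browser to load."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(urljoin(self.base_url, value.strip()))

def is_listed(host, listed):
    """True if host or any parent domain is in the listed set (assumed rule)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))

def classify(page_url, html, listed):
    """Returns (own_domain_listed, sorted listed third-party hosts the page loads)."""
    page_host = urlsplit(page_url).hostname or ""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    hosts = {urlsplit(u).hostname for u in collector.urls}
    hosts.discard(None)
    hosts.discard(page_host)  # same-host resources are not cross-site
    return is_listed(page_host, listed), sorted(h for h in hosts if is_listed(h, listed))

# Constructed sample data: .example/.test names are placeholders, not real indicators.
LISTED = {"bad-cdn.example", "dropper.test"}
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://stats.bad-cdn.example/c.js"></script>
</head><body><img src="http://images.partner.example/logo.png">
<iframe src="//dropper.test/in.php" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    own, cross = classify("http://www.shop.example/index.html", SAMPLE_HTML, LISTED)
    print("own domain listed:", own)
    print("hosts that would trigger a cross-site warning:", cross)
```

A result of `False` with a non-empty host list matches the situation described above: the diagnostics page shows the domain as not listed, but visitors still see a warning.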

Webmasters may also find that their site has been added to the malware list numerous times. This may be an indication that the webmaster is cleaning up the infection on the server without closing all vulnerabilities. When Google's scanners process the malware review, the site is temporarily clean, so it is removed from the malware list. But because the server is still vulnerable, malicious content may be re-injected within hours. Google's malware scanners will quickly detect this and put the site back on the malware list.

Finally, for very new infections, the diagnostics page may be temporarily out of date. Google immediately flags sites found to be malicious and sends email to the webmasters. An alert webmaster who quickly notices that their site has been flagged may find that the diagnostics page lists their site as clean or even completely unscanned. The diagnostics page will update shortly - usually within a couple of hours.

The next post will deal with the most important section of Google's Safebrowsing Diagnostics page: What happened when Google visited this site?



UseShots said...

>It may also list the number of times in the recent past that the domain has been added to and removed from the malware list.

I haven't seen the page saying "this page had been found suspicious N times during the last 90 days". What do you mean by "the number of times..."?

UseShots said...

Oops. Just found this:

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.