Qualys Malware Detection FAQ
- Why is Qualys Malware Detection needed?
- My website is behind a firewall and hosted by a reputable ISP. Am I really in any danger of getting malware on my site?
- How does Qualys Malware Detection work?
- Does Qualys Malware Detection impact my site?
- Is Qualys Malware Detection the same as using an antivirus program?
- Does Qualys Malware Detection use signatures like my antivirus program to find malware on my website?
- I know it is bad for the people who visit my website if they get infected from me, but does it have any direct effect on me or my website?
- Do I need to install anything on my website to use Qualys Malware Detection?
- How will I be notified if malware is found on my website?
- What should I do if malware is found on my website?
- How many web pages can I scan with Qualys Malware Detection?
- What pages within my website are scanned by Qualys Malware Detection?
- Will Qualys use this scan data for any other purposes?
Why is Qualys Malware Detection needed?
Qualys Malware Detection (MD) helps protect your organization's reputation and keeps your website from being blacklisted by search engines by detecting malware that visitors to your site could be infected with. Your organization doesn't even have to be the source of the malware; it may be third-party content from an advertising or metrics service used by your website that infects your users. But even if it isn't your content, if your website is the conduit for the infection, search engines may block it and your organization risks lost revenue and reputational damage.
My website is behind a firewall and hosted by a reputable ISP. Am I really in any danger of getting malware on my site?
Yes! Research by the security company Sophos found that 21,000 web pages were being infected every day. These pages belonged to innocent companies and individuals whose sites had been compromised by cyber criminals, and many of them had security in place. The principle of 'defense in depth' means you need multiple layers of security and detection to keep your systems safe, and Qualys MD provides an additional layer of detection.
How does Qualys Malware Detection work?
The service browses your website on a scheduled basis, just as a user would, and combines four detection methods to identify potential malware:
- Behavioral Analysis: The most powerful method is advanced behavioral analysis performed in an instrumented browser, which identifies when an infection actually takes place. Because it does not rely on signatures it can detect even zero-day malware, which signature-based detection cannot.
- Reputation Checks: Links to external web pages are checked against reputation services to determine whether they are untrusted.
- Static Analysis: The page source is examined by a signature and heuristics engine for obviously malicious or out-of-place scripts.
- Antivirus: The service downloads documents hosted on the site, such as PDFs, and scans them with antivirus software.
Does Qualys Malware Detection impact my site?
No. Qualys MD browses your site just as a user would. Performance settings let you run scans at a slower speed, with the same load as a single user, or faster, which is equivalent to several users browsing your site at once. These settings are fully configurable.
Is Qualys Malware Detection the same as using an antivirus program?
No. Antivirus programs try to find malware and stop it from infecting a computer. But a website serves content not only from its file system but also from databases and from many third-party providers such as advertising networks. Qualys MD does use antivirus to check files for viruses, but antivirus alone cannot reliably identify websites that are infecting their users.
Does Qualys Malware Detection use signatures like my antivirus program to find malware on my website?
Qualys Malware Detection uses both signatures and the more advanced method known as behavioral analysis. A signature must match the malware exactly, which has become extremely difficult as cyber criminals have learned to make small changes in every copy of the installed code. Behavioral analysis instead tests whether the website modifies the browsing system in an abnormal way that indicates an infection. This is the most effective and advanced form of malware detection.
I know it is bad for the people who visit my website if they get infected from me, but does it have any direct effect on me or my website?
Yes. By delivering malware to visitors you run a high risk of being added to the blacklists of Google, Bing and other search engines, or to the URL blacklists of security vendors, which block visitors from reaching your website and can damage your valuable, hard-earned brand reputation. The resulting loss of revenue could be devastating.
Do I need to install anything on my website to use Qualys Malware Detection?
No. Once you have created your account, entered your website domain and verified that you are the owner of that domain, Qualys Malware Detection will analyze your website from our servers in the cloud with no need for any software to be installed on your web server or in your website code.
How will I be notified if malware is found on my website?
Immediately upon completion of a scan you will be sent an email telling you whether malware was found. By logging on to the Qualys Malware Detection management portal you can get full details about the detected malware, along with a prioritization of which issues to address first.
What should I do if malware is found on my website?
Because some malware is more malicious than other malware, Qualys MD reports and prioritizes the issues so you can identify which to address first. Please carefully review the malware details provided by the Malware Detection service.
The ideal way to remove malware is to use a known, clean backup to restore your site. You need to be certain that the backup is clean and no changes have been made to the site since the backup.
To remove malicious code, delete the suspicious block of script identified by the service in the malware details. You can view malware details per web page in the malware scan details, or by Qualys ID [QID] in the malware findings section. Once you have verified that the block of script does not belong on the page, remove it.
These are additional ways you can identify malware within an affected web page:
- Look for occurrences of "<script src=" pointing to a site or file you don't recognize as valid. To check whether a script file has itself been tampered with, look at its contents and try to identify anything that is out of place.
- Look at every "<iframe src=" tag on your page and locate any that don't belong. The "src" will usually point to a site you do not control, and the frame is typically hidden using attributes like "height=0 width=0" or "style=display:none". Be aware that advertisers use similar techniques for legitimate ad tracking.
- Identify new files with suspicious or unknown names. Some files may also be in a suspicious location, such as a .php file in your /images folder.
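The three manual checks above can be automated over a saved copy of a page and a listing of the web root. The following is an added example, not code from Qualys or the Malware Detection service; the trusted hosts, asset directories, sample HTML and file paths are constructed for illustration, and which hosts count as trusted is something only the site owner can decide.

```python
"""Added example (not Qualys code): automates the three manual checks above
over a saved copy of a page and a listing of the web root. Trusted hosts,
asset directories and the sample HTML/paths are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Hosts the site owner recognises as legitimate script sources (assumption).
TRUSTED_HOSTS = {"example.com", "www.example.com", "cdn.example.com"}
# Directories that should contain static assets only, and server-side
# extensions that never belong in them (assumption for the example).
ASSET_DIRS = {"images", "img", "css", "uploads"}
EXEC_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi"}


def _is_hidden(attrs):
    """Zero size or display:none, the styling the FAQ names for injected iframes."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    zero = attrs.get("width") in ("0", "0px") and attrs.get("height") in ("0", "0px")
    return zero or "display:none" in style


class _SrcCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # script src values
        self.iframes = []   # (iframe src, hidden?) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        if tag == "script":
            self.scripts.append(src)
        elif tag == "iframe":
            self.iframes.append((src, _is_hidden(a)))


def _parse(html):
    p = _SrcCollector()
    p.feed(html)
    p.close()
    return p


def external_scripts(html, trusted=TRUSTED_HOSTS):
    """<script src> values whose host is not trusted. Relative URLs (no host)
    are same-site and skipped; review those files' contents separately."""
    hits = []
    for src in _parse(html).scripts:
        host = urlparse(src).hostname
        if host and host.lower() not in trusted:
            hits.append(src)
    return hits


def hidden_iframes(html):
    """<iframe src> values hidden by zero size or CSS, regardless of host."""
    return [src for src, hidden in _parse(html).iframes if hidden]


def misplaced_files(paths, asset_dirs=ASSET_DIRS, exec_exts=EXEC_EXTS):
    """Site-relative paths with a server-side extension under an asset
    directory, e.g. images/shell.php."""
    hits = []
    for path in paths:
        parts = path.strip("/").split("/")
        ext = posixpath.splitext(parts[-1])[1].lower()
        if ext in exec_exts and any(d in asset_dirs for d in parts[:-1]):
            hits.append(path)
    return hits


# Constructed sample page: one legitimate external script, one unknown one,
# a visible embed and two hidden frames. 203.0.113.0/24 and .invalid are
# reserved for documentation and never resolve.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="http://203.0.113.45/counter.js"></script>
</head><body>
<iframe src="https://video.example.org/embed/abc" width="560" height="315"></iframe>
<iframe src="http://203.0.113.45/in.php" width=0 height=0></iframe>
<iframe src="http://dropper.invalid/x" style="display: none"></iframe>
</body></html>
"""
SAMPLE_PATHS = ["index.php", "images/logo.png", "images/shell.php", "uploads/2019/a.phtml"]

if __name__ == "__main__":
    print("external scripts:", external_scripts(SAMPLE_HTML))
    print("hidden iframes:", hidden_iframes(SAMPLE_HTML))
    print("misplaced files:", misplaced_files(SAMPLE_PATHS))
```

A hit from any of these functions is a lead, not a verdict: as the FAQ notes, legitimate advertising and tracking code uses hidden frames too, so compare each finding against what the site is known to include before deleting it.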
Once you have cleaned up your website, rescan with Qualys MD to verify that the malicious code is gone. Important Note: Although removing malicious website code cleans up the problem on your website, it probably doesn't close the hole that allowed the malware to be installed in the first place. Please ensure your machines are fully patched and updated with no current vulnerabilities. You can also try Qualys FreeScan to get a detailed report on one publicly facing IP address, or Qualys SECURE Seal to do a comprehensive examination of your website.
How many web pages can I scan with Qualys Malware Detection?
You may scan up to 1,000 pages per site with the standard Qualys Malware Detection service. To scan more pages, simply contact a Qualys representative for a quote.
What pages within my website are scanned by Qualys Malware Detection?
When you configure a scan you are asked to enter the website or website URL. Generally that means something like www.example.com, which to us is the same as example.com. We call this the root domain. If you had entered bad.example.com then that entire string would be the root domain. Finally, if you entered example.com/about_us, the system would use example.com as the root domain. Another way to say this is that the root domain is whatever FQDN is part of the text you enter into the website URL field.
Whatever is entered in the website URL field is the starting point of a scan. The crawler looks for all the links on that page and validates that they are OK [not on any blacklist]. Next, the entire page source is examined against our static [signature and heuristics] engine to see if there are any obviously malicious or inappropriate scripts on the page. Then the current page is rendered in specially configured browsers in one of our Virtual Machines [VM] to see if any malicious behaviors are detected.
From the starting page, all links that include the root domain as part of the URL are then scanned in the same way as just described. That means if you started at the root domain of example.com and on that page we discovered good.example.com, then that page would be scanned just as described and so on until all links for the entire site [or up to the page limit] were completed. That would include pages such as example.com/about_us and ugly.example.com/green/warts.
If you had entered good.example.com as the root domain then the scans would examine a different and more limited range of pages. It would start at good.example.com and if example.com was detected on that page it would only confirm that the link was not blacklisted, but it would not crawl the page or look at the contents of that page in any way nor would it render the contents of that page in the browser VM. The crawler does not go past the boundary set by the root domain.
Finally, if you entered example.com/about_us as the root domain, the system would start the scan on that page but use example.com as the root domain. Therefore, the limit of the scan would be based on example.com although the scan would start at example.com/about_us.
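The scoping rules above, expressed as code. This is an added example and not Qualys' crawler; it assumes that a link "includes the root domain" when the link's hostname equals the root domain or ends with it as a dot-separated suffix (a substring match on the whole URL would wrongly pull in notexample.com or a link that merely carries example.com in its query string), and the list of discovered links is constructed.

```python
"""Added example (not Qualys' implementation): the scoping rules described
above as code. root_domain() derives the root domain from the website URL
field; in_scope() decides whether a discovered link is crawled or only
reputation-checked. Reading "includes the root domain" as a hostname suffix
match (rather than a substring match on the whole URL) is this example's
interpretation."""
from urllib.parse import urlparse, urljoin


def _with_scheme(url):
    """The field accepts bare hosts; urlparse needs a scheme to find the host."""
    return url.strip() if "://" in url else "http://" + url.strip()


def _host(url):
    return (urlparse(_with_scheme(url)).hostname or "").lower().rstrip(".")


def root_domain(entered):
    """www.example.com -> example.com; bad.example.com -> bad.example.com;
    example.com/about_us -> example.com. Only a leading 'www.' is dropped."""
    host = _host(entered)
    return host[4:] if host.startswith("www.") else host


def in_scope(link, root):
    """True when the link's host is the root domain or a subdomain of it.
    notexample.com and evil.invalid/?r=example.com are out of scope even
    though the string 'example.com' appears in them."""
    host = _host(link)
    return host == root or host.endswith("." + root)


def classify_links(entered, links):
    """Split links found on the start page into those the crawler would scan
    and those it would only check against blacklists. Relative links are
    resolved against the start URL first."""
    start = _with_scheme(entered)
    root = root_domain(entered)
    crawled, reputation_only = [], []
    for link in links:
        absolute = urljoin(start, link)
        (crawled if in_scope(absolute, root) else reputation_only).append(absolute)
    return crawled, reputation_only


if __name__ == "__main__":
    # Constructed list of links "found" on the start page.
    found = ["/about_us", "http://good.example.com/", "http://ugly.example.com/green/warts",
             "http://notexample.com/", "http://evil.invalid/?r=example.com"]
    print(classify_links("www.example.com", found))
    print(classify_links("good.example.com", ["http://example.com/"]))
```

Running it with www.example.com as the entered site puts /about_us, good.example.com and ugly.example.com/green/warts in the crawled list and the other two in the reputation-only list; entering good.example.com instead leaves example.com reputation-only, matching the boundary described above.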
Will Qualys use this scan data for any other purposes?
Yes. The scan data will be used in aggregate with other scans to improve the accuracy of the scanning service and to identify new threats and trends across the internet. The scan data is securely stored and handled. All use of the data is fully anonymized and can't be tracked to any specific IP address or website, so there is no danger of information about your website ever being disclosed.