Malware Diagnostic

Diagnostics makes regular, periodic evaluations of your Analytics implementation, and provides notifications as a gentle reminder of how to keep Analytics tuned to ensure the best data, performance, and analysis.

Overview

Analytics regularly communicates with Google Search Console to identify domains that may be serving malware to their end users. The system looks at the results of the Google Search crawl of websites associated with Analytics accounts. That crawl uses proprietary software and processes to identify sites that may be serving malware.

If it appears that your GA property is tracking sites that Google’s Safe Browsing team has marked as potentially serving malware, and you are an admin on this property, then a notification will appear to alert you of the problem.

Implications

Malware refers to software that is designed to harm a computer, the software it’s running, or its users. Malware exhibits malicious behavior that can include installing software without user consent and installing harmful software such as viruses.

Learn more about Malware and its effects.

If you see this warning, it’s likely that your site has been compromised by a malicious actor in order to distribute malware to your visitors. Our goal is to protect the broader internet and your business by ensuring that your websites are not compromised by 3rd parties acting without your and your end users' consent, and that your end users have an enjoyable and safe experience on your websites.

Limitations

Diagnostics, and Google’s search crawler, are not able to crawl pages that are not publicly available. So, Google Analytics may miss pages that are serving malware and fail to surface a notification. Therefore, you should not consider this warning a comprehensive audit of your website, and you should proceed with a full evaluation of all webpages if you see this warning.

Crawl frequency varies from a few days up to several weeks, so recent changes or fixes may not be reflected in the results until the page is re-examined. However, the Safe Browsing team will conduct a requested review within 72 hours, so be sure to request a review once any issues are remedied, and check back in Search Console for updates.

Investigate and fix

After you receive the malware notification, first investigate whether your site has been hacked by following these instructions. If you confirm that your site has been compromised, take immediate steps to remove the offending site code. Note also that the notification does not identify where the malware is located, so you should conduct a broad audit to confirm that you have removed all offending code.

Upon completion, you should request a review of your site by following these instructions.

Reported sites do not belong to the website

If the website(s) mentioned in the notification belong to a domain that you do not recognize, that website likely specified your Analytics account in its tracking code by accident. First, you should create a filter to exclude the unwanted traffic data from that domain as soon as possible. Then try contacting their webmaster to correct the problem.

If the website(s) mentioned in the notification belong to a recognizable or related domain, but should not be considered a part of the website, you probably have multiple websites under the same domain, with unclear site boundaries. In either case, you should address the malware notification directly, or contact the appropriate site owner to address the problem.
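
One way to find the hostnames to exclude, as an added example that is not part of the original article: the script reads a hostname report exported from Analytics, lists every host that is not one of your domains, and builds an anchored pattern for an exclude filter on the Hostname field. The CSV layout, the sample rows and the owned domain example.com are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample: a hostname report exported as CSV (layout is an assumption).
SAMPLE_REPORT = """hostname,sessions
www.example.com,1200
shop.example.com,340
EXAMPLE.COM.,15
notexample.com,75
example.com.cdn-mirror.test,410
(not set),9
"""

OWNED_DOMAINS = {"example.com"}  # hypothetical: the domains you actually operate


def normalize(host):
    """Lower-case and drop a trailing dot so equivalent names compare equal."""
    return host.strip().lower().rstrip(".")


def is_owned(host, owned=OWNED_DOMAINS):
    """True only for an owned domain or a real subdomain of one."""
    host = normalize(host)
    # Match on a label boundary: 'notexample.com' and
    # 'example.com.cdn-mirror.test' must not pass as 'example.com'.
    return any(host == d or host.endswith("." + d) for d in owned)


def unrecognized_hosts(report_csv, owned=OWNED_DOMAINS):
    """Return {hostname: sessions} for hosts sending hits that you do not own."""
    found = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        host = normalize(row["hostname"])
        if host and host != "(not set)" and not is_owned(host, owned):
            found[host] = found.get(host, 0) + int(row["sessions"])
    return found


def exclude_pattern(hosts):
    """Build an anchored, escaped regex that matches exactly the given hosts."""
    return "^(" + "|".join(re.escape(h) for h in sorted(hosts)) + ")$"


if __name__ == "__main__":
    hosts = unrecognized_hosts(SAMPLE_REPORT)
    print(hosts, exclude_pattern(hosts))
```

The hosts it reports are also the ones to check against the malware notification before you contact their webmaster.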

Your site is clean, but you still see the alert

If you have resolved all your known issues but still see the notification, then it’s possible that Google simply needs to reevaluate your site. Request that Google re-crawl your website as soon as possible by following these instructions.

If the notification persists, you should raise the issue within the webmaster support forum.
