Safe Browsing FAQs

For malware sites, we scan sections of our web index to identify potentially compromised websites. Then we test those sites by using a virtual machine to see if the machine gets infected. We use statistical models to identify phishing sites.

In this data, a 'website' refers to the hostname or fully qualified domain name of a URL (e.g. somehost.example.com). When we scan a site and identify malicious hosts, we count each distinct host.

Our Safe Browsing technology scans our web index on a daily basis to identify unsafe websites.

We work very hard to maintain accurate information and have had very few false positives.

No. Safe Browsing is designed with users’ privacy and security in mind, so we don't require users to share the sites that they're visiting with us. As a result, we tend to underestimate the number of warnings that we show every month. Chrome users who have volunteered to share information specifically about phishing and malware sites allow us to estimate the total number of warnings. Any time Safe Browsing sends data back to Google, the information is only used to flag malicious activity and is never used anywhere else at Google.

Our scanners can differentiate between the sites that exploit the browser and those that are compromised so that they lead to exploited sites. Sites that exploit the browser are attack sites.

Unsafe sites are added to our list of infected sites within minutes of detection, and on average it takes half an hour for them to appear externally.

Website owners who have cleaned their sites can request a malware review in Google Search Console. The site will be rescanned and is typically removed from the list within 24 hours if the scan is clean. We periodically check sites on our list to see if they are still infected.

To determine if a site becomes reinfected, we need to observe it for a certain period of time after it has been removed from our list. We compute the reinfection rate for a given week by dividing all sites that were removed and reinfected within three months of that week by the number of sites that were removed from the list during that week.

Malware can hide in many places, and it can be hard even for experts to work out if their website is infected. Our accuracy rate is very good, but you can submit your site for a malware review by following the instructions here.

You can report a website suspected of hosting or distributing malware here, or a suspected phishing site here.

Sites are often infected without the knowledge of the website owner. By showing that malware has been detected, we hope to encourage an AS to get in touch with the website owner within the network and work with them to correct the problem. Once web servers are cleaned up, the malware statistics published in the Transparency Report will improve.

We encourage operators to sign up for Safe Browsing Alerts for Network Administrators here. Registering your AS means that you will receive notifications if we detect that malware is being hosted on your network.

We rank the AS by dividing the number of compromised and/or attack hosts that we find by the total number of hosts our scanners observe in the AS.

No. Our scanners are specifically designed to look for the malicious parts of networks, so we may not see many of the good parts. The scanners do not see all the websites or hosts on a network, and the metrics we present here are solely based on what our scanners observe.

Not necessarily. It's possible that the AS itself may have some security weaknesses, but by definition larger networks host many different kinds of users and are generally more likely to host users that have malicious intent or poor security practices.

We geolocate IP addresses of the hosts that we encounter to determine which country/region a host belongs to. The IP addresses belonging to a particular AS may geolocate to more than one country/region. Therefore, an AS may appear in the data for more than one country/region.