Safe Browsing FAQs

How do you determine that a site is unsafe?

For malware sites, we scan sections of our web index to identify potentially compromised websites. Then we test those sites by using a virtual machine to see if the machine gets infected. We use statistical models to identify phishing sites.

How do you define a 'website'?

In this data, a 'website' refers to the hostname or fully qualified domain name of a URL (e.g. somehost.example.com). When we scan a site and identify malicious hosts, we count each distinct host.

How frequently do you scan your web index?

Our Safe Browsing technology scans our web index on a daily basis to identify unsafe websites.

How accurate is this information?

We work very hard to maintain accurate information and have had very few false positives.

Can you see whenever someone is visiting an unsafe website? How do you count the total number of warnings that you show?

No. Safe Browsing is designed with users’ privacy and security in mind, so we don't require users to share the sites that they're visiting with us. As a result, we tend to underestimate the number of warnings that we show every month. Chrome users who have volunteered to share information specifically about phishing and malware sites allow us to estimate the total number of warnings. Any time Safe Browsing sends data back to Google, the information is only used to flag malicious activity and is never used anywhere else at Google.

How do you tell the difference between a compromised site and an attack site?

Our scanners can differentiate between the sites that exploit the browser and those that are compromised so that they lead to exploited sites. Sites that exploit the browser are attack sites.

How quickly is a site added once you determine that it is unsafe?

Unsafe sites are added to our list of infected sites within minutes of detection, and on average it takes half an hour for them to appear externally.

How quickly do you take the site off the list once it’s been cleaned?

Website owners who have cleaned their sites can request a malware review in Google Search Console. The site will be rescanned and is typically removed from the list within 24 hours if the scan is clean. We periodically check sites on our list to see if they are still infected.

How is reinfection rate computed?

To determine if a site becomes reinfected, we need to observe it for a certain period of time after it has been removed from our list. We compute the reinfection rate for a given week by dividing all sites that were removed and reinfected within three months of that week by the number of sites that were removed from the list during that week.

If my website has been compromised and is now unsafe, what can I do?

We offer advice for website owners whose sites have been hacked here. It’s best to register your site at Google Search Console in advance of any problems so that we can notify you promptly and provide more information about the problems that we find.

What if I don’t think my site is infected?

Malware can hide in many places, and it can be hard even for experts to work out if their website is infected. Our accuracy rate is very good, but you can submit your site for a malware review by following the instructions here.

How do I report a website that is unsafe?

You can report a website suspected of hosting or distributing malware here, or a suspected phishing site here.

If my AS appears on the list of malware distributors, what can I do?

Sites are often infected without the knowledge of the website owner. By showing that malware has been detected, we hope to encourage an AS to get in touch with the website owner within the network and work with them to correct the problem. Once web servers are cleaned up, the malware statistics published in the Transparency Report will improve.

We encourage operators to sign up for Safe Browsing Alerts for Network Administrators here. Registering your AS means that you will receive notifications if we detect that malware is being hosted on your network.

How do you compare one AS to another?

We rank the AS by dividing the number of compromised and/or attack hosts that we find by the total number of hosts our scanners observe in the AS.

Do you have comprehensive information about an AS?

No. Our scanners are specifically designed to look for the malicious parts of networks, so we may not see many of the good parts. The scanners do not see all the websites or hosts on a network, and the metrics we present here are solely based on what our scanners observe.

If an AS appears high in the rankings, is it doing something wrong?

Not necessarily. It's possible that the AS itself may have some security weaknesses, but by definition larger networks host many different kinds of users and are generally more likely to host users that have malicious intent or poor security practices.

How do you map a host to a country/region? What is the relationship between an AS and a country/region?

We geolocate IP addresses of the hosts that we encounter to determine which country/region a host belongs to. The IP addresses belonging to a particular AS may geolocate to more than one country/region. Therefore, an AS may appear in the data for more than one country/region.
Main menu
10234357633687190827
true
Search Help Centre
true
true
true
false
false