Malware and unwanted software
Google checks websites to see whether they host downloadable executables that negatively affect the user experience. You can see a list of any suspected files hosted on your site in the Security Issues report.
What is malware?
Malware is any software or mobile application specifically designed to harm a computer, a mobile device, the software it's running, or its users. Malware exhibits malicious behavior that can include installing software without user consent and installing harmful software such as viruses. Webmasters sometimes don't realize that their downloadable files are considered malware, so these binaries might be hosted inadvertently.
- See Protecting users from malicious downloads in our Google Online Security Blog for more on how Google helps protect users from malicious downloads.
- See our Unwanted Software Policy for our criteria for safe software on the web.
What is unwanted software?
Unwanted software is an executable file or mobile application that engages in behavior that is deceptive, unexpected, or that negatively affects the user's browsing or computing experience. Examples include software that switches your homepage or other browser settings to ones you don't want, or apps that leak private and personal information without proper disclosure.
- See That’s not the download you’re looking for... in our Google Online Security Blog for more on how Google helps protect users from unwanted software.
Be sure that you do not violate the Unwanted Software Policy, and follow the guidelines given here. Though this list isn’t comprehensive, these behaviors can cause apps and websites to display warnings to users upon downloading and visiting. You can see a list of any suspected files hosted on your site in the Security Issues report.
Don't misrepresent yourself
- Accurately inform users of a software’s purpose and intent. Users should download the software intentionally, with accurate knowledge of what will be downloaded, by clicking on an accurate advertisement that clearly informs the user of what will be downloaded. Advertisements leading the user to the download should not be deceptive or inaccurate, such as:
- Those claiming to update Flash if the program downloaded is unrelated to Flash.
- An ad that only contains the words "Download" or "Play" without identifying the software it advertises for.
- A "Play" button that leads to a download.
- An ad that mimics the look and feel of the publisher’s website and pretends to offer content (for example, a movie) but instead leads to unrelated software.
- Read about Social Engineering in our Online Security Blog.
- Behave as advertised. Your program should be clear about its functionality and intentions. If your program collects user data or injects ads into a user's browser, package these behaviors in clear language and do not frame them as insignificant features.
- Use endorsements only when authorized. Don’t use other companies’ logos in an unauthorized way to legitimize or endorse a product. Don’t use government logos without authorization.
- Don’t scare the user. Software should not misrepresent the state of the user’s machine to the user, for example by claiming the system is in a critical security state or infected with viruses. Software should not claim to provide a service (for example, "speed up your PC") that it does not or cannot provide. For example, "free" computer cleaners and optimizers should not be advertised as such unless advertised services and components require no payment.
- Use the Google Settings API if your program changes Chrome settings. Any changes to the user’s default search settings, startup page, or new tab page must be made via the Chrome Settings Override API, which requires the use of a Chrome extension, as well as a compliant extension installation flow.
- Allow browser and operating system dialogues to alert the user as intended. Do not suppress alerts to the user from the browser or from the operating system, notably those which inform the user of changes to their browser or OS.
- We recommend that you sign your code. While an unsigned binary is not a reason for flagging your binary as unwanted software, we recommend programs have a valid and verified code signature issued by a code-signing authority that presents verifiable publisher information.
- Don’t degrade the security and protection measures provided by TLS/SSL connections. An application may not install a root certificate-authority certificate. It may not intercept SSL/TLS connections unless designed for experts to debug or investigate software. For more details, see the related Google Security Blog post.
- Protect user privacy. Software, including mobile apps, must only transmit private user data to servers as it is related to the functionality of the app, and these transmissions must be both disclosed to the user and encrypted
Chrome extension guidelines
- All extensions need to be disclosed and installed in Chrome to be policy-compliant. Extensions must be hosted in the Chrome Web Store, disabled by default, and compliant with Chrome Web Store policies (including the single-purpose policy). Extensions installed from a program must use the authorized Chrome Extensions installation flow, which will prompt the user to enable them within Chrome. Extensions may not suppress Chrome dialogues alerting the user to settings changes.
- Instruct users on how to remove a Chrome Extension. A good user experience is when a user uninstalls a program, everything that was installed along with it gets removed too. The uninstallation flow should include instructions for the user to disable and delete the extension themselves.
Fixing the problem
Ensure that your site or application follows the guidelines above, then follow additional steps below.
It can be frustrating to learn that one of your downloadable files contains malware or unwanted software, and we want to help you resolve the issue. We can't provide exhaustive instructions to address every situation, but the following recommendations should help you isolate the issue quickly. For feedback specific to your software, please refer to the Webmaster Help Forum.
If your mobile application is showing warnings, read here about app verification and appeals.
After you ensure that your downloadable program complies with the following guidelines, you can request a review of your status. A review can take 2-3 days to complete. Below are general guidelines for good software practice, but for more specific examples, please see Common Violations of the Unwanted Software Policy.
- Start with antivirus software. Use antivirus software to scan the binaries and other content hosted on your site. Antivirus software finds many types of malware and unwanted software but, unfortunately, not all types. Submitting your software to an anti-virus program (or an anti-virus consolidation service, such as VirusTotal) will give you an indicator of potential issues with your software. Google Safe Browsing applies its own criteria to determine whether a program or binary is unwanted software or malware.
- Explicitly and clearly explain to the user what browser and system changes will be made by your software. Allow users to review and approve all significant installation options and changes. Your program’s main UI should clearly disclose the binary’s components and their primary functionality. The binary should offer an easy way for the user to skip the installation of bundled components. For example, hiding these options or using grayed-out text is not good disclosure.
- Protect user data. If your program or mobile application collects and transmits user data, the data transmitted should only be related to the program’s stated purpose, and the collection and transmission should be clearly disclosed to the user. Transmission of user data should be encrypted.
- If your binary installs a browser add-on or changes default browser settings, it should follow the browser-supported installation flow and API. For example, if the binary installs a Chrome extension, it should be hosted in the Chrome Web Store and adhere to the Chrome Developer Program Policies. Your binary will be identified as malware if it installs a Chrome extension in violation of the Chrome Alternative Extension Distribution Options policy.
- Do no harm. Your binary should respect and not harm the user's browsing experience. Make sure that your downloadable binaries adhere to the following common policies:
- Do not break the browser's reset functionality. Read about the reset browser settings button in Chrome.
- Do not bypass or suppress the browser's or operating system's UI control for setting changes. Your program should provide users proper notice and control over settings changes that occur in the browser. Use the Settings API to change Chrome settings (see this Chromium Blog post).
- Use an extension to change Google Chrome functionality, rather than causing browser behavior change via other programmatic means. For example, your program should not use DLLs (dynamically linked libraries) to inject ads in the browser, should not deploy proxies that intercept traffic, should not use a Layered Service Provider to intercept user actions, or insert new UI into every web page by patching the Chrome binary.
- Your product and component descriptions should not scare the user and/or make false, misleading, claims. For example, your product should not make false claims about how the system is in a critical security state or infected with viruses. Programs like registry cleaners should not show alarming messages about the state of a user’s computer or device, and claim they can optimize the user’s PC.
- Make the uninstallation process findable, simple, and non-threatening. You program should have clearly-labeled instructions for returning the browser and/or system to its previous settings. The uninstaller should remove all components and not deter the user from continuing the uninstall process, for instance by claiming potential negative effects on the user’s system or privacy if the software is uninstalled.
- Keep good company. If your software bundles other software components, you are responsible for making sure that none of these components violate any of the recommendations above.
If Google Safe Browsing hasn't seen a particular binary before, Chrome may warn that it is uncommonly downloaded and could be dangerous. In these cases the warnings are lifted automatically if Google Safe Browsing verifies that it is benign.
If your site is showing uncommon download warnings, you can also request a review in Search Console.