Question: How does SiteCheck work? I just scanned a site that I think is compromised but the scanner is showing it as clean. Is my site really clean or did you make a mistake?
Answer: SiteCheck is our free, remote website scanner that works to identify if the provided site is infected with any type of malware (including SPAM) or if it’s been blacklisted or defaced.
Sounds simple, but being able to identify these issues remotely (without server access) is a very complicated task, and that’s why we do not guarantee 100% accuracy. If you see the “All clear” (green) result, it just means that when we scanned we couldn’t see anything malicious.
Sucuri SiteCheck is a free & remote scanner. Although we do our best, 100% accuracy is not realistic, and not guaranteed.
How SiteCheck works
SiteCheck is a remote scanner. It visits your site like an everyday user or search engine bot would and verifies if any of the pages have malicious code. In its simplest form, this is how it works:
- We re-visit the main page acting as a search engine bot.
- From the links we extract, we select 8-10 of them and visit them using different referrers and user agents.
- We run all those pages/links against our large malware database and perform multiple anomaly checks, comparing results between different user agents/referrers to see if there is anything hidden.
- We check all the included resources against multiple blacklists to see if anything has been flagged by blacklisting agencies like Google, McAfee, Norton, and others.
As you can see, we only have access to what is visible on the browser. If you have a hidden backdoor inside your wp-content/uploads, or a core file that doesn’t render content on the browser, it will not detect anything malicious. This means it might not detect the following:
- Phishing Pages
- Mailer / DoS Scripts
- Malicious Usernames
- Or any injections or changes that don’t present themselves externally.
There is one other very important condition that could impact the scanners detection – conditional malware. There are many new sophisticated strands of malware that apply rules to every visit by a user. Those rules will dictate when something does or does not display. Rules vary and some only display to Google IPs. Some display only once a day, once per IP, once a week, or under specific conditions on the client’s local configuration.
Because of some of these challenges, we introduced the server-side scanning for all paying clients (included in all of our plans). This scanner will crawl every file in your website directory and work to identify hidden backdoors, phishing pages, malware injections, spam, and other conditional type infections. Both scanners compliment one another and each are designed to detect certain things and help verify what the other catches.
Another benefit of our server-side scanning is it will generate an audit trail of any file changes, allowing us to see exactly when a compromise happened.
When you couple that with our manual audits done by our support team (a service included in all our plans), you’re receiving the most comprehensive review of your environment.
We hope this clarifies how SiteCheck works. If you have any questions, please feel free to engage our Labs team at firstname.lastname@example.org.
If you’re a customer, please note that there is no 100% solution to monitoring websites and detecting issues. This means that you’re not restricted to what our scanners detect. If you have a system or tool that is flagging something, or you see suspicious activity, you can engage the support team directly via our ticketing system.