Skip links

Ask Sucuri: How Does SiteCheck Work?

How does SiteCheck work?

Question: How does SiteCheck work? I just scanned a site that I think is compromised but the scanner is showing it as clean. Is my site really clean or did you make a mistake?

Answer: SiteCheck is our free, remote website scanner that works to identify if the provided site is infected with any type of malware (including SPAM) or if it’s been blacklisted or defaced.

Sounds simple, but being able to identify these issues remotely (without server access) is a very complicated task, and that’s why we do not guarantee 100% accuracy. If you see the “All clear” (green) result, it just means that when we scanned we couldn’t see anything malicious.

Sucuri SiteCheck is a free & remote scanner. Although we do our best, 100% accuracy is not realistic, and not guaranteed.

How SiteCheck works

SiteCheck is a remote scanner. It visits your site like an everyday user or search engine bot would and verifies if any of the pages have malicious code. In its simplest form, this is how it works:

  1. We visit the main page and extract the list of links, javascript files and iframes.
  2. We re-visit the main page acting as a search engine bot.
  3. From the links we extract, we select 8-10 of them and visit them using different referrers and user agents.
  4. We extract and scan all javascript files and iframes present.
  5. We run all those pages/links against our large malware database and perform multiple anomaly checks, comparing results between different user agents/referrers to see if there is anything hidden.
  6. We check all the included resources against multiple blacklists to see if anything has been flagged by blacklisting agencies like Google, McAfee, Norton, and others.

As you can see, we only have access to what is visible on the browser. If you have a hidden backdoor inside your wp-content/uploads, or a core file that doesn’t render content on the browser, it will not detect anything malicious. This means it might not detect the following:

  • Phishing Pages/li>
  • Backdoors
  • Mailer / DoS Scripts
  • Malicious Usernames
  • Or any injections or changes that don’t present themselves externally.

There is one other very important condition that could impact the scanners detection – conditional malware. There are many new sophisticated strands of malware that apply rules to every visit by a user. Those rules will dictate when something does or does not display. Rules vary and some only display to Google IPs. Some display only once a day, once per IP, once a week, or under specific conditions on the client’s local configuration.

Complementing SiteCheck

Because of some of these challenges, we introduced the server-side scanning for all paying clients (included in all of our plans). This scanner will crawl every file in your website directory and work to identify hidden backdoors, phishing pages, malware injections, spam, and other conditional type infections. Both scanners compliment one another and each are designed to detect certain things and help verify what the other catches.

Another benefit of our server-side scanning is it will generate an audit trail of any file changes, allowing us to see exactly when a compromise happened.

When you couple that with our manual audits done by our support team (a service included in all our plans), you’re receiving the most comprehensive review of your environment.

Conclusion

We hope this clarifies how SiteCheck works. If you have any questions, please feel free to engage our Labs team at labs@sucuri.net.

If you’re a customer, please note that there is no 100% solution to monitoring websites and detecting issues. This means that you’re not restricted to what our scanners detect. If you have a system or tool that is flagging something, or you see suspicious activity, you can engage the support team directly via our ticketing system.

If you have any questions about malware, blacklisting, or security in general, send it to us: support@sucuri.net – for all the “Ask Sucuri” answers, go here.

  • A lot safer for WordPress users to install a plugin like Website Defender or Wordfence which will help prevent hacking in the first place.

    These 2 plugins also alert you if there’s any changes in files and
    include other security features like limit login attempts which will help prevent brute force attempts to hack into your installation.

    These plugins also enable deeper detection of threats because they are installed on the server side.

    Web based security scanning is limited and not reliable which can provide a false sense of security.

    Thanks for writing this article Daniel and clearing up any confusion.

    • Daniel Cid

      Glad to help. Those plugins are indeed very useful and recommended. Our Premium WordPress plugin (available to all our clients) have similar options which include WAF (web application firewall), audit logs (yes, showing every activity inside WordPress) and integrity monitoring (detecting file changes). More info here:

      http://sucuri.net/wordpress-security-monitoring

      So yes, lots of good choices.
      thanks,

  • Thank you for the clarification Daniel. We offer the WordPress plugin to all our customers and it is a great defense mechanism.

    Your server-side scanner is also very effective.

    Thank you for keeping ClickHOST and our customers safe!

    Cheers, Carel.

  • I put the plug-in on every site I make or do work on. That uses WordPress. For the sites that do not I use Sucuri I wanted to ask if you guys had any thoughts about fire host?

  • Pingback: SiteCheck Extended – Making It Easier to Scan Your Websites | Sucuri Blog()

  • Pingback: Does Sucuri work with my host? Yes, Yes we do. | Sucuri Blog()