Question: How does SiteCheck work? I just scanned a site that I think is compromised but the scanner is showing it as clean. Is my site really clean or did you make a mistake?
Answer: SiteCheck is our free, remote website scanner that works to identify if the provided site is infected with any type of malware (including SPAM) or if it’s been blacklisted or defaced.
Sounds simple, but identifying these issues remotely (without server access) is a very complicated task, and that is why we do not guarantee 100% accuracy. If you see the “All clear” (green) result, it only means that nothing malicious was visible to us at the time we scanned.
Sucuri SiteCheck is a free & remote scanner. Although we do our best to provide the best results, 100% accuracy is not realistic, and not guaranteed.
How SiteCheck works
SiteCheck is a remote scanner. It visits your site like an everyday user or search engine bot would and verifies if any of the pages have malicious code. In its simplest form, this is how it works:
- We re-visit the main page acting as a search engine bot
- From the links we extract, we select 8-10 of them and visit them using different referrers and user agents.
- We run all those pages/links against our large malware database and perform multiple anomaly checks, comparing results between different user agents/referrers to see if there is anything hidden.
- We also check all the included resources against multiple blacklists to see if there is anything being flagged by others or that we identified on other compromised sites.
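The comparison step in the list above (fetching the same page as different visitors and looking for content that only some of them receive, then checking included resources against a blocklist) can be illustrated with the following script. This is an added example, not SiteCheck's own code; the three responses, the user agents, the referrers and the blocklist are all constructed sample data, and the tag-matching regexes are a deliberately small stand-in for a real HTML parser.

```python
"""Added example (not Sucuri's SiteCheck code): compare one page as fetched under
several user agents / referrers and flag content that only appears for some
visitors, then check every referenced host against a blocklist.
All responses and the blocklist below are constructed sample data."""
import re
from urllib.parse import urlparse

# Constructed sample: the same URL as served to three different visitors.
# The search-engine-bot variant carries extra hidden content.
SAMPLE_RESPONSES = {
    ("Mozilla/5.0 (Windows NT 10.0) Chrome/120", "https://www.google.com/"): (
        "<html><body><h1>Welcome</h1>"
        '<script src="https://cdn.example.com/app.js"></script></body></html>'
    ),
    ("Mozilla/5.0 (Windows NT 10.0) Chrome/120", ""): (
        "<html><body><h1>Welcome</h1>"
        '<script src="https://cdn.example.com/app.js"></script></body></html>'
    ),
    ("Mozilla/5.0 (compatible; Googlebot/2.1)", ""): (
        "<html><body><h1>Welcome</h1>"
        '<script src="https://cdn.example.com/app.js"></script>'
        '<div style="display:none"><a href="http://spam.example.net/pills">cheap pills</a></div>'
        '<script src="http://spam.example.net/inject.js"></script></body></html>'
    ),
}

# Constructed blocklist of hosts; a real scanner would consult many feeds.
SAMPLE_BLOCKLIST = {"spam.example.net"}

# Opening tags of the element types most often used to inject content.
TAG_RE = re.compile(r"<(script|iframe|a|div)\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r'(?:src|href)="([^"]+)"', re.IGNORECASE)


def extract_elements(html):
    """Set of script/iframe/a/div opening tags found in the page."""
    return {m.group(0) for m in TAG_RE.finditer(html)}


def extract_resource_hosts(html):
    """Hosts of every absolute src/href in the page (resources and links)."""
    hosts = set()
    for url in SRC_RE.findall(html):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def find_conditional_content(responses):
    """Elements present in some variants but not all: candidate cloaked content.
    Returns {element: sorted list of (user_agent, referrer) keys that saw it}."""
    per_variant = {key: extract_elements(html) for key, html in responses.items()}
    common = set.intersection(*per_variant.values())
    result = {}
    for key, elems in per_variant.items():
        for e in elems - common:
            result.setdefault(e, []).append(key)
    return {e: sorted(v) for e, v in result.items()}


def find_blocklisted_hosts(responses, blocklist):
    """Hosts referenced by any variant that appear on the blocklist."""
    seen = set()
    for html in responses.values():
        seen |= extract_resource_hosts(html)
    return sorted(seen & {h.lower() for h in blocklist})


def scan(responses=SAMPLE_RESPONSES, blocklist=SAMPLE_BLOCKLIST):
    """Run both checks. 'nothing observed' is not proof the site is clean."""
    conditional = find_conditional_content(responses)
    flagged = find_blocklisted_hosts(responses, blocklist)
    return {
        "conditional_elements": conditional,
        "blocklisted_hosts": flagged,
        "verdict": "suspicious" if (conditional or flagged) else "nothing observed",
    }


if __name__ == "__main__":
    report = scan()
    print("verdict:", report["verdict"])
    for elem, seen_by in report["conditional_elements"].items():
        print("only shown to", seen_by, ":", elem)
    print("blocklisted hosts:", report["blocklisted_hosts"])
```

Run against the constructed sample, the hidden div, the spam link and the injected script are reported as seen only by the Googlebot variant, and `spam.example.net` is reported as blocklisted. Drop the Googlebot variant and the verdict becomes "nothing observed", which is exactly the situation the answer above describes: the scanner can only report what it was shown.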
As you can see, we only have access to what is visible in the browser. If you have a hidden backdoor inside your wp-content/uploads directory, or a core file that does not render any content in the browser, the scanner will not detect it. This means it might not detect the following:
- Phishing pages that are only known to the attacker but have no direct links
- Hidden links or spam injections where we cannot attest that they were inserted by an attacker
There is one other very important condition that could impact the scanner's detection: conditional malware. There are many new, sophisticated strains of malware that apply rules to every visit by a user. Those rules dictate when something does or does not display. Rules vary: some only display to Google IPs, some display only once a day, once per IP, or once a week, and some only under specific conditions of the client's local configuration.
Because of some of these challenges, we introduced server-side scanning for all paying clients (included in all our plans). This scanner crawls all files in your website directory and works to identify hidden backdoors, phishing pages, malware injections, spam and other conditional types of infection. Both scanners complement one another: each is designed to detect certain things and helps to verify what the other catches.
Another benefit of our server-side scanning is it will generate an audit trail of any file changes, allowing us to see exactly when a compromise happened.
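The audit trail described above is, at its core, a file-integrity baseline: hash every file under the web root, store the result, and on each later run record which files were added, modified or removed. The following is an added example of that mechanism, not Sucuri's server-side scanner; the tiny web root it builds in a temporary directory, the file contents and the fixed timestamp are all constructed so the script runs offline.

```python
"""Added example (not Sucuri's server-side scanner): a minimal file-integrity
baseline and audit trail. It hashes every file under a web root, compares
against a stored baseline, and records each added/modified/removed file with a
timestamp. The sample web root is constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile
import time


def hash_file(path):
    """SHA-256 of a file, streamed so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> sha256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def diff_baseline(old, new, now=None):
    """Audit-trail entries describing how `new` differs from `old`.
    Each entry carries the time the change was observed, so the trail shows
    when a file first changed even if the content is only analysed later."""
    ts = now if now is not None else int(time.time())
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append({"ts": ts, "event": "added", "path": rel, "sha256": new[rel]})
        elif rel not in new:
            events.append({"ts": ts, "event": "removed", "path": rel, "sha256": old[rel]})
        elif old[rel] != new[rel]:
            events.append({"ts": ts, "event": "modified", "path": rel,
                           "old_sha256": old[rel], "sha256": new[rel]})
    return events


def demo():
    """Constructed scenario: baseline a tiny site, then one core file changes and
    an unexpected file appears under uploads; return the resulting audit trail."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "wp-content", "uploads", "logo.png"), "wb") as f:
            f.write(b"\x89PNG constructed image bytes")
        baseline = build_baseline(root)

        # Later run: index.php was modified and a PHP file appeared in uploads,
        # the kind of change a remote scanner cannot see but a file baseline can.
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("// constructed change for the example\n")
        with open(os.path.join(root, "wp-content", "uploads", "x.php"), "w") as f:
            f.write("<?php /* constructed placeholder file */ ?>\n")
        return diff_baseline(baseline, build_baseline(root), now=1700000000)


if __name__ == "__main__":
    for event in demo():
        print(json.dumps(event))
```

The unchanged image produces no entry, the edited core file is logged as modified with both hashes, and the new file under uploads is logged as added. Keeping the baseline and the trail somewhere the web server cannot write to is what makes the record trustworthy when it is later used to establish when a compromise happened.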
When you couple that with our manual audits (done by our support team and included in all our plans), you start building a very high level of detection confidence in all the sites we monitor.
We hope this clarifies how SiteCheck works, but if it does not, please ask more questions and we will be happy to respond. A very important thing that all clients need to understand is that our remediation services are not restricted to what we do detect. If at any time you feel you may be compromised you are never more than one support ticket away from us manually hunting it down and removing it for you.