Google has marked my website as harmful for a file that does not exist
Background:
Recently, I encountered an issue where Google flagged my website as potentially harmful due to the presence of malware samples. These samples were uploaded, securely encrypted within a zip file, for the purpose of facilitating malware analysis by cybersecurity experts (Like virustotal (owned by Google), malware bazaar, etc.).
Actions Taken So Far: Upon discovering the situation, I promptly removed the identified malicious files from our website. Subsequently, I initiated a thorough review request with Google, outlining the steps taken to rectify the issue and enhance our website's security measures. However, despite these efforts, Google's response indicates that traces of malicious content are still present on our site.
Google said these are the malwares: https://ibb.co/QYJ8Fhq
When you try to go these links, you get this response: https://ibb.co/DVfztTj
Do you have any idea about fixing this situation ASAP? People can not log in to our app.
30 comments
[ 2.9 ms ] story [ 85.2 ms ] threadI disabled it.
They're just clicking the decline button, and its affecting our business.
Does your api use theses paths as well ?
Only the path '/download' seems affected. I don't understand why your api would use that though.
It could be caching, or it could be a policy thing. Websites that once hosted harmful content are probably much more likely than average to host it again. I do hope this can be reverted of course, I understand that the intention was not to be harmful (not that that would prevent a bad actor from pointing people to your download).
Have you made sure your robots.txt allows Google to scan and properly identify that the files have disappeared?
Also, how long have you waited? I wouldn't be surprised if it takes a few days for these sorts of things to make it through all the relevant systems. I do realise that's not very comforting when users are unable to use a website!
As an aside, to prevent this in the future perhaps, you mention that the files were encrypted. This should have prevented this because Google shouldn't be able to decrypt the file to understand that it is malware. Did you do the encryption from scratch or did you distribute the same encrypted file that might have been previously known about publicly, where Google might be able to pattern-match to known bad files? I would imagine you should be safe zipping and then encrypting the zip with your own encryption.
Disclosure: I do work at Google, but not on anything related to this, this is all just personal opinion based on work outside of Google.
Plus encrypting then zipping removes any compression opportunity so that's just a bad idea.
Not always!
https://en.wikipedia.org/wiki/CRIME
Also, the filename is not a unique indicator the identify a file as malware. I can put the filename as "Google Chrome.exe" and that doesn't mean this is a malware.
The second issue is, we just changed the our domain name and when i try to add it to "Authorized redirect URIs" for Oauth getting this error: "The request has been classified as abusive and was not allowed to proceed". So, i have no idea about what is going on about my domain.
- Using AES directly yourself with a strong password.
- Hosting behind authentication
- Using a different password per user.
This should a) make it effectively impossible to detect the malware, b) make it clear that the intention is for research and education only, and c) prevent bad actors from maliciously using your hosted repository of malware.
> when i try to add it to "Authorized redirect URIs" for Oauth getting this error: "The request has been classified as abusive and was not allowed to proceed"
Is this for Google OAuth? I don't know anything about this system, but I wouldn't be surprised if the data lags behind the up to date safe browsing database. Maybe try again tomorrow?
However there are still two ways to look at this: The defeatists will say that the open web of the old is now fubar, there is no point in building websites now because whatever you do you are at the whim of BigTechs to dictate the term of your website.
I try to keep more optimistic viewpoint. We can see that this is more or less the standard behavior of any antivirus measure, and your browser/antivirus service is tasked with an impossible job of deciding if the data it renders is benign or malicious, and whatever heuristic/criteria it comes up with is going to be leaky and cannot cover every edge cases. Platform should structure their system so that your components are localized, so it will be less susceptible to those kind of outage. Of the top of my mind, what step you should be taking: - Separation of domains between for your own assets/web and what the clients upload. A CDN, online bucket may help you here. - If you are doing a website builder, try to enforce the client to bring their domain to publish. Your default domain should be for evaluation purpose only.
It's hard world out there, sympathy to OP for being in this shitty position.
I can go host malware on my site now, get flagged, take it down, tell Google, get my site un-flagged, and re-host the malware. Google can play cat-and-mouse with me at the expense of its users, or just keep the site flagged until enough time has passed and/or if I make enough noise about it. It's not common for a site to intentionally host malware, and especially uncommon for sites to host malware for non-nefarious purposes.
And the problem is not about this, we removed all the files and Google said you didnt. They're not saying you're not trustable website, they said you still have the files but we haven't.
1. A bad actor is publishing a malware at example.com/malware-a.zip;
2. The antivirus measure block them;
3. They move it to example.com/malware-b.zip but tell Google that the site is free from all malware, because if Google hit the old url `example.com/malware-a.zip` it is a 404;
Should Google give the bad actor the benefit of the doubt, unblock them/ or keep blocking them?
Again, I'm not downplaying the shittiness of the situation both you are in right now, but again, this is the default behavior we are all expecting from any antivirus measure.
A better way of distributing malware sample for research maybe to serve them in a readonly FTP server. Your website only provide paths to the file, not the link itself. Google (probably?) won't be able to scan this FTP server.