QualysGuard Malware Detection Service FAQ



My web site is behind a firewall and hosted by a reputable ISP. Am I really in any danger of getting malware on my site?

YES! Research by security company Sophos found that 21,000 web pages were getting infected every day. These web pages belong to innocent companies and individuals whose sites had been compromised by cyber criminals. Many of these web sites had security in place. The principle of ‘defense in depth’ means that you need multiple layers of security and detection to keep your systems safe, and MDS provides that necessary layer of detection.


Is QualysGuard Malware Detection Service the same as using an Antivirus program?

No. Antivirus programs attempt to find and stop malware from infecting a computer. However, they cannot and do not consistently prevent web sites from getting hacked by cyber criminals.


Does QualysGuard Malware Detection Service use signatures like my Antivirus program to find malware on my web site?

QualysGuard Malware Detection Service uses both signatures and the more advanced method known as behavioral analysis. Signatures must find an exact match to the malware, which has become extremely difficult as cyber criminals have learned how to make small changes in every version of the installed code. Behavioral analysis tests to see if the web site is behaving in an abnormal way – in a way that malware would behave. This is the most effective and advanced form of malware detection.


I know it is bad for the people who visit my web site if they get infected from me, but does it have any direct effect on me or my web site?

Yes. By delivering malware to visitors you incur a high risk of being added to blacklists from Google, Bing and other search engines, or to URL blacklists from security vendors. These block visitors from getting to your web site, and your valuable, hard-earned brand reputation will be damaged. The potential loss of revenue could be devastating.


Do I need to install anything on my web site to use QualysGuard Malware Detection Service?

No. Once you have created your account, entered your web site domain and verified that you are the owner of that domain, QualysGuard Malware Detection Service will analyze your website from our servers in the cloud with no need for any software to be installed on your web server or in your web site code.


How will I be notified if malware is found on my web site?

Immediately upon completion of a scan, you will be sent an email telling you if your site is clean or if malware was found. By logging onto the QualysGuard Malware Detection Service management portal you can get all the details about the detected malware.


What should I do if malware is found on my web site?

If malware is detected on your web site there are many ways that it can be hiding in your source code. Please carefully review the malware details provided by the Malware Detection Service.


The ideal way to remove malware is to use a known, clean backup to restore your site. You need to be certain that the backup is clean and no changes have been made to the site since the backup.


To remove malicious code, remove the suspicious block of script identified by the service in the malware details. You can look at malware details per web page in the malware scan details. Alternatively, you can look at malware details by Qualys ID [QID] in the malware findings section. Once you verify that the block of script doesn’t belong, remove that section.


These are additional ways you can identify malware within an affected web page:


Once you have cleaned up your web site, please rescan using the Malware Detection Service to verify that the malicious code is gone. Important Note: Although removing malicious web site code cleans up the problem on your web site, it probably doesn’t close the hole that allowed the malware to be installed in the first place. Please ensure your machines are fully patched and updated with no current vulnerabilities. Try Qualys Freescan to get a detailed report on 1 publicly facing IP address, or QualysGuard SECURE Seal to do a comprehensive examination of your web site.


How do I change my password?

In the upper right of the management portal, under the “(Your Name)” drop down, is a selection to change your password. Simply enter your current password and the new password [twice].


How many web pages can I scan with QualysGuard Malware Detection Service?

You may scan up to 2000 pages with the standard QualysGuard Malware Detection Service. If you require scanning of more pages, contact a Qualys representative.


What pages within my web site are scanned by the Malware Detection Service?

When you configure a scan you are asked to enter the web site or web site URL. Generally that means something like www.example.com, which to us is the same as example.com. We call this the root domain. If you had entered bad.example.com then that entire string would be the root domain. Finally, if you entered example.com/about_us, the system would use example.com as the root domain. Another way to say this is that the root domain is whatever FQDN is part of the text you enter into the Web Site URL field.


Whatever is entered in the Web Site URL field is the starting point of a scan. The crawler looks for all the links on that page and validates that they are OK [not on any blacklist]. Next, the entire page source is examined against our static [signature and heuristics] engine to see if there are any obviously malicious or inappropriate scripts on the page. Then the current page is rendered in specially configured browsers in one of our Virtual Machines [VM] to see if any malicious behaviors are detected.


From the starting page, all links that include the root domain as part of the URL are then scanned in the same way as just described. That means if you started at the root domain of example.com and on that page we discovered good.example.com, then that page would be scanned just as described and so on until all links for the entire site [or up to the page limit] were completed. That would include pages such as example.com/about_us and ugly.example.com/green/warts.


If you had entered good.example.com as the root domain then the scans would examine a different and more limited range of pages. It would start at good.example.com and if example.com was detected on that page it would only confirm that the link was not blacklisted, but it would not crawl the page or look at the contents of that page in any way nor would it render the contents of that page in the browser VM. The crawler does not go past the boundary set by the root domain.


Finally, if you entered example.com/about_us as the root domain, the system would start the scan on that page but use example.com as the root domain. Therefore, the limit of the scan would be based on example.com although the scan would start at example.com/about_us.
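
The scoping rules above can be modeled to predict which links a scan will fully analyze and which will only be checked against blacklists. This is an added example, not Qualys code: the function names are hypothetical, and it assumes "include the root domain as part of the URL" means the link's host equals the root domain or is a subdomain of it, and that links are already absolute.

```python
from urllib.parse import urlsplit

def root_domain(entered: str) -> str:
    """Derive the root domain from the text typed into the Web Site URL field."""
    # urlsplit only fills in the host when a scheme is present, so add one.
    if "://" not in entered:
        entered = "http://" + entered
    host = (urlsplit(entered).hostname or "").rstrip(".")
    # The FAQ treats www.example.com as the same as example.com.
    if host.startswith("www."):
        host = host[4:]
    return host

def link_action(link: str, root: str) -> str:
    """Classify an absolute link discovered on a scanned page.

    'scan' = blacklist check, static analysis and browser rendering.
    'blacklist-check-only' = outside the root-domain boundary, not crawled.
    """
    host = root_domain(link)
    # Assumption: match on whole host labels, so notexample.com is not
    # treated as being inside example.com.
    if host == root or host.endswith("." + root):
        return "scan"
    return "blacklist-check-only"

def plan(entered: str, links: list) -> tuple:
    """Return the root domain and the action taken for each discovered link."""
    root = root_domain(entered)
    return root, {link: link_action(link, root) for link in links}

if __name__ == "__main__":
    # Constructed sample links, using the hosts named in the FAQ plus one
    # constructed external host.
    links = [
        "http://example.com/about_us",
        "http://good.example.com/",
        "http://ugly.example.com/green/warts",
        "http://partner.example.net/",
    ]
    for entered in ("www.example.com", "good.example.com", "example.com/about_us"):
        root, actions = plan(entered, links)
        print(f"entered={entered!r} root={root!r}")
        for link, action in actions.items():
            print(f"  {action:22} {link}")
```

Running it with good.example.com as the entry shows the narrower boundary: pages on example.com and ugly.example.com drop to a blacklist check only, so they need their own scan configuration to be covered.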


Will Qualys use this scan data for any other purposes?

Yes. The scan data will be used in aggregate with other scans to improve the accuracy of the scanning service and to identify new threats and trends across the internet. The scan data is securely stored and handled. All use of the data is fully anonymized and can’t be tracked to any specific IP address or web site, so there is no danger of information about your web site ever being disclosed.
