
This post is short and says little more than its title: yes, Mail.Ru Rating now checks the sites that have installed its counter for viruses and warns the webmaster when something looks suspicious. We did not write our own antivirus but used our partners' technology. Beyond this brief announcement, there are two more interesting questions that I would like to cover in more detail: “why?” and “how?”.
Let's start with “why”. However funny and paradoxical it may sound, in 2015 viruses on websites still exist. True, on large projects on the scale of Mail.Ru or Amazon, an antivirus alert most likely means a false positive on some particularly tricky adware or analytics code. The last case of a worm on a large project that comes to my mind dates, it turns out, all the way back to 2007 (it feels like yesterday...). It is unlikely to really be the last one, but compared with the loud password leaks that happen almost once a month, the difference is huge.
Small sites are a completely different picture. In terms of protection against the spread of viruses, they are frozen in the distant past. Components installed from unverified sources and the password “123456” for the admin panel are still encountered unacceptably often, and the webmasters who set them up still believe that everything is in order. We learned the specific numbers only after launching the check, but they were no big surprise: out of about a million of our clients' websites, more than 11,000 were infected. And they, of course, need to be warned about this. No sooner said than done, and here we move smoothly to the question of “how”.
We could either do everything ourselves or find a company that already had the solution we needed. Since website diagnostics is a rather specific task and outside our profile, we leaned toward the second option and decided to find a suitable company. As it turned out, the relatively young Russian service “Virusdie” (virusdie.ru) was the best fit for our requirements. It is a cloud antivirus and firewall which, among other things, detects viruses on sites and prevents re-infection. On test samples their results were no worse than those of eminent competitors, there were no technical limits on performance (and we had to work with millions of sites) and, importantly, it was easy to reach an agreement with them.
Creating a new service
For both us and Virusdie this was the first cooperation of this kind, so programming was needed on both sides. Previously, their code had always been deployed on the client side. Now they have set up a separate API for external checking of sites, and we add URLs to it and remove them from it.
The antivirus bot crawls its database once a day. Based on the check, it generates a report that contains:
- list of detected infections;
- list of suspicious activities and files;
- information on whether the checked site is on any blacklists (under SafeBrowsing programs).
Also once a day, we send out alerts to the newly “sick”. In addition, a check is run immediately when a new site is added to the Rating.
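The daily alert pass described above can be sketched as follows. This is an added example, not Mail.Ru's or Virusdie's code: the `SiteReport` field names, the rule for what counts as “sick” and the sample sites are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SiteReport:
    # Assumed layout mirroring the three report parts listed above.
    url: str
    infections: list = field(default_factory=list)   # detected infections
    suspicious: list = field(default_factory=list)   # suspicious activity/files
    blacklists: list = field(default_factory=list)   # blacklist listings

    def is_sick(self):
        # Assumption: infections or a blacklist listing trigger an e-mail;
        # suspicious-only findings are shown in the report but do not.
        return bool(self.infections or self.blacklists)

def daily_alerts(reports, previously_sick):
    """Return (alerts, sick_now) for one daily pass.

    Only sites that were not sick at the previous pass are alerted. A site
    with no report today (scan failed) keeps its previous state, so it is
    neither silently marked clean nor alerted twice once scans resume.
    """
    scanned = {r.url for r in reports}
    sick_now = set(previously_sick) - scanned
    alerts = []
    for r in reports:
        if not r.is_sick():
            continue
        sick_now.add(r.url)
        if r.url not in previously_sick:
            alerts.append({"url": r.url, "infections": list(r.infections),
                           "blacklists": list(r.blacklists)})
    return alerts, sick_now

def demo():
    # Constructed sample data: three daily passes over invented sites.
    day1 = [SiteReport("a.example", infections=["js-redirect"]),
            SiteReport("b.example"),
            SiteReport("c.example", suspicious=["obfuscated eval"])]
    day2 = [SiteReport("a.example", infections=["js-redirect"]),
            SiteReport("b.example", blacklists=["safebrowsing"])]
    day3 = [SiteReport("b.example")]          # a.example scan missing today
    sick, sent = set(), []
    for reports in (day1, day2, day3):
        alerts, sick = daily_alerts(reports, sick)
        sent.append([a["url"] for a in alerts])
    return sent, sick

if __name__ == "__main__":
    print(demo())
```

The immediate check for a newly added site is the same call with a single report and the current set of sick sites.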
Innovative architecture of our interaction.
Result
So, the Mail.Ru Rating now has a new “Site Security” section, which contains the results of checking the site with the Virusdie service, with a detailed description of the verdicts and recommendations. We also notify our users by e-mail about threats that have appeared on their websites.

All sites are checked once a day, and each of our users now receives up-to-date information about the security status of their site. According to our statistics, the most common threats are malicious redirects and unauthorized ad units (together about 40% of cases). The top 10 looks like this:
No company specializing in antivirus protection can guarantee 100% or even 99% reliability of the service it offers. Nevertheless, complaints about false virus detections are currently rare. We are not ready to estimate the number of missed threats, but whatever it may be, there are now fewer viruses in RuNet: at least 1000 sites have already been cleaned thanks to the introduction of this service.
And instead of a conclusion, a few words about our partner, the company Virusdie, in their own words:
The concept of the “Virusdie” service is quite simple: it allows you to remove malicious code (viruses, shells, etc.) from websites automatically and at the same time not disrupt the operation of the web resource. We also provide a firewall to protect the site, which is installed automatically and does not require any configuration. You can connect an unlimited number of sites to the service and manage all the tools directly through your personal account. “Virusdie” is very easy to use and is intended not only for webmasters, but also for website owners who do not have special knowledge or skills.