Malware Clean Timeline & Expectations

Although SiteLock has an award-winning SMART File & Database Scanner, there are many situations where a SiteLock Security Analyst may need to perform a manual website review and clean. Below are some general timelines and expectations for you to consider when you have a SiteLock Security Agent working on a manual malware review or clean.

What happens during the malware clean process?

During the malware removal process a SiteLock Web Security Analyst will conduct a thorough, manual review of your website(s) and remove malware from your website code and database. SiteLock Web Security Analysts will also analyze your hosting account to identify potential issues and provide tailored recommendations for securing your hosting account and website(s).

For more information about the recommended follow-up steps once your website has been cleaned, see:

Can I make changes to my website while SiteLock is performing the clean?

No. During the malware clean, we ask that you stay out of the website and not make changes or try to complete work. Working in the account simultaneously will lead to conflicts. If we detect changes being made during the cleaning process, we will place the ticket on hold until we get confirmation via email that you have completed any work. This will delay your malware clean process.

How long will the malware clean take?

Without any other factors, we typically advise roughly 6 hours per website being cleaned. This allows us to complete multiple internal scans, review your website files and database based on our scan findings, and review other files outside of your website root that may be impacting security.

Please note that scanning additional website installations (such as improperly stored backups or test installs) may impact this timeline, as internal scans take longer when there are additional website files being scanned. These additional website installations may be present without your knowledge (they're typically created by your developer or whoever was hired to build your site originally), but they can lead to your live website being infected, despite your taking all the right steps. The SiteLock Security Analyst completing your clean will notify you via the follow-up email if they identify any of these types of website installations, and it's critical that they're addressed (either by adding SiteLock services to secure them or, if they're defunct or not used, by fully removing them from your hosting account). Failing to do so will often result in re-infection.

What if my website is suspended or blacklisted?

Hosting Suspension - When malware is detected in your hosting account, your host may suspend your account until all malware is removed. SiteLock will clean websites with SiteLock services, as well as any system folders within your hosting account. If there are additional website installations that are infected, these websites will need to be addressed by you. This can be done by adding SiteLock services to them or removing them from the hosting account fully. After the clean has been completed, you will receive an email with timelines and steps needed by you. If we were able to submit a request to your host on your behalf, we advise that it may take up to 48 hours for them to get to the request. Alternatively, you can call your host and advise that your account is now clean and request that they scan it to speed this process up. In some cases, we are not able to communicate with your host, so we will advise you to contact the host and request these next steps.

Blacklisted (Not Suspended) - If your website is blacklisted by Google, we will submit to Google on your behalf to remove the listing. Please note that when we submit your site to Google, we must add ourselves to your Google Webmaster account. If you have an account set up, you may see a user with an @sectigo.com email address validate into your account. This is the SiteLock agent cleaning your website. You can remove the access once you receive the post-clean email. Please note this process can take up to 5 days, per Google. During this time, your website is clean, but Google is still reporting that it's blacklisted. SiteLock cannot speed this process up, as this is entirely on the Google side.

Blacklisted & Suspended - If your website is both blacklisted and suspended, we must resolve the suspension first. Submitting to Google requires web validation that can't occur while your account is suspended. Once your website is back online, you can reach out to SiteLock to request de-blacklisting from Google, or you can submit the request yourself if you have a Google Webmaster account.

Why am I getting multiple system emails during the malware clean process?

During the malware clean process, SiteLock Security Analysts queue multiple internal scans to gather information and clean malware. These scans are tied to scans that will generate system notifications by default. This means that while a SiteLock Security Analyst is working on a malware clean, you may receive multiple system-generated emails. These emails can be disregarded until you receive an email from a SiteLock agent about the details of your manual clean.

Do I need to read the email you send me after the clean?

Yes! The email we send you may be long, but it will include all SiteLock recommendations to combat a malware re-infection. Once the malware is removed from your site, the job is not done. The malware may be gone, but the vulnerability that allowed it to enter in the first place still needs to be addressed. Failure to perform these recommended updates will likely result in re-infection that requires additional malware cleans to be performed.

Please note, in some extreme cases of repeat infection where you're not performing recommended follow-up steps after multiple re-infections, SiteLock may require an action plan prior to performing another repeat clean.

What if my website is broken after the malware clean process?

During the malware clean process, SiteLock's primary goal is to remove all malware from the covered website(s). In some cases, malware has damaged your legitimate website code during the initial attack. The SiteLock SMART File Scan can remove malicious code, but if that malicious code overwrote legitimate code, the legitimate code may need to be replaced to return functionality to your site.

If your website is using a common Content Management System (CMS) like WordPress, we may be able to replace the damaged file with a file from a clean WordPress installation. However, if this option is not available, SiteLock will do its best to hide any errors on the page, and then advise you that a restore may be needed to return functionality to the website. SiteLock can clean malware, but we cannot repair custom files damaged by malware.

NOTE: If your website is damaged, a restore is your only option, and you do not have your own backup, we urge you to speak with your web host promptly. Typically, hosting companies do not keep backups of websites they host indefinitely, so time is critical. For example, if your web host only keeps backups for 2 weeks, and you do not reach out within those two weeks, you may find that there is not a backup option, and the website (or that particular section of it) will need to be rebuilt.

What is the difference between malware and a vulnerability?

A vulnerability is the entry point; malware is the result.

Malware is code that has been added to your legitimate website code in order to perform actions that typically harm the website's reputation or its visitors. Although the common perception of a vulnerability is vulnerable code (for example, a plugin that has not been updated may have a vulnerability that allows an attacker to add malware code to your website), the most common vulnerabilities are typically behavior-based. Simple passwords. Reused passwords. No password updates. Multiple admin users. No multi-factor authentication enabled.

Why is it important that I know the difference between malware and a vulnerability?

One of the common misconceptions is that having a malware clean performed will resolve all malware and related vulnerability issues that allowed malware to enter the website. This is not the case. While SiteLock Security Analysts should be able to remove all malware code from your website, the original vulnerability that allowed malware to enter in the first place still needs to be addressed.

Let's step out of the world of cyber security for a second. Imagine making the mistake of opening all your doors and windows right before a massive storm. Your home is now dirty, full of all the junk and dirt blown in by the storm. You can hire a team to clean your house, and they'll do a pretty good job of getting it cleaned up and livable again. However, if you keep all the windows and doors open, and then there is a storm again tomorrow, the same thing will happen, because the underlying cause was never corrected.

In the above example, after paying to have a team clean your house, it would make sense that you may pay more attention to future weather and close your doors and windows before a storm. The same must be true of your website. If SiteLock completes a malware clean, then makes recommendations on updates that need to happen, it's critical that you perform these updates in a timely manner. Failure to perform recommended steps will typically result in a re-infection, because the original vulnerability is left unresolved.
