The Channel logo


By | John Leyden 1st August 2008 10:02

McAfee: Why we blacklisted SANS

False positives almost unknown, claims SiteAdviser boss

Analysis McAfee's SiteAdvisor security tool briefly blacklisted the respected SANS Institute on Wednesday. The incident highlights wider concerns about the reliability of the safe surfing tool.

Websites including the main website, as well as related sites and sites, were tagged as bad and given a red flag. The classification arose because newsletters held on the main SANS site pointed to exploit samples on third-party web sites.

While the classification was therefore not completely unreasonable, giving one of the most respected information websites on the net the same rating as, for example, a phishing or malware serving website is more than a little rum.

The problem was rapidly sorted out after the SANS Institute got in touch with McAfee, in line with the security firm's promise to respond to concerns about classification (though not necessarily to make changes) within 24 hours.

Ernst & Young security advisor and security blogger Nathan McFeters is caustic about McAfee's classification, arguing that McAfee ought to know better than red-flagging the home of the Internet Storm Center. McFeters, not McAfee directly, was responsible for alerting Internet Storm Centre staffers about the classification.

Take this on advisement

McAfee SiteAdvisor runs a set of automated tools which browse sites, download files, and enter information on sign-up forms in order to warn users if sites either present a malware risk or are sending out spam. The service is available as a browser plug-in as well as through a deal with Yahoo! to include SiteAdvisor ratings within search results.

SiteAdvisor maintains an index of 21 million of the most popular websites, according to Tim Dowling, global VP of web security for McAfee. We spoke to Dowling on Tuesday about SiteAdvisor to determine why it took more than a week to change a negative classification of UK software review site earlier this month.

Written statements from McAfee in response to our queries were a bit ambiguous, but Dowling stated that the initial malign classification of was correct. The site was only given the all clear after scheduled repeat tests came back clean. It was the need to reschedule a test that meant the whole business took time to sort out. McAfee SiteAdvisor aims to retest popular sites about once a week but it may take up to a month for it to return and test less high-profile ones.

Julian Moss, managing director of, is adamant that SiteAdvisor's classification was wrong. McAfee took exception to a free trial download of a reputable anti-spyware product, which 32 out of 33 scanners at VirusTotal (with McAfee being the exception) said were clean.

The incident with, along with scattered reports of earlier false positives, raises questions about the reliability of SiteAdvisor classifications. "Our tests are very accurate," Dowling said. "The frequency of false positives is fewer than one a month. Changes in classifications we make are almost always because sites have changed their behaviour.

"The email tests are the ones than have the most false positives. Users can have confidence in our ratings."

Adware numbers gamers

Many recent surveys - by vendors including Sophos, Websense and IBM X-Force - have pointed to the planting of malicious scripts on legitimate websites (typically using SQL injection attacks) as a growing risk. Dowling however suggested that a majority of sites given the red flag by SiteAdvisor have deliberately done something bad or at least stupid.

"Website owners sometimes mistakenly link to wrong site, which creates a guilt by association. Others are attempting to game the system by linking to adware, which can be used to boost search engine ratings," he explained.

McAfee is yet to get back to us with stats to back up these observations, which run contrary to prevailing industry wisdom.

Legal beagle

In response to our earlier story about SiteAdvisor, some respondents said that false warnings that their sites were either harbouring malware or sending out spam were only addressed after hints at legal action were made. Dowling said getting lawyers involved was unnecessary.

"If a site owner comes to us with a complaint we'll take a look at the rating. We endeavour to respond to people within 24 hours," he explained.

Anyone disagreeing with the rating of a particular site is invited to notify McAfee here.

Website owners who've had problems with SiteAdvisor classifications are invited to email El Reg (Oi, SiteAdvisor. No!). ®

comment icon Read 13 comments on this article alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe