Gravityscan Blog


How We Constantly Validate and Improve Gravityscan’s Accuracy

This entry was posted in Gravityscan on Jun 8, 2017 by Andie La-Rosa

Gravityscan adds a powerful layer of security for websites by identifying potential vulnerabilities, exploits and other security issues on your site. The quality of these scan results depends heavily on how accurate and current the data is that we compare your site’s files and configuration against, so we thought we’d give you a behind-the-scenes look at the different methods we use to constantly validate and improve Gravityscan’s accuracy.

Quality Third-party Blacklists

New security intelligence comes from a broad variety of sources, the great bulk of which is manual research and development by our security analysts. However, we also rely on a variety of reliable and industry-trusted third-party blacklists. The Gravityscan team adds new blacklists fairly regularly to help us aggregate the best and latest security intelligence into each and every scan. This isn’t a set-it-and-forget-it process, either; we continually evaluate the quality of each blacklist we select as a data source for our scans.

And though we have a robust set of criteria for selecting the blacklists Gravityscan draws on, to ensure that we select only the best curated lists, the quality of a list’s information isn’t the only measure by which we evaluate it for inclusion. For example, our scans won’t include blacklists that have no removal process or no contact information, because our customers would have no way to get their sites removed from those lists.

Carefully Curated In-house Domain Blacklists

Our in-house domain blacklist is a list of sites that we continuously update as we discover spam sites in the wild.

It’s actually relatively difficult for a domain to end up on our in-house domain blacklist! It’s a multi-step process that ultimately ensures that only legitimately compromised website domains get blacklisted.

First, we look for attempts to upload spam strings to sites, and for anything on those sites that redirects users to spam sites. Next, we search for keywords of known spam content and filter that data. Then we extract the domain names and run them through a few more filters before they are finally added to the domain blacklist. If Gravityscan finds a link to any of those domains on your site, it’s safe to assume that something is wrong, most likely content injected into your database.
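As an added illustration of that final check, the search for links to blacklisted domains, here is a small Python scanner (example code, not Gravityscan’s own; the blacklist entries and the page fragment are constructed placeholders). It pulls URLs out of link attributes as well as raw text and script content, where database-injected spam usually surfaces, normalizes each hostname, and matches parent domains so that subdomains of a listed domain are caught too.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample blacklist: placeholder domains, not real intelligence.
DOMAIN_BLACKLIST = {"spam-pharma.example", "cheap-pills.example"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

def normalize_host(url):
    """Lowercase hostname without port, trailing dot or leading 'www.'; None if unparsable."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".").lower()
    return host[4:] if host.startswith("www.") else host

def is_blacklisted(host, blacklist=DOMAIN_BLACKLIST):
    """True if host or any parent domain (but not the bare TLD) is listed,
    so 'track.spam-pharma.example' matches a listed 'spam-pharma.example'."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels) - 1))

class LinkCollector(HTMLParser):
    """Gathers URLs from link attributes and from raw text/script data."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)
    def handle_data(self, data):
        self.urls.extend(URL_RE.findall(data))

def find_blacklisted_links(html, blacklist=DOMAIN_BLACKLIST):
    """Return sorted (host, url) pairs whose host is on the blacklist."""
    collector = LinkCollector()
    collector.feed(html)
    hits = set()
    for url in collector.urls:
        host = normalize_host(url)
        if host and is_blacklisted(host, blacklist):
            hits.add((host, url))
    return sorted(hits)

# Constructed page fragment: a clean link, a hidden injected link, and a
# script redirect to a subdomain of a listed domain (with a port).
SAMPLE_HTML = """<p>Read our <a href="https://example.org/blog">blog</a>.</p>
<div style="display:none"><a href="http://www.Spam-Pharma.example/buy">buy</a></div>
<script>window.location='https://track.cheap-pills.example:8080/r?x=1';</script>"""
```

Running `find_blacklisted_links(SAMPLE_HTML)` on the fragment flags the hidden link and the script redirect while leaving the legitimate link alone.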

Finely Honed Malware Detection

We know firsthand that malware changes a lot. Many other web-based malware scanners don’t use custom-developed malware signatures to detect potential issues on your site. They just look for spammy keywords or lean on third-party sources for lists of known malicious functions, which leaves a lot of room for false negatives. In contrast, our increasingly vast repository of malware signatures is custom-developed just for our suite of security tools.

Our developers rely heavily on Wordfence site cleanings as the starting point for developing any new malware signatures. As our team of professionals inspects and cleans hacked websites, they get access to a massive amount of data to sort through continually. As they clean each site, they compare the compromises they find against the malware signatures we already have. Any potential instance of malware that we don’t currently detect gets analyzed thoroughly to ensure it’s truly malicious. Once we’ve confirmed it’s genuinely new malware that we’re not yet detecting, our development team writes a signature for it. That signature then goes through a rigorous QA process before it finally gets put into production.

Comparing Against the Competition

The Wordfence Security Services Team (SST) that cleans hacked websites for our customers actively uses Gravityscan throughout the process in conjunction with the rest of our team. When a new site cleaning request comes in, they first run a Gravityscan remote scan as a baseline for what the scanner detects. Next, they install the Gravityscan accelerator and run the scan a second time. Before starting the site cleaning, the SST reports the malware they found to the Gravityscan team so that signatures can be written to detect any newly discovered malware going forward.

We then use proprietary tools to run a series of tests on the hacked site in order to analyze and repair it. The site cleaning process runs numerous tests of up-and-coming signatures, compares the various scan results and reports back to the Gravityscan team anything that doesn’t match, so that we can get the new data into the system as quickly as possible.

The Significant Role of Customer Feedback

Gravityscan Pro users get the full experience of best-in-class customer support. We investigate every major issue from start to finish, and work diligently to resolve each customer’s question or issue as soon as possible, dealing with anything from false positives and usability suggestions to incompatibility with various server setups and software. Gravityscan Pro support is also happy to explain any confusing or unclear scan result, to shed light on any warnings about site compromises, and to fix any bugs. We’re committed to guiding each Gravityscan Pro customer through the process to their complete satisfaction, and in that process we learn a lot about our own product, too.

Gravityscan Pro users get one-on-one support, but free users can also participate and get help through our community feedback channel. We read every single piece of feedback that we get anywhere on the Internet (that we can see, of course!) and we sift through each of them and classify them, add them to existing bug reports, catalog false positives and incorporate feature requests.

One thing that we think makes Gravityscan’s support exceptional is that our support staff is made up entirely of highly technically skilled people. In many software companies, support, QA and product management are all separate and distinct departments, but we’re still small enough that there’s a lot of overlap between support and QA/development. We see this as a huge benefit to customers: it makes integrating customer feedback much more efficient, because we’re all technically skilled enough to make good judgment calls about the information our customers pass on to us. Developers work on the most severe issues first, judging by how many customers are affected and how badly the issue impacts the usefulness of the product, leaving no stone unturned.

Conclusion

We rely on a common-sense, comprehensive approach to make Gravityscan better every day, employing a truly collaborative development process that puts the full breadth of our expertise to the best possible use. The end result is continuous quality assurance, upgrading and improving Gravityscan’s accuracy with each piece of feedback.

2 Replies on "How We Constantly Validate and Improve Gravityscan’s Accuracy"

Sean Sullivan, June 27, 2017 at 8:38 pm

Loving the look and the feel of Gravityscan. I have a question as to why all WordPress Plugins are not being identified?

Andie La-Rosa, July 6, 2017 at 1:34 pm

Thanks for the kind words, Sean. The scan doesn't identify WordPress plugins, only malware, vulnerabilities and other potential security risks. Hope that makes sense!
