
Dealing with DFP Malvertising notifications


When Google emails you with the subject line “Open immediately: Malvertising notification” it tends to get your attention. A growing number of publishers have been receiving emails just like that and are not always sure what has caused the urgent notice warning about policy violations.

Any warning of a policy violation by Google (or DoubleClick) deserves immediate attention. The good news is that these malvertising notices are generally easy to deal with.

What the Malvertising notices mean

Malware is unwanted software that causes deliberate problems for users, such as spyware and viruses. When this is served via advertising systems it is called Malvertising.  Google tries to prevent the spread of malware in general, and is particularly against their systems being used to promote it.

If you receive a Malvertising notification from DoubleClick it means that your DFP installation has been used to promote malware.  This can happen either because you have served an ad that contains malware or because you served an ad that links to a site distributing malware. It doesn’t mean that your website is compromised.

How you could be distributing malware without knowing it

You could unwittingly serve malvertising if a “bad advertiser” booked an ad with you and used that to either link to a malware site, or even serve bad script as part of the creative. In practice this is rare though. More usually the malware is linked to an ad that is being served by another ad network.

Not all ad networks are as successful at (or as dedicated to) blocking malvertising. Even those that are rigorous in scanning the content of ads may have less control over the contents of the landing pages. Controlling malware end-to-end is a resource-intensive and difficult job, and the fact is that some networks have a poor track record with this and frequently let problems through.

What to do if you receive a Malvertising notice

The Malware notifications explain which line item is affected and that line item will be disabled when the notice is sent.  If you are happy not to serve that line item then you simply need to check that the impressions are being picked up by another line. We’d also recommend checking for other line items coming from the same source, but no further action is required to meet policy requirements.

If the notice relates to creatives from an ad network that you want to continue to work with then this is an issue that you need to address with that network to ensure that the ads they serve are not going to result in harm to your users.
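The check for other line items from the same source can be scripted. The following is an added example, not part of the original article or any Google tooling: it reads the Order / Line Item / Creative / Advertiser fields in the layout of the example notification on this page, then looks through a line item export for entries that share the advertiser or load their tag from the same host. The export columns, names and hosts are constructed assumptions.

```python
import csv
import io
import re
from urllib.parse import urlparse

# Constructed notice excerpt in the field layout of the example notification.
NOTICE = """Order: Example Network Backfill
Line Item: ExNet 300x250 ROS
Creative: ExNet tag 300x250
Advertiser: Example Network
"""

# Constructed line item export; the column names are assumptions, not a DFP format.
EXPORT = """line_item,advertiser,status,creative_code
ExNet 300x250 ROS,Example Network,PAUSED,<script src='https://tags.exnet.example/a.js'></script>
ExNet 728x90 ROS,Example Network,DELIVERING,<script src='https://tags.exnet.example/b.js'></script>
Reseller 300x250,Other Reseller,DELIVERING,<script src='https://tags.exnet.example/c.js'></script>
Local Garage 300x250,Local Garage,DELIVERING,<img src='https://cdn.publisher.example/garage.png'>
"""

def parse_notice(text):
    """Collect every value of each labelled field (a notice may list several)."""
    found = {}
    pattern = r"^(Order|Line Item|Creative|Advertiser):[ \t]*(.+)$"
    for key, value in re.findall(pattern, text, re.M):
        found.setdefault(key, set()).add(value.strip())
    return found

def tag_hosts(code):
    """Hostnames a creative snippet loads resources from."""
    return {urlparse(u).hostname for u in re.findall(r"src=[\"']([^\"']+)", code)}

def related_line_items(notice_text, export_csv):
    """Line items not named in the notice that share its advertiser or tag host."""
    flagged = parse_notice(notice_text)
    names = flagged.get("Line Item", set())
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    bad_hosts = set().union(
        *(tag_hosts(r["creative_code"]) for r in rows if r["line_item"] in names))
    hits = []
    for r in rows:
        if r["line_item"] in names:
            continue
        reasons = []
        if r["advertiser"] in flagged.get("Advertiser", set()):
            reasons.append("same advertiser")
        if tag_hosts(r["creative_code"]) & bad_hosts:
            reasons.append("same tag host")
        if reasons:
            hits.append((r["line_item"], r["status"], reasons))
    return hits
```

On the constructed data this surfaces a second line item from the same advertiser and a reseller line item under a different advertiser name whose tag loads from the same host, which an advertiser-name search alone would miss.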

How to prevent the problem in the future

The best defence against future Malware notifications is to be selective with the ad partners that you choose to run. At OKO we reject far more potential partners than we choose to work with, and one of the key considerations is the security and protection that the network offers. When you run ads on your site you are trusting the advertisers with your audience, and the sad fact is that not every firm offering ads deserves that trust.

Is this Google just trying to control whose ads I run?

There has been some criticism that Malvertising notifications are being used by Google to “landgrab” inventory. It’s true that they do benefit: by pausing line items that serve competitors, Google will often pick up the extra impressions in DFP and so earn more. They are, however, only pausing line items that have potentially put users at risk. Most publishers wouldn’t want to be seen to be serving Malvertising to their users, so it is not surprising that Google also takes steps to stop malvertising being served through its platform.

Malvertising and trust in ads is a common reason why users turn to using ad blockers.  Tackling these issues is important to ensure trust in ad supported websites.

An example Malvertising notification


Our system has detected activity which may violate Google policies in one or more of your DoubleClick for Publishers line items. The reasons are listed below:

To ensure the safety and security of our users, we’ve disapproved your ad because we’ve determined that your ad hosts or distributes malicious software.

Although certain bad advertisers may intentionally distribute malicious software, there are many cases where the webmaster or advertiser is unaware of the dangerous link because:

1) The ad was compromised.
2) The ad doesn’t monitor for malicious user-contributed content.
3) The ad displays content from an ad network that has an advertiser distributing malicious software.

Google uses its own criteria, procedures, and tools to identify and disable ads that distribute malware. To run your ad, follow these instructions to check your computer for malware, remove all malicious code from your ad, and submit your ads for review:


As a result, the following creatives have been disabled:

Order: [xxxxxxxxxxxxxxx]
Line Item: [xxxxxxxxxxxxxxx]
Creative: [xxxxxxxxxxxxxxx]
Advertiser: [xxxxxxxxxxxxxxx]

The affected line items will remain disabled until the creatives have been cleared by our system. If the line items or creatives haven’t been disabled, please disable them immediately. Follow up with the third party that provided you with the creative code to let them know that we’ve detected a problem. Once they’ve corrected the problem, DFP will detect that the creatives are safe and send you an email to let you know that you can re-enable the creatives and line items.

The DoubleClick Team

Mat Bennett