By Jeff Lukey

As part of their never ending quest to continuously improve their free to use Tag Management Solution (TMS), Google have now introduced automatic malware detection to Google Tag Manager (GTM). This new feature will warm the hearts of IT security personnel and add an additional layer of confidence for enterprise level clients looking to use the tool.

Back to blog home

Updated 26-Jan-16: Additional content and detail added.

What is malware and why does it need detecting?

Quoting Wikipedia:

'Malware' is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software.

Having such content on a site is obviously highly undesirable and will greatly affect a user’s trust and their likelihood to return. Consequently, the ability to automatically detect and block malware mitigates a notable risk to site performance.

Why is this applicable to GTM?

GTM has the capability to add HTML tags and JavaScript to web pages, both of which can make reference to (or even be) malware. To mitigate this risk, GTM has several features such as 2-step verification and whitelisting/blacklisting that either add additional security with regards who can edit high risk features or block particular types of tags from being added to a site entirely.

However, despite GTM having an ever expanding library of template tags, it is likely that at least some third party tags will need to be deployed using the higher risk custom HTML tag type or custom JavaScript variables may be required to temporarily plug a dataLayer gap.

But GTM is a controlled access system, surely no one would knowingly add malware tags to their own site?

This is a valid point and it is highly unlikely that anyone would intentionally add malware to their own site. However, since the majority of tracking tags reference third party code, it is possible to unwittingly transmit malware from third party libraries. The third party (network) provider would be unaware of the issue at the point the tagging code was provided, with the malware unknowingly infecting the provider when they subsequently switched a script library or template. Once in the third party’s network, the malware can then potentially transfer across to sites using the network’s code creating a hidden security risk.

Note that this risk is not inherently linked to TMSs and would still be present if the tag was hard coded. In fact, the new feature added to GTM now helps to identify and block these hidden threats which may otherwise go undetected.

How does GTM malware detection work and what does it do?

Malware detection launched on 21st January 2016. Since that time, GTM has been automatically scanning GTM containers for malware. GTM scans against a constantly updated list of suspected phishing and malware pages that is based on the Safe Browsing system and augmented with its own private systems. The addition of these private systems mean that there is potential for GTM to pick up malware content even when it is not flagged by the Safe Browsing list.

GTM scans all assets that have a high potential for abuse. This includes custom tags, variables and even triggers and template tags.

What happens if malware is detected?

Several things will happen immediately at the point malware is detected:

  • An email will be sent to users of the implicated container warning them of the issue. This email will go to all users who have access to that specific container, regardless of their permission level. It will look something like this (note these are dummy images):
example gtm malware alert email
  • A notification alert will appear within the GTM container interface:
example gtm malware interface alert
  • Any implicated assets will be blocked i.e. tags will act as though no triggers have been applied, variables will return undefined and triggers will cease to trigger.

Whilst only implicated assets will be blocked, there may be a knock-on impact on other content as detailed above. Additionally, blocked tags used within tag sequencing will be treated as a failed tag.

Awesome, so no further action is needed, right?

Wrong! Google still expects you to act on their notifications and implement a more permanent fix for the container. This fix should include the following steps:

  • Remove all triggers from malware-affected tags
  • Remove those tags from any tag sequencing
  • Delete/fix implicated triggers and variables
  • Test and publish the new container version including these fixes

Once these steps have been completed Google will then automatically re-scan the container to check the malware issues have been resolved.

What will happen if these steps are not completed?

If the original notification email goes unanswered, Google will send another email. This email will go to all users with access to the GTM account that the container sits within. If that follow-up email is not actioned within 1-2 business days, Google reserve the right to lock down the account, meaning that everyone’s access will be reduced to read-only until the issue is resolved. In most instances, Google will also lock down an account if an implicated tag is re-enabled.

Fear not, however, as Google will give access to the account back almost immediately once lines of communication have been re-established.

In summary

Malware detection is another great feature within GTM and should receive a warm welcome from the tagging community. Whilst tag blocking does occur automatically, it is important to understand that this should be considered a temporary solution and to ensure that Google’s notifications are acted upon diligently and in a timely manner. For this reason it is recommended that at least one of the users on the GTM account has a Google account that uses an email that is monitored daily.

For more information on GTM malware detection, you can visit Google’s own help page here.

Share this article