We recently had a client that was a victim of an attack and, as a result, all of the ads leading to the client’s site were disapproved with the “Malicious or Unwanted Software” status. This was the first time that I’ve encountered this issue in recent years, and after extensive research it appears that countless advertisers have trouble rectifying the issue. So I’m putting together a step-by-step guide to getting your campaigns running again.
Very important note: this assumes that you’ve managed to clean up the malicious software itself. I’m not an expert on security or hosting, so I can’t help much with this. Once your site is clean then you’re ready to start working to get the issue resolved with the Google Ads team.
Step 1: Open communication with the Google Ads support team.
You will want to establish a communication thread with the Google Ads support team so that you can track all of the communications and keep everything organized. I recommend calling the support team first.
When you get a support rep on the line you’ll want to tell them that you need help getting your ads reactivated after getting the “malicious links” disapproval. Specifically, you’ll want to ask them to scan the site again.
Once they scan the site you’ll get one of two responses: either the site will be clean and you’ll be able to restart your campaigns (yay!) or they will send you a list of links they still have problems with. They will send you an email with the list of links that need to be reviewed.
Step 2: You’ll Get an Email With Suspicious Links
The actual links that are sent in the email don’t really matter that much. If you’re site was compromised then it’s possible you’ll see all kinds of links in the email that don’t necessarily make sense, such as js file, image files, etc.
Again, the important part is the line of communication here, not necessarily the specifics. Notice the last part of the email, after the list of links.
They tell you specifically what needs to happen next, and it’s not intuitive.
Step 3: Clean Up Errors in Google Search Console
Google Ads apparently uses Google Search Console (formerly Google Webmaster Tools) as its basis for site security information. If you have a Google Search Console profile created for your domain (and hopefully you do, it’s crucial for SEO) then you can log in there.
On the dashboard in GSC you should immediately see a security warning. If not, click on Security and Manual Actions and then Security Issues.
Click on the warning message to get more information. You should see a button for “Request Review” or something similar. Once you’re confident that the site has been corrected and is completely clean then go ahead and request the review.
You should get an email when the review is completed and the warning message in GSC will go away. In my case this review took less than 24 hours, even though it was a weekend.
Step 4: Screenshots
We’re going to gather some evidence to submit to Google that the domain is clean and ready to be reactivated.
First, take a screenshot of the Security Issues page in Google Search Console showing that the domain is now clean. Make sure that you include the domain name in the screenshot.
Next, we need to take a screenshot of a security scan from a third-party website. I chose to use Sucuri because it’s well-known in the security industry. Run the security scan on your domain and make sure everything looks good. In my case, the results screen was too long for a screenshot to capture everything, so I used a Chrome extension called Full Page Screen Capture to export the page as a pdf.
Step 5: Contact Google Again
Reply back to the email you received from Google and include the screenshots. Tell them that the site is clean and you’re requesting that they review everything again. This can take some time, so be patient. In my case it took over 24 hours for the ads to start running again.
I noticed that the ads were approved and running again before I ever got a reply from Google, so keep watching the account.
If you don’t see the ads running or get a reply from the support team after 36 hours or so then you should call them again. Tell them that you’ve submitted evidence and that Google Search Console is clean. The phone support reps may be able to expedite things.
Conclusion
That’s it. Hopefully these steps will allow you to get your ads running again as quickly and painlessly as possible. Feel free to comment below if you have any questions or advice that I didn’t mention in the article.
Jim, You have provided an excellent guide here. These are all the steps which one needs to remove the issue. I have also written a guide which can be seen here on the same issue: https://fixmysitepro.com/case-study-fixing-google-ads-malicious-or-unwanted-software-issue/
Thank you so much for contributing to this solution to help fix error.