The Most Effective Approach to Stop Malvertising: Using Behavioral Analysis to Improve Advertising Security

by Kathy Knott, on Jul 8, 2020 2:15:00 AM

In general, there are three different categories of tools used to fight malvertising for publishers and platforms. This article will help you understand the differences of each type of approach, how they work, as well when they work to combat malvertising. In general, solutions fall into two major categories:

  1. Pre-Scanning Tools
    1. Creative scanning tools
  2. Real-Time Solutions
    1. Blocklist tools
    2. Behavioral analysis tools

-- Article Continues Below --

New call-to-action

Visit the Complete Malvertising Resource Center

Timeline of a Malicious Ad

Before diving into how each of these tools works, it is important to understand when each of them works during the process of serving ads.

The infographic below demonstrates the steps a malicious actor goes through, and where the tools that are used to fight malicious actors inject themselves into the process. This article offers a full breakdown of each step in more detail. timeline

Traditional Approaches to Stop Malvertising

The adtech industry has traditionally used the first two methods for attacking the problem (scanning tools and block list tools).

Malvertising Tool #1: Malware Scanning Tools

Scanning tools are used to pre-scan ad creative before for malware before serving the ad to users. Scanners seek to simulate the ad being shown to a user in an attempt to trick the malicious code to produce the malicious activity, before allowing that ad to be shown to real users.

Detection avoidance techniques:

  • Fingerprinting: Bad actors build malware that contains specific methods to combat detection inside of a scanning or sandbox environment. If the code detects that it is in such an environment, it will hide or choose not to display any malicious activity and show only a “safe” ad. Only once the code detects that it is in a real environment, and being shown to a real user will it deliver the malicious payload. Effectively this makes the ad look safe to scanners, but still malicious for users.
  • Misusing platform targeting options: Bad actors can use some of the legitimate ad targeting options available on the platform to show different variations of an ad. They can combine targeting options that are more likely to be in a scanning environment and show a clean or safe ad, and then show the malicious ad in other target segments that are more likely to be real user environments.

Scanning Environment vs. Execution Environment: Because scanners are creating sandbox environments, and not running in real environments, malicious code is able recognize and show a different face to each environment, allowing bad ads to be shown to users.

False positives & negatives: Scanning tools have risks for both false negatives and positives. In an attempt to be conservative, they may label ads that were actually good, clean ads as malicious, preventing you from generating revenue on those ads. They also run the risk of missing malicious ads and letting them through to users.

Read the Case Study

How cleanAD Completely Eliminated Malicious Redirects, Freeing up 60 Hours of AdOps Efforts per Week, for Venatus Media

Read the Case Study

Malvertising Tool #2: Real-Time Blocklist Tools

Blocklist tools will compare the URL, creative or snippet used in an ad to a list of “known bad” URLs, creative, or snippets to try and catch malicious actors that have previously been identified.

As the website page, platform, or application loads content, blockist tools will check all ad creative that is supposed to display, and compare it against a list of known malicious bad actors to then prevent creative from loading (if the bad actor matches a previous known attack).

Requires known bad behavior: In order for a solution like this to work, it requires the bad actor to have already successfully executed a malvertising campaign at that specific URL and had that URL added to a blocklist. In short, this means that a subset of end users will be impacted by the malicious activity before it is stopped.

Unable to catch “novel” attacks: Because tools like this require previously known behavior from a specific URL, they are likely unable to catch novel attack types that they haven’t seen before.

Detection avoidance techniques: Bad actors can rotate the domains from which they execute their malicious campaigns, obscure the domain they are executing from or utilize targeted bypassing techniques to trick block lists.

Impact user performance: Because the ad creative has to be checked against a very large list of known bad URLs every time content is loaded on the page, it can incur latency which affects the speed at which the user sees content on the page.

False positives & negatives: Real-Time Blocklist tools have a higher risk of false negatives, allowing malicious ads to be shown to users when they can’t catch them. In order for these tools to work, they either have to make the block list very specific to make sure you can catch each bad actor, but that doesn’t work well at scale. To scale, they have to make the list broad, but then you run the risk of accidentally catching clean ads in your net.

Using Behavioral Analysis to Change the Game

Malvertising Tool #3: CleanAD

CleanAD is one of the only tools on the market today that uses behavioral analysis to detect and stop malvertising.

We use the very behavior of malicious code against malvertisers to catch them in real-time while they are trying to serve malicious activity to real users.

Instead of running in a sandbox environment, cleanAD runs right on the page in the browsers or applications where real users are viewing ads. We look for behavioral patterns that indicate malicious activity, watch the execution of the code, and wait for the trigger of actual malicious activity to block the ad from displaying to users.

This means that:

  • Bad actors have already paid for their ads, and you have collected revenue.
  • Users won’t experience the malicious portion of bad ads.
  • You can be sure malicious activity was actually going to occur.

You don’t have to take our word for it. Recently on Reddit, a user asked members of the adops group for feedback on their experience with cleanAD.

Here was one user’s feedback on how our platform works differently:

“We are working with them as well and they are the best in their field.

Unlike other companies that are managing endless lists of BL and WL they came from cyber security field, they identify in real-time a JS that acting in a cretin behavior before hijacking a page and disable it. so the at the end the creative is being served you get paid and the malicious ad is being disabled”



cleanAD is able to catch malicious code by watching for certain behaviors like:

  • How code loads: We can look at how many stages there are to ad payloads if they are using iframes or are nested within scripts.
  • Fingerprinting traits: We can look for key behaviors that malvertisers use to try and detect when they are in a scanning environment. Thus far we’ve encountered hundreds of different methods bad actors use to detect and bypass scanners.
  • Malicious activity triggers: We can watch for (and wait for) the trigger of actual malicious activity like redirecting a user through no action of their own.

Some of the benefits of a behavioral analysis approach include:

  • More effective blocking of malicious ads: Because we aren’t relying on knowing previous bad actors or creating a separate environment for detecting malicious activity, but detecting in real-time, behavioral analysis tools are more effective at catching malicious advertising and preventing users from being affected.
  • Revenue is preserved: CleanAD is the only tool that catches bad actors after they have already paid you, preserving your revenue and ultimately discouraging bad actors from attacking your site in the long term (as it is unprofitable for them to do so).
  • Fewer false positives: Because we wait and block malicious code only when it begins to trigger, there is a lower risk of false positives.
  • No impact on speed or performance: Our software runs in real-time, and doesn’t rely on searching a large block list so there are no impacts on speed for the user.
  • Able to detect “novel” threats: Because we are watching behavior, and looking for malicious activity triggers, we are able to catch threats we have never seen before they display to users.
  • Full forensic details: We can provide a full “smoking gun” forensic report of the activity of every malicious attack attempt.

Another user’s response to the Reddit thread details some of these benefits from their own perspective:

“they’re just one of the few companies I’ve worked with that do what they say.

haven’t thought about redirects for two years. after having spent the previous four years knee-deep in Charles sessions trying to figure out who the hell was to blame… they’ve been great.”


One of the most impactful benefits that have become apparent to users is the amount of time that is freed up for the ad operations team. Instead of spending all of their time chasing down redirects, they are now free to focus on more strategic activities.

Some of the other user responses to the Reddit thread, articulate this benefit:

“great support and they do what they promise. we don’t get reports of re-directs using them and it was a nightmare for the 5 years before that trying to manually police bad buyers and manage angry users. highly recommended.”


“you can actually set it and forget it, they actually do what they promise”


Read the Guide

Malvertising: What You Need to Know to Prevent It

Malvertising prevention is essential for any publisher with an expansive online presence, and shoring up your lines of defense is a worthwhile investment.

Read the Guide


Final Thoughts

While it may sound too good to be true, we promise it isn’t. And we are willing to stand behind that promise.

You can try the platform completely free for 14 days and see for yourself just how powerful it is.

Come see what all the fuss is about:

“We have worked with them , actually still working with them. By far best out of all of them. We tried Confiant, Adlighting and they were okay but CleanIO best”


And ask yourself, what could you do if you didn’t have to spend all your time chasing redirects?

Try cleanAD free for 14-days to see why major publishers trust our platform as the simplest, smartest, and most effective anti-malvertising solution available.

The Complete Guide to Malvertising


Our blog

Where businesses come to learn more about protecting the points of digital engagement with their customers, audiences and users.

Subscribe to Updates