views:

700

answers:

4
+2  Q: 

404 Hijacking

Certain malware such as AVG hijack 404 pages in order to display a page in the browser riddled with their own ads. The only work around I've found is to abandon 404 http status codes for custom error pages in my webapp.

Is there any other work around?

Edit:

Anybody know of any other toolbars/programs that also hijack 404 pages without checking whether they are generic error pages or not?

Is there a way to detect the presence of AVG from the query string or otherwise? (I assume not)

I've created a petition to AVG on this.

+3  A: 

When you describe AVG as "malware" are you refering to the antivirus software?

I do not think malware means what you think it means.

Aside from abandoning the 404 code I doubt there is much you can do, as the client is free to do whatever it wan't with your 404.

I had a firefox plugin that checked the internet archive for an archived version of any 404 page I encountered.

If its not 404 then don't tell me it's 404 and I wont treat it like it's a 404...

Omar Kooheji
Yes, I understand what malware means, and believe that it applies to a program (AVG) that injects it's own ads into another program (your browser), with little (if any) attribution as to the origin of the page.
EoghanM
I'm not an AVG user, so I've never seen it. However, any software that hijacks the return codes is malware in my book.
Brian Knoblauch
@Brian, I think Omar's example shows your statement to be clearly untrue (Although, I suppose it *handles* rather than *hijacks* the 404 ;-).
Aaron Maenpaa
+15  A: 

It’s not your fault and it’s certainly not your responsibility. Keep the HTTP status codes, they are useful. If some of your users decide to install a browser plugin which handles 404 status codes, don't try to work around it.

There is a Google Webmaster Central Blog post about this topic:

[...] are confusing for users, and furthermore search engines may spend much of their time crawling and indexing non-existent, often duplicative URLs on your site. This can negatively impact your site's crawl coverage - because of the time Googlebot spends on non-existent pages, your unique URLs may not be discovered as quickly or visited as frequently.

xsl
Hmmm, I'd like to accept your answer and 'do the right thing', but the user in question had no idea that installing an anti-virus package would affect the browser, and clearly believed it was a problem with my site.
EoghanM
You could place a note on your 404 error page, which explains this issue.
xsl
EoghanM
+3  A: 

Yes, the protection racket that is Antivirus software highjacks 404 pages. That's not a reason to abandon the status code, though. Let the user suffer until he learns.

Some software, such as google's chrome only highjack the 404 pages if they are under a certain size, so make sure to create a somewhat meaning- and helpful error page.

MattW.
I believe I read that Chrome actually looks for the generic ones issued by servers (IIS, Apache, etc) that are among the more technical and only change those to more consumer friendly errors. I'm not sure that it's just size, though.
Thomas Owens
"Let the user suffer until he learns." is not acceptable from a usability perspective, and certainly sounds inhumane. While I agree with the sentiment, it does not solve the problem of displaying the page correctly to all users, no matter how naive.
EoghanM
A: 

i dont even have the dang toolbar installed and it still hijacks it :( how do i control this

I don't think the setting is in the toolbar - I think it is buried somewhere in the program.
EoghanM