Google does not eradicate the malware or scareware from compromised computers, but only warns users that their machine is infected. People must run a legitimate antivirus program to detect and delete the threats, a point that security vendors were quick to make.
"Users still need to have an antivirus tool to clean their box and/or prevent becoming infected in the first place," said Adam Wosotowsky, a senior research analyst with McAfee Labs, in an email reply to questions today.
Menscher also responded to users' concerns that Google's warning was exactly the same ploy that malware makers count on to dupe people into downloading attack code or scareware.
"We thought about this, too, which is why the notice appears only at the top of our search results page," said Menscher. "Falsifying the message on this page would require prior compromise of that computer, so the notice is not a risk to additional users."
Ironically, Google also noted on its help page that searching for "antivirus" could produce links to scareware downloads. "If you prefer to find your own, be wary of fake antivirus software that may actually be malicious," the company warned.
Google's warning, and the way it alerted users, prompted some security experts to criticize the company.
"Google's saying that a fake message could only appear on machines that were already infected," said Thakur. "But [its own message] is for people who are infected. That seems to be negating their own message."
John Pescatore, an analyst with Gartner who covers security, brought up another concern. "I'm a bit worried because of the 'how to fix this' link Google has put in there," said Pescatore. "There are definitely scenarios [where] malware writers will take advantage of this."
Thakur agreed. "[Hackers] could easily adopt that same tactic," Thakur said.
He also expects criminals to quickly come up with a counter move.
"Smarter malware authors will be able to circumvent this very easily, so it's not an absolute answer," said Thakur. "For example, they could change the proxies to ones that Google doesn't know about."
Jaikumar Vijayan contributed to this report.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers, and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org. Read more about security in Computerworld's Security Topic Center.