Protection Against Malware and Ransomware
Blocklists for the Security Community Since 2005
We offer non-commercial blocklists in formats compatible with several of the most commonly used DNS, firewall, IPS/IDS and AV tools, such as SpamAssassin, ClamAV, and SquidGuard, among others. These lists include verified data for active malware and ransomware.
Check out our configuration guides and tech support options here.
Participate and Protect Others
The Malware Patrol project began over 15 years ago as a group sharing malicious URLs. This community, more active than ever, continues to collect, analyze, and monitor malware. We gladly provide a platform and resources to facilitate the collection and distribution of our community’s data because we believe that information sharing is one of the most effective ways to fight cyber threats.
Send your suspicious emails and URLs to firstname.lastname@example.org or set up a spam trap. All submissions are verified hourly and any new malicious URLs will be immediately added. A single submission could help protect thousands of users.
Want a Free Subscription?
We offer free lifetime Basic Defense blocklist subscriptions (valued at $40/year) to the following:
- Educational organizations: For security teams, not students, to protect your organization’s networks and users. Request here.
- Regular contributors: Forward your suspicious emails to us regularly or set up a spam trap and you can have free data.
- Configuration guide authors: Write instructions for a tool/system/platform that we do not already have and submit to us.
A commercial license is required if you use our data to protect your customers.
Block List Subscription Options
Includes the last 7 days of malware URLs from our database, updated EVERY 72 HOURS. Available in the formats listed below. This data is for non-commercial use by any individual, group or organization.
Includes the last 15 days of malware URLs from our database, updated EVERY 4 HOURS. Non-commercial use only. The subscription fees help us maintain our infrastructure. Options listed below.
- MALWARE URL BLOCKLIST FORMATS
- ClamAV Virus DB
- Firekeeper 0.2.9 or newer
- Hermes SEG
- MailWasher
- Mozilla Firefox AdBlock
- SpamAssassin
- FEATURES
- Non-commercial use only
- Instant access
- Automatically downloadable (via scripts)
- Malware Patrol download script available
- Password-protected login
- MD5 hashes (to verify download integrity)
- MALWARE URL BLOCKLIST FORMATS
- ClamAV Virus DB
- Firekeeper 0.2.9 (or newer)
- Hermes SEG
- Hosts file – 127.0.0.1
- Hosts file – 127.0.0.3
- Hosts file – 0.0.0.0
- Hosts file – MacOS pre OS-X
- Mozilla Cookie Filtering
- Mozilla Firefox AdBlock
- Postfix MTA
- Squid Web Proxy ACL
- Non-commercial use only
- Monthly OR annual subscription
- Instant access
- Automatically downloadable (via scripts)
- Malware Patrol download script available
- Password-protected login
- MD5 hashes (to verify download integrity)
Our lists include what we call “MBL ID”, a unique identifier that correlates to each entry in the database. Because every entry is assigned this number, our system is structured to detect, and therefore avoid, duplicates. Basically, the “MBL_ID” helps us organize and debug the large amount of data in our lists.
The most common report of duplicate entries concerns what appear to be repeated domains or partial URLs. While these may look like duplicates, it is usually the case that multiple malware samples are hosted in a website’s directory. Each instance of malware on a single domain has its own unique identifier because it represents, for example, a different URL or directory, or was detected at a different point in time.
False positives / whitelisting domains
The quality of our data is very important to us. We ask that you send reports of false positives to fp (@) malwarepatrol.net. We will investigate promptly, update our database (if necessary), and let you know the results.
Please read this before submitting a report:
We often receive false positive reports on domains like docs(.)google(.)com, drive(.)google(.)com, dropbox(.)com and github(.)com. Unfortunately, these sites host malware more frequently than ever. To further complicate things, systems like Google Docs serve files from their root directories, forcing some formats of block lists to affect (block) the entire domain.
We understand that it is not always possible to block very popular websites. To help our customers in this situation, we modified our download script to allow for domain exclusions. These will be applied right after the lists are downloaded. The exact way to do it depends on your environment and configuration, but simple shell commands like ‘cat _filename_ | grep -v _domain_ > _new_file_name_’ can remove entries.
For help automating the removal of domains from block lists, contact our tech support via email: support (@) malwarepatrol.net – and they will be happy to help. Please remember to mention the blocklist you use and how you download it.
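A plain 'grep -v' matches substrings, so excluding github.com also removes entries for unrelated hosts whose names merely contain that text. The following is an added example, not Malware Patrol's download script: it removes only allowlisted hosts and their subdomains from a hosts-format list. The function name, the allowlist file and the sample hostnames are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Malware Patrol's download script.
# exclude_hosts ALLOWLIST < hosts-format list
# Drops an entry only when its hostname equals an allowlisted domain or is a
# subdomain of one; comments, blank lines and all other entries pass through.
exclude_hosts() {
    awk -v allow_file="$1" '
        BEGIN {
            while ((getline line < allow_file) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
                if (line != "") allow[tolower(line)] = 1
            }
        }
        /^[ \t]*(#|$)/ { print; next }
        {
            n = split(tolower($2), label, ".")
            suffix = ""
            for (i = n; i >= 1; i--) {      # com, github.com, raw.github.com ...
                suffix = (suffix == "") ? label[i] : label[i] "." suffix
                if (suffix in allow) next
            }
            print
        }
    '
}

# Constructed sample data (hostnames are illustrative only).
demo_dir=$(mktemp -d)
printf '%s\n' 'github.com   # too much legitimate content to block' > "$demo_dir/allow"
printf '127.0.0.1 %s\n' github.com raw.github.com notgithub.com.example \
    github.com.evil.example malware.example > "$demo_dir/hosts"

# The substring filter keeps 1 of 5 entries; the exact-host filter keeps 3.
echo "grep -v keeps:       $(grep -vc 'github.com' "$demo_dir/hosts")"
echo "exclude_hosts keeps: $(exclude_hosts "$demo_dir/allow" < "$demo_dir/hosts" | wc -l)"
rm -rf "$demo_dir"
```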
How can I automate data downloads?
There are multiple ways to automate the download and ingestion of our data feeds. Specifics depend on your operating system, environment and use of the data. As most of our customers utilize the data in *nix environments, the common tools used for automation are ‘wget’ and ‘curl’. A basic ‘wget’ command to download a block list looks like the following:
wget --no-check-certificate -O /etc/squid3/malware_patrol_blocklist '_URL_COPIED_FROM_YOUR_CUSTOMER_PORTAL_'
Keeping the data current also requires the operating system to run the download and ingestion on a regular schedule. For that, ‘cron’ is the choice of most of our customers.
Error message while downloading data
# Your access was denied.
# You may have supplied a wrong password, your subscription may have expired or you may not have access to this resource.
The most likely cause of your problem is that you are running wget in a Linux shell and did not enclose the URL in single or double quotes. The shell therefore interprets the ampersand (&) sign as an instruction to send the preceding part of the command to the background, and the URL is broken.
Try the following command instead, for example, to download a ClamAV block list:
wget --no-check-certificate -O /var/lib/clamav/malwarepatrol.db 'https://lists.malwarepatrol.net/cgi/getfile?receipt=_receipt_number_&product=_product_id_&list=clamav_ext'
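A scheduled download should not overwrite a working list with the denial message shown above or with a corrupted file. The following is an added example, not Malware Patrol's own download script: it quotes the URL, rejects a denied or empty response, optionally checks the MD5 hash, and only then replaces the live file. The function names are hypothetical, and it assumes that the denial text arrives as the content of the download and that the expected MD5 is supplied by the caller, since the page does not say how the hash is published.

```shell
#!/usr/bin/env bash
# Added example, not Malware Patrol's own download script.

# fetch URL OUTFILE: --no-check-certificate is left out, so wget validates the
# server certificate. "$1" is quoted, so '&' in the query string stays in the URL.
fetch() { wget -q -O "$2" "$1"; }

# check_list FILE [EXPECTED_MD5]
# returns 0 = usable, 1 = empty, 2 = access denied, 3 = MD5 mismatch
check_list() {
    local file="$1" expected="${2:-}" actual
    [ -s "$file" ] || return 1
    # Assumption: the denial text is delivered as the content of the download.
    if grep -q 'Your access was denied' "$file"; then return 2; fi
    if [ -n "$expected" ]; then
        actual=$(md5sum "$file" | cut -d' ' -f1)
        expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
        [ "$actual" = "$expected" ] || return 3
    fi
    return 0
}

# update_list URL DEST [EXPECTED_MD5]: download next to DEST, check, then rename.
update_list() {
    local url="$1" dest="$2" expected="${3:-}" tmp rc=0
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if ! fetch "$url" "$tmp"; then rm -f "$tmp"; return 4; fi
    check_list "$tmp" "$expected" || rc=$?
    if [ "$rc" -ne 0 ]; then rm -f "$tmp"; return "$rc"; fi   # keep the old list
    chmod 644 "$tmp"        # mktemp creates the file with mode 0600
    mv -f "$tmp" "$dest"    # same-directory rename: no partial list is ever read
}

# Constructed sample: a denied response is rejected and never installed.
sample=$(mktemp)
printf '# Your access was denied.\n' > "$sample"
check_list "$sample" || echo "rejected, status $?"
rm -f "$sample"

# Scheduled from cron, the call looks like this (URL in single quotes):
#   update_list '_URL_COPIED_FROM_YOUR_CUSTOMER_PORTAL_' /var/lib/clamav/malwarepatrol.db
```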
Accessing blocklist from multiple IPs
There are no restrictions on the number of IP addresses from which you can download the block lists.
Do you provide invoices?
We cannot provide invoices for Basic Defense subscriptions. Contact your account manager or support (@) malwarepatrol.net for Business Protect and Enterprise subscription invoices.