Protection Against Malware and Ransomware

Blocklists for the Security Community Since 2005

We offer non-commercial blocklists in formats compatible with several of the most commonly used DNS, firewall, IPS/IDS and AV tools, such as SpamAssassin, ClamAV, and SquidGuard, among others. These lists include verified data for active malware and ransomware.

non-commercial subscription

Check out our configuration guides and tech support options here.


Participate and Protect Others

The Malware Patrol project began over 15 years ago as a group sharing malicious URLs. This community, more active than ever, continues to collect, analyze, and monitor malware. We gladly provide a platform and resources to facilitate the collection and distribution of our community’s data because we believe that information sharing is one of the most effective ways to fight cyber threats.

Send your suspicious emails and URLs to or set up a spam trap. All submissions are verified hourly and any new malicious URLs will be immediately added. A single submission could help protect thousands of users.


Want a Free Subscription?

We offer free lifetime Basic Defense blocklist subscriptions (valued at $40/year) to the following:

    1. Educational organizations: For security teams (sorry, not students or researchers!) to protect your organization’s networks and users. Request here.
    2. Configuration guide authors: Write instructions for a tool/system/platform that not already listed on this page and submit to us.


A commercial license is required if you use our data to protect your customers.

Block List Subscription Options 

Free Guard

Includes the last 7 days of malware URLs from our database, updated EVERY 72 HOURS. Available in the formats listed below. This data is for non-commercial use by any individual, group or organization.

Basic Defense

Includes the last 15 days of malware URLs from our database, updated EVERY 4 HOURS. Non-commercial use only. The subscription fees help us maintain our infrastructure. Options listed below.

Educational Organizations

Educational organizations and regular contributors qualify for free subscriptions to our Basic Defense Block Lists for the protection of their internal users and networks. Request your account here.

Blocklist Formats

Free Guard

Basic Defense

Updated every 72 hours Updated every 4 hours
ClamAV Virus DB
Mozilla FirefoX AdBlock
Firekeeper 0.2.9 (or newer)
Hermes SEG
Hosts file – X
Hosts file – X
Hosts file – X
Hosts file – MacOS pre OS-X X
Mozilla Cookie Filtering X
pfBlockerNG X
PostfiX MTA X
SmoothWall X
DansGuardian X
Squid Web ProXy ACL X
SquidGuard X


Non-commercial use only
Password-protected login
Instant access
Automatic download script
Monthly OR annual subscription X
MD5 hashes (to verify download integrity) X
Days’ worth of data 7 15
  SUBSCRIBE SUBSCRIBE ($4.19/Month)SUBSCRIBE ($39.99/Year)

Blocklist FAQs

Duplicate entries

Our lists include what we call “MBL ID”, a unique identifier that correlates to each entry in the database. This number assigned to each entry means our system is actually structured to detect, and therefore avoid, duplicates. Basically, the “MBL_ID” helps us organize and debug the large amount of data in our lists.

The most common report of duplicate entries is related to what appears to be repeated domains or partial URLs. While it may seem that these are duplicates, it is usually the case that there are multiple malware samples hosted in a website’s directory. Each instance of malware on a single domain has its own unique identifier because it represents a different URL, directory, or was detected at a different point in time, for example.

False positives / whitelisting domains

The quality of our data is very important to us. We ask that you send reports of false positives to fp (@) We will investigate promptly, update our database (if necessary), and let you know the results.

Please read this before submitting a report:

We often receive false positive reports on domains like docs(.)google(.)com, drive(.)google(.)com, dropbox(.)com and github(.)com. Unfortunately, these sites host bad malware more frequently than ever. To further complicate things, systems like Google Docs serve files from their root directories, forcing some formats of blocklists to affect (block) the entire domain.

We understand that it is not always possible to block very popular websites. To help our customers in this situation, we modified our download script to allow for domain exclusions. These will be applied right after the lists are downloaded. The exact way to do it depends on your environment and configuration, but simple shell commands like ‘cat _filename_ | grep -v _domain_ > _new_file_name_’ can remove entries.

For help automating the removal of domains from blocklists, contact our tech support via email: support (@) – and they will be happy to help. Please remember to mention the blocklist you use and how you download it.

How can I automate data downloads?

There are multiple ways to automate the download and ingestion of our data feeds. Specifics depend on your operating system, environment and use of the data. As most of our customers utilize the data in *nix environments, the common tools used for automation are ‘wget’ and ‘curl’. A basic ‘wget’ command to download a block list looks like the following:

wget –no-check-certificate -O /etc/squid3/malware_patrol_blocklist ‘_URL_COPIED_FROM_YOUR_CUSTOMER_PORTAL_’

The download and ingestion of the data by whatever software you use also require the operating system to frequently perform these tasks. For that, ‘cron’ is the choice of most of our customers.

Error message while downloading data

Error messages:

# Your access was denied.
# You may have supplied a wrong password, your subscription may have expired or you may not have access to this resource.

The most likely cause of your problem is that you are running wget in a Linux shell and did no enclose the URL in single or double quotes. Therefore, the shell understands the ampersand (&) sign as an indication that part of the command should be sent to the background and the URL is broken.

Try the following command instead, for example, to download a ClamAV block list:

wget –no-check-certificate -O /var/lib/clamav/malwarepatrol.db ‘’

Accessing blocklist from multiple IPs

There are no restrictions in the number of IP addresses from which you can download the block lists.

Do you provide invoices?

We cannot provide invoices for Basic Defense subscriptions. Contact your account manager or support (@) for Business Protect and Enterprise subscription invoices.