+1.813.321.0987

Tech Support

Need Help?

For tech support or questions, please email support (at) malwarepatrol.net. If you are a commercial customer, you can contact your Account Manager for assistance.

General questions or inquiries can be submitted using our contact form. Or feel free to connect and send us a direct message on Twitter for non-support questions.

If you would like to evaluate our data for commercial purposes, please visit our services page to determine the best option for your needs. Request an evaluation of our Enterprise Threat Data by clicking below:

Free Enterprise Data Evaluation

Block List Configuration Guides

We have prepared configuration instructions for the platforms listed below. You may always contact our tech support at support (at) malwarepatrol.net if you need help configuring our block lists and data feeds for your favorite software.

BIND9

Bind is the world’s most used DNS server.

Malware Patrol provides a zone file compatible with Bind 9. Its usage as a DNSBL (DNS black list) denies access to domains that are involved in malware and ransomware activities. DNS queries for malicious domains return the loopback address (127.0.0.1) preventing access to download malicious binaries, to relay stolen data and to contact command and control servers. You can follow these simple steps to configure your Bind 9 instance and protect the internal network, computers and users from getting infected by malware.

Please be advised that we have noticed that Bind on CentOS 7 is somehow limited in the number of zones it can load and therefore doesn’t work well with our block list. If you experience trouble loading the zone file, Bind exists unexpectedly, this may be the reason, contact our tech support.

1) Make sure your Bind 9 is installed and working properly. There are several resources on the Internet that can help you install it depending on your platform. If you are experiencing trouble, start at: https://www.isc.org/downloads/bind/. You should also be able to use distribution specific tools like apt-get and yum. For example: apt-get install bind9.

2) Determine the path to the configuration files used by Bind. This most likely will be /etc/bind or /etc/named. One way to find the path is to issue this command: find / -name named.conf

3) Notice: the path /etc/bind will be used throughout this How To, please adapt the commands shown here appropriately if your path is different.

4) Change to the directory that contains Bind configuration files, for example: cd /etc/bind

5) Download Malware Patrol’s zone file:

wget -O /etc/bind/blackhole.malwarepatrol.zone ‘https://malwarepatrol.net/pub/20160707/blackhole.malwarepatrol.zone’

6) Add the following line to the end of the file /etc/bind/named.conf

include “/etc/bind/blackhole.malwarepatrol.conf”;

7) Execute the first update:

/usr/bin/wget –no-check-certificate -qO- ‘_URL_TO_BIND_BLOCK_LIST_’ | sed ‘s/mbl.zone.file//etc/bind/blackhole.malwarepatrol.zone/g’ > /etc/bind/blackhole.malwarepatrol.conf

notice 1: don’t forget to change the command line if your path is not /etc/bind

notice 2: don’t forget to change the _URL_TO_BIND_BLOCK_LIST_ paramenter to your custom URL. To find the correct address, log in to your account, right click on the “download” link for the Bind block list and choose “Copy link location”

8) Restart Bind with the following command: service bind9 restart

9) Configure a new cronjob to update the Bind zone every hour:

MM * * * * /usr/bin/wget –no-check-certificate -qO- ‘_URL_TO_BIND_BLOCK_LIST_’ | sed ‘s/mbl.zone.file//etc/bind/blackhole.malwarepatrol.zone/g’ > /etc/bind/blackhole.malwarepatrol.conf ; service bind9 restart

To make this set up effective, you should configure your customers’ DNS server(s) to point to the new Bind. This can be easily achieved via DHCP. Still, customers may manually configure their systems to use external DNS servers, therefore bypassing this protection mechanism. To avoid that, apply firewall rules that properly deny traffic to external DNS servers.

If you experience any difficulties configuring Bind 9 to use Malware Patrol, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

BIND9 RPZ - DNS Firewall

BIND is the world’s most used DNS server and can be configured as a DNS Firewall using RPZ zone files. Response Policy Zone (RPZ) enables DNS administrators to selectively block name resolution of Internet resources known to be used by cyber criminals.

Malware Patrol provides five zone files compatible with BIND 9 RPZ. They contain domains used to host C2s (command and control servers), domain names generated via DGAs (domain generation algorithms) used by malware and ransomware and domains hosting malware binaries. Its usage as a DNS Firewall denies access to resources involved in malware and ransomware activities. DNS queries for these domains return a special address that advises users on why the access was blocked and prevents malware and ransomware infections, communications with C2s and drop zones commonly used to exfiltrate information. You can implement any or all zone files at your discretion. Follow these simple steps to configure your BIND 9 instance and protect the internal network, computers and users.

Please be advised that the usage of the “malware binaries” RPZ zone may result in blocking large well known websites that are actively hosting malware and ransomware samples. The use of the “DGAs” and “C&Cs” zone files is less likely to deny access to renowned websites.

1) Make sure your BIND 9 is installed and working properly. There are several resources on the Internet that can help you install it depending on your platform. If you are experiencing trouble, start at: https://www.isc.org/downloads/bind/. You should also be able to use distribution specific tools like apt-get and yum. For example: apt-get install bind9.

2) Determine the path to the configuration files used by BIND. This most likely will be /etc/bind or /etc/named. One way to find the path is to issue this command: find / -name named.conf

3) Notice: the path /etc/bind will be used throughout this How To, please adapt the commands shown here appropriately if your path is different.

4) Change to the directory that contains BIND configuration files, for example: cd /etc/bind

5) Set up cron jobs to regularly download the appropriate zone file(s) to the BIND configuration directory. URLs for the zone files can be found in your Business Protect data feeds page. The RPZ – DNS Firewall data feeds are updated every hour. You can use the MD5 hashes to validate the file’s integrity.

Add the following lines to “named.conf.default”-zones, according to the zones you want to use:

zone "mp_rpz_c2" {
type master;
file "/etc/bind/mp_rpz_c2.db";
};

zone "mp_rpz_dga" {
type master;
file "/etc/bind/mp_rpz_dga.db";
};

zone "mp_rpz_malware" {
type master;
file "/etc/bind/mp_rpz_malware.db";
};

Add the following lines to “named.conf.options” under the “options” section, according to the zones you want to use:

response-policy {
zone "mp_rpz_c2";    zone "mp_rpz_dga";    zone "mp_rpz_malware"; };

Restart BIND with the following command: service bind9 restart

To make this set up effective, you should configure your customers’ DNS server(s) to point to this BIND instance. This can be easily achieved via DHCP. Still, customers may manually configure their systems to use external DNS servers, therefore bypassing this protection mechanism. To avoid that, apply firewall rules that properly deny traffic to external DNS servers.

This should be all you need to do. After that, browsers and applications that query your DNS server to resolve malicious domains will receive a safe response and won’t reach bad content.

If you experience any difficulties configuring BIND 9 to use Malware Patrol, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

Cisco ASA FirePOWER

“With Cisco ASA with FirePOWER Services, you consolidate multiple security layers in a single platform, eliminating the cost of buying and managing multiple solutions. This integrated approach combines best- in-class security technology with multilayer protection integrated in a single device that is less costly than piecemeal security solutions.” (http://www.cisco.com/c/dam/en/us/products/collateral/security/asa-firepower-services/at-a-glance-c45-732426.pdf)

Malware Patrol provides threat data compatible with Cisco ASA FirePOWER security intelligence feeds. There are three types of feeds that can be applied:

  • IP addresses: includes IP addresses of malware C&Cs as well as those resolved from malware and ransomware DGAs.

  • URLs: includes partial URLs used by malware and ransomware to contact command and control systems and drop zones.

  • Domains: includes registered active domains generated via DGAs for malware and ransomware.

You can follow these simple steps to configure your Cisco ASA FirePOWER to filter malicious IPs and protect the internal network, computers and users from getting infected by malware. The same procedure can be followed to filter URLs and domains.

 

1) Log in to Cisco FirePOWER Management Center.

 

2) Choose Objects > Object Management.

 

3) Expand the Security Intelligence node, then choose Network Lists and Feeds.

 

 

4) Click Add Network Lists and Feeds.

5) Enter a name for the feed (ex: MalwarePatrol_malicious_IPs).

6) Choose Feed from the Type drop-down list.

7) Enter the corresponding feed URL that can be found logging in to the Malware Patrol website.

8) Enter the corresponding feed MD5 URL that can be found logging in to the Malware Patrol website.

9) Choose the Update Frequency, we suggest one hour.

10) Choose Save.

 

 

11) Click Update Feeds.

 

 

12) Cisco ASA FirePOWER will automatically update the data feed at the chosen interval.

13) Choose Policies / Access Control and click New Policy.

14) Enter a meaningful Name and Description to the policy. The Default Actionmust be Block all traffic. On Available Devices select the devices that will be affected by the policy and click Add to Policy. When you are done, click Save.

 

 

15) A new policy will be created. Click on Security Intelligence.

16) On Available Objects / Networks select the object created previously (ex: MalwarePatrol_malicious_IPs), choose a zone from Available zones (Any is the default) and click on Add to Blacklist.

17) The object and corresponding policy were created successfully. You can follow the same steps to use the other data feeds we provide.

If you experience any difficulties configuring Cisco ASA FirePOWER to use Malware Patrol data feeds, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

ClamAV

“ClamAV is an open source ant-virus engine for detecting trojans, viruses, malware & other malicious threats.”

Malware Patrol provides signatures compatible with ClamAV. You can follow these simple steps to configure your ClamAV instance and protect the internal network, computers and users from getting infected by malware.

1) Make sure your ClamAV instance is installed and working properly. There are several resources on the Internet that can help you configure ClamAV in your platform. If you are experiencing trouble installing and configuring ClamAV, start at: http://www.clamav.net/documents/installing-clamav. You should also be able to use distribution specific tools like apt-get and yum to install ClamAV. For example: apt-get install clamav.

If you have Extremeshok’s clamav-unofficial-sigs properly installed, skip to step 14.

2) Install curl. For example: apt-get install curl

3) Install rsync. For example: apt-get install rsync

4) Install unzip. For example: apt-get install unzip

5) cd /tmp

6) wget -O clamav-unofficial-sigs.zip ‘https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip’

7) unzip /tmp/clamav-unofficial-sigs.zip

8) cp /tmp/clamav-unofficial-sigs-master/clamav-unofficial-sigs.sh /usr/local/bin

9) chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh

10) mkdir -p /etc/clamav-unofficial-sigs

11) cp /tmp/clamav-unofficial-sigs-master/config/master.conf /etc/clamav-unofficial-sigs/

12) cp /tmp/clamav-unofficial-sigs-master/config/user.conf /etc/clamav-unofficial-sigs/

13) cd /etc/clamav-unofficial-sigs/

14) edit /etc/clamav-unofficial-sigs/master.conf appropriately

malwarepatrol_enabled=”yes”

malwarepatrol_receipt_code=”YOUR-RECEIPT-NUMBER”

malwarepatrol_product_code=”8″
Use 8 if you have a Free account or 15 if you are a Premium customer.

malwarepatrol_list=”clamav_basic” # clamav_basic or clamav_ext

malwarepatrol_free=”yes”
Set to yes if you have a Free account or no if you are a Premium customer.

clam_user=”clamav”

clam_group=”clamav”

user_configuration_complete=”yes”

15) Clean unnecessary files: rm -rf /tmp/clamav-unofficial-sigs*

16) Execute the first update: /usr/local/bin/clamav-unofficial-sigs.sh

17) Configure a new cronjob to update ClamAV signatures every hour: MM * * * * /usr/local/bin/clamav-unofficial-sigs.sh

If you experience any difficulties configuring ClamAV to use Malware Patrol block lists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

Hermes SEG

Hermes Secure Email Gateway is a Free Open Source (Hermes SEG Community Only) Email Gateway that provides Spam, Virus and Malware protection, full in-transit and at-rest email encryption as well as email archiving.

Hermes Secure Email Gateway combines Open Source technologies such as Postfix, Apache SpamAssassin, ClamAV, Amavisd-new and CipherMail under one unified web based Web GUI for easy administration and management of your incoming and ougoing email for your organization.

It can be deployed to protect your in-house email solution as well as cloud email solutions such as Google Mail and Microsoft Office 365.

Hermes SEG supports the integration of the following 3rd party signature feeds:

  • Linux Malware Detect
  • Malware Patrol
  • Sanesecurity
  • SecuriteInfo
  • YaraRules”

Click here to access the configuration guide for Malware Patrol’s feeds, written and maintained by Hermes SEG. (Thanks deezteK!)

MineMeld

Palo Alto MineMeld is an “extensible Threat Intelligence processing framework and the ‘multi-tool’ of threat indicator feeds. Based on an extremely flexible engine, MineMeld can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or to the Palo Alto Networks security platforms.”

This versatile tool can be used to grab data feeds of IPs, URLs and domains and aggregate, deduplicate, process it and output the final result in formats suitable to in Palo Alto Networks products. MineMeld can also be configured to send data to Splunk.

Malware Patrol has determined the steps required to allow our customers to utilize our data feeds on MineMeld. The following steps are required to create a “miner”, a “processor” and finally an “output”. The entire process follows the logic of creating and configuring “prototypes” based on existing entities and later cloning them. Keep this in mind and the logic will be clearer as we move forward through each step.

We have created a specific Enterprise data feed for MineMeld consumption. You can find its URL in the evaluation or customer portal. If you are a current customer, please contact your Sales Manager to have the feed added to your portal. This configuration guide shows how to extract URLs from that feed. The same logic can be applied to create new a “miner”, “processor” and “output” for other indicators contained in the feed.

1) If you don’t have MineMeld installed and configured yet, you can download a preconfigured a virtual machine or the software’s source code from Github. Please visit the following URLs for more details:

a. https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld
b. https://live.paloaltonetworks.com/t5/MineMeld-Articles/Manually-install-MineMeld-on-Ubuntu-Server-16-04/ta-p/253336

2) Once you successfully log in to MineMeld, click on “Config” to view the current list of “miners”, “processors” and “output”.

Palo Alto MineMeld

3) To configure a new “miner prototype” we will use an existing miner. Click the blue icon on the lower right corner of the screen – named ‘browse prototypes’. In the search field, type ‘ssla’ and once the list is updated, select ‘sslabusech.ipblacklist’.

Palo Alto MineMeld

4) Once the “miner” configuration is displayed, click on ‘new’.

Palo Alto MineMeld

5) Make the necessary changes to each field according to the following image. Special attention must be taken to the field ‘CONFIG’ and the line ‘url’. This must be filled with the URL of Malware Patrol’s data feed for MineMeld data feed. As explained previously the address can be found in your evaluation or customer portal. After properly populating the fields, click ‘ok’.

Palo Alto MineMeld

6) You will see the new “miner prototype” created, click on it.

Palo Alto MineMeld

7) When the “miner” loads, click on “clone”.

Palo Alto MineMeld

8) Fill the two fields as shown in the following screenshot and click ‘ok’.

Palo Alto MineMeld

9) The screen will show all the available items, including the new miner. Click on ‘commit’ to push the changes. Wait a few seconds as some components of MineMeld will be restarted.

Palo Alto MineMeld

10) Click on ‘nodes’ and use the search field to look for ‘malwarepatrol’. You should see the new “miner”. Pay close attention to ‘indicators’ that should show an increasing amount of items pulled from our data feed.

Palo Alto MineMeld

11) To create the “processor prototype”, click on ‘config’ and then the blue icon on the lower right corner of the screen – named ‘browse prototypes’. Search for ‘processor’. In the list displayed, click on ‘stdlib.aggregatorFileName’

Palo Alto MineMeld

12) Click ‘new’ and fill the form fields according to the following screenshot and click ‘ok’.

Palo Alto MineMeld

13) Once the list of “prototypes” is shown, click on the newly created one and choose ‘clone’. Fill the form according to the next screenshot.

Palo Alto MineMeld

14) Clicking on ‘config’ you should see a screen similar to the following:

MineMeld screen shot

15) Now to create an “output prototype”, click the blue icon on the lower right corner of the screen – named ‘browse prototypes’. Search for ‘output’ and in the list that will be displayed, click ‘stdlib.dagPusher’.

MineMeld screen shot

16) Fill the form fields as in the following screenshot and click ‘ok’.

MineMeld screen shot

17) In the list that will be displayed, click the newly created “prototype”.

MineMeld screen shot

18) Click ‘clone’.

MineMeld screen shot

19) At this point, the list displayed should contain one new item for a “miner”, “processor” and “output”. Click on ‘commit’ to make the changes effective. Wait a few seconds as some components of MineMeld will be restarted.

MineMeld screen shot

20) Click on ‘nodes’ and search for ‘malwarepatrol’. You should see the three newly created items and the count of ‘indicators’ increasing. That shows that data is flowing from our data feed into the “miner”, “processor” and finally made ready by the “output”.

MineMeld screen shot

21) Clicking on “output” you can see details including the URL of the finalized feed that can be consumed by Palo Alto Networks systems.

MineMeld screen shot

22) For information on MineMeld and how to connect it with other Palo Alto Networks products and Splunk, please visit the following URLs.

• Create Dynamic Firewall Rules Based on MineMeld Threat Feeds: https://www.virtualizationhowto.com/2018/12/create-dynamic-firewall-rules-based-on-minemeld-threat-feeds/
• Create a MineMeld input in Splunk: https://splunk.paloaltonetworks.com/autofocus-and-minemeld.html
• Quick tour of MineMeld default config: https://live.paloaltonetworks.com/t5/MineMeld-Articles/Quick-tour-of-MineMeld-default-config/ta-p/72042
• Using MineMeld to Create a Custom Miner: https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-MineMeld-to-Create-a-Custom-Miner/ta-p/227694
• Developer’s Guide: https://github.com/PaloAltoNetworks/minemeld/wiki/Developer’s-Guide

If you encounter any difficulties during the configuration process, feel free to contact our tech support at support(at)malwarepatrol.net. Configuration guides for other systems can be found on our Tech Support page.

pfSense / pfBlockerNG

Malware Patrol provides block lists compatible with pfBlockerNG, a package for pfSense version 2.x that allows the usage of custom block list, IP filtering, and country block functionalities.

You can follow these simple steps to configure your pfBlockerNG to filter malicious URLs and protect the internal network, computers and users from getting infected by malware and ransomware.

1) Log in to pfSense GUI.

pfsense system  

2) Choose System > Package Manager.

pfsense system

 

 3) Choose Available packages then scroll down to pfBlockerNG and clock Save.

pfsense system

 

4) Once the package is installed, choose Firewall > pfBlockerNG.

pfsense system

 

5) On the General tab, enable the following options:

  • Enable pfBlockerNG

  • De-Duplication

  • CIDR Aggregation

  • Suppression

  • Global Logging (optional)

You may also need to adjust Interface/Rules Configuration depending on your set up.

pfsense system

 

6) Choose DNSBL from the pfBlockerNG menu. Check Enable DNSBL. And under IP Firewall Rule Setting select Deny Outbound. Click Save.

pfsense system

 

7) Click DNSBL Feeds then click +Add.

pfsense system

 

8) Enter Malware Patrol as the DNS GROUP Name.

9) Under DNSBL Source enter your URL for the pfBlockerNG block list provided by Malware Patrol. The address can be found by logging in to your account with Malware Patrol. Enter a label, MP-Aggressive for example and click +Add.

10) Set List Action to Unbound and Update Frequency to Every hour (for Malware Patrol Premium members only). Click Save.

pfsense system

 

11) Click Save.

pfsense system

 

12) Choose Update from the pfBlockerNG menu. Select the Select “Force” option and mark Update, then click Run.

pfsense system

 

13) The logs should present messages similar to the following:

pfsense system

 

If you experience any difficulties configuring pfBlockerNG with Malware Patrol’s block lists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net. Our special thanks to F34RInc for helping put together this configuration guide.

SpamAssassin

Malware Patrol provides block lists compatible with SpamAssassin.
Apache SpamAssassin is the #1 Open Source anti-spam platform giving system administrators a filter to classify email and block spam (unsolicited bulk email).

It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.

Apache SpamAssassin is a project of the Apache Software Foundation (ASF).”
You can follow these simple steps to configure your SpamAssassin to filter malicious URLs and protect your network, computers, and users from getting infected by malware.

1) Make sure your SpamAssassin instance is installed and working properly. There are several resources on the Internet that can help you configure it in your platform. If you are experiencing trouble installing and configuring SpamAssassin, start at: https://spamassassin.apache.org/

2) On the server running SpamAssassin, create a file called malware_patrol_update.sh choosing where to place it, like:
# mkdir /root/sh
# vi /root/sh/malware_patrol_update.sh

3) Log into your account with Malware Patrol and look for SpamAssassin. Right click on “download” and select “Copy link location”. You will need this URL on the next step.

4) Paste the following command into the newly created file, substituting _URL_YOU_JUST_COPIED_ with the URL you copied in the previous step:

wget --no-check-certificate -O /etc/mail/spamassassin/99_malware_patrol_blocklist.cf '_URL_YOU_JUST_COPIED_'

Feel free to customize the output filename. SpamAssassin configuration files are read in an alphanumerical order, meaning 70_*.cf will be read before 99_*.cf.

5) It is very important to make sure that the URL you have copied from your account with Malware Patrol is enclosed in single quotes.

6) Add the following line to the file and save it:

systemctl restart spamassassin.service

If Amavisd is used (so SpamAssassin is managed by it) use the following line instead and save it:

systemctl restart amavisd.service

7) Add execute permissions to the recently created file, executing this command:

# chmod +755 /root/sh/malware_patrol_update.sh

8) Execute the recently created file that will download the latest block list and restart SpamAssassin or Amavisd:

# /bin/sh /root/sh/malware_patrol_update.sh

9) Make sure the new file was correctly processed by SpamAssassin by running the following command:

# spamassassin -D --lint 2>&1 | grep "malware_patrol"
... dbg: config: read file /etc/mail/spamassassin/99_malware_patrol_blocklist.cf

10) You should now create a cron job to automatically update the Malware Patrol block list. The following command should be executed every hour:

/bin/sh /root/sh/malware_patrol_update.sh

Please choose minutes not close to 00, 01 and 59 for your cron job.

If you experience any difficulties configuring SpamAssassin to use Malware Patrol block lists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
Special thanks to Malware Patrol user fRANz for writing this guide.

Squid3 Web Proxy

Squid is a proxy for the Web that provides extensive access control lists, reduces bandwidth consumption and improves response times by caching and reusing frequently requested web pages. It runs on most available operating systems, including Linux and Windows. It is licensed under the GNU GPL.

Malware Patrol provides block lists compatible with Squid3. You can follow these simple steps to configure your Squid instance and protect the internal network, computers and users from getting infected by malware.

1) Make sure your Squid3 instance is installed and working properly. There are several resources on the Internet that can help you configure Squid3 in your platform. If you are experiencing trouble installing and configuring Squid3, start at: http://www.squid-cache.org/.

2) On the server running Squid3, create a file called /etc/squid3/malware_patrol_update.sh. For example: vi /etc/squid3/malware_patrol_update.sh

3) Log into your account with Malware Patrol and look for Squid Web Proxy ACL. Right click on “download” and select “Copy link location”, you will need this URL on the next step.

4) Paste the following command into the newly created file, substituting _URL_YOU_JUST_COPIED_ by the URL you have copied on the previous step: wget –no-check-certificate -O /etc/squid3/malware_patrol_blocklist ‘_URL_YOU_JUST_COPIED_’

5) It is very important to make sure that the URL you have copied from your account with Malware Patrol is enclosed in single quotes. For example: wget –no-check-certificate -O /etc/squid3/malware_patrol_blocklist ‘https://lists.malwarepatrol.net/cgi/getfile?receipt=01234567890&product=13&list=squid’

6) Add the following line to the file and save it: /usr/sbin/squid3 -k reconfigure

7) Add execute permissions to the recently created file, executing this command: chmod +755 /etc/squid3/malware_patrol_update.sh

8) Now we need to configure Squid3 to use the block list. Edit the file /etc/squid3/squid.conf. For example: vi /etc/squid3/squid.conf

9) Add the following lines to the file, at the appropriate sections:
acl malware url_regex -i “/etc/squid3/malware_patrol_blocklist”
http_access deny malware
deny_info http://www.malwarepatrol.net/denied.shtml malware

10) Execute the recently created file that will download the latest block list and restart Squid: /bin/sh /etc/squid3/malware_patrol_update.sh

11) Notice that Squid3 will take longer than usual to start because it needs to read thousands of entries that will protect you from malware infections.

12) You should now configure a cronjob to automatically update the Malware Patrol block list. The following command should be executed every hour: /bin/sh /etc/squid3/malware_patrol_update.sh. Please choose minutes not close to 00, 01 and 59.

If you experience any difficulties configuring Squid3 to use Malware Patrol block lists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

From the Blog

online privacy

Is Online Privacy the Next Phase of Globalization

Google’s first privacy fine post-GDPR sounds substantial. $57 million could certainly buy a first-class infosec infrastructure for a medium-sized company and keep many payrolls rolling out for...

Phishing’s Next Wave: AI-Enabled Tactics for Attackers and Cybersecurity Pros

Cybercrime steals an estimated $600 billion from the global economy every year. In the next several years we can expect that number to reach well into the trillions. Phishing and spear phishing...
Silex malware

Infosec Articles (6/13/19 – 6/27/19)

New activity by Silex malware and one that uses InterPlanetary File System’s (IPFS) p2p network made the news over the last couple of weeks. An article by IT Governance explains angler phishing....
RPZ DNS

DNS RPZ Firewall Configuration Guide

BIND is the world’s most used DNS server and can be configured as a DNS Firewall using RPZ files (DNS RPZ). Response Policy Zone (RPZ) enables DNS administrators to selectively block...

Infosec Articles (8/11/19 – 8/24/19)

Our selection of the most recent infosec articles from around the web, including a vulnerability, a malware and a phishing attack all directed at Microsoft users. Sucuri reports an increase in...
antimalware security apps

Infosec Articles (4/14/19 – 4/28/19)

DNS hijacking is a worrisome threat for all Internet users and seems to be on the rise. There's a new (free) tool from the National Cyber Security Centre to help businesses simulate and test their...
clamAV

Clam AV Software Configuration Guide

“Clam AV is an open source ant-virus engine for detecting trojans, viruses, malware & other malicious threats.” Malware Patrol provides signatures that are compatible with Clam AV software....
Best Practice

Spoofed DDoS Attacks and BCP 38

The majority of recent DDoS attacks utilize source address spoofing techniques. These spoofed DDos attacks complicate mitigation efforts and hide the IP address of the originating...
SpamAssassin

SpamAssassin Configuration Guide

Malware Patrol provides block lists compatible with SpamAssassin.   "Apache SpamAssassin is the #1 Open Source anti-spam platform giving system administrators a filter to classify...
point-of-sale malware

Infosec Articles (2/29/19 – 3/14/19)

Over the last couple of weeks we've seen point-of-sale malware making its way to the top of the threats list, at least in terms of headlines and focus. A rather shocking discovery was a PDF flaw...

Infosec Articles (4/29/19 – 5/13/19)

Ransomware has been a hot topic the last couple of weeks. We're seeing its versatility, with distribution techniques spanning server vulnerabilities to advertising platforms, along with the use of...
C2s

Command and Control Servers: Fundamentals and a Few Details

Few topics in current cybersecurity generate as much press as command and control servers (C2s). They enable the cybercrime that often affects companies and individuals far outside the IT industry.

fight ransomware

Infosec Articles (5/28/19 – 6/12/19)

Articles from the last couple of weeks reveal interesting new research about a method to fight ransomware by using flash-based storage on devices to save files. That's especially good news because...
Linux security

Infosec Articles (1/15/19 – 1/29/19)

Linux security has taken its place among the most pressing security concerns in the industry, as explained in an article by UPI. Emotet evolves and Office documents continue to be infection...
Infosec Articles (10/01/2018- 10/14/2018)

Infosec Articles (10/2/2018 – 10/15/2018)

Infosec articles we found in the first half of October 2018. We have included an article on what to do after a breach. Learn about malicious code can that be used to create a cryptominer, about the GPlayed trojan that poses as Google Play, and more. 

cryptominer

Infosec Articles – April 2018

We are thankful that so many companies and individual researchers take the time to publish articles about the latest threats. And when they share IOCs, it's even better! We've put together some of...

Infosec Articles (8/1/18 – 8/13/18)

A couple of updates on the Emotet trojan are among the highlights of our selected infosec articles from August 2018. Other important information includes Russian cyber attacks targeting U.S....
vulnerabilities

Infosec Articles (7/28/19 – 8/10/19)

Our handpicked selection of the most recent infosec articles from around the web, including vulnerabilities found in Siemens and WhatsApp. The ACSC published an informative password spraying...
antimalware

Role of DGAs in Malware and Ransomware Campaigns

The vast majority of active malware and ransomware families include some sort of communication with command and control systems (C&Cs). This connection allows them to...
pfsense logo

pfSense Configuration Guide

pfSense software is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface. In addition to being a...

Infosec Articles (9/4/18 – 9/16/18)

A few of our favorite infosec articles from the past few weeks. Learn about Android botnet “Black Rose Lucy” and about the“BlueBorne” bluetooth exploit. Read how the Necurs Botnet, DarkHydrus and other threat actors are turning to inconspicuous files to peddle malspam.

credit card fraud

Infosec Articles – May 2018

A selection of our favorite infosec articles from May 2018. Cryptocurrency-mining makes its regularly scheduled appearance, and for some 'fun' reading, check out the SecureList article "History of...
mysterybot malware

Infosec Articles – June 2018

We've compiled a few of our favorite recent infosec articles from the best sources in the industry. Keep reading to learn about a decryptor tool for Everbe ransomware, malicious code ADB.miner, and...
Linux security

Infosec Articles (10/16/2018 – 10/28/2018)

Read some of the most interesting and useful infosec articles we came across during the last half of October 2018. We have included information on exploits of servers with Hadoop installations, a...
cybersecurity resources

DDoS Reflection and Amplification Attacks

Reflection and amplification are mechanisms commonly used in DDoS attacks. These simple and very effective techniques gained popularity around 2013. They take advantage of publicly accessible UDP...

Infosec Articles (3/15/19 – 3/29/19)

The last couple of weeks provided the security community with a wide variety of topics, from an AV Comparatives study on antimalware security apps in the Google Play Store to new features and...
DNS

Why choose Malware Patrol over a free DNS protection service?

Customers and prospects have approached us recently with questions similar to this: why should we choose Malware Patrol instead of a free DNS protection service? The question is fair, especially in...
AWS s3 buckets

Accessing threat data on AWS S3 buckets

Malware Patrol provides some of its threat data feeds via Amazon / AWS S3 buckets. Among the feeds are the "Malware Samples (Binaries)" and the "Bitcoin Transactions (JSON format)"....
L0rdix malware

Infosec Articles (11/21/2018 – 11/27/2018)

Our handpicked selection of the most recent infosec articles from around the web. L0rdix malware is available for sale in underground forums and there's JavaScript that can even track when using...

Infosec Articles (5/13/19 – 5/27/19)

An article from IBM Security about macro malware is one of our favorites from the last couple of weeks. It covers some of the attack vector's history and provides tips for how to detect this kind...
email security

Be Smart – 419 Nigerian Email Scams

Nigerian Email Scams Malware Patrol's spam traps and honeypots capture messages and malicious URLs from all sorts of email scams and spam. One of the most well known is called the 419 or...
botnet

Infosec Articles (9/9/19 – 9/23/19)

Read our hand-picked selection of the latest security articles in which botnets and RATs make frequent appearances. Despite the changes in the industry earlier this year when Coinhive closed shop,...

InfoSec Articles (11/8/19 – 11/22/19)

Ransomware takes the spotlight this time showing up targeting Windows users, production servers and, specifically, drives commonly associated with removable devices and mapped network drives. For...
new MacOS Malware

Infosec Articles (8/14/18 – 9/3/18)

Read a few interesting CyberSecurity news articles from the past few weeks, including an update on a rootkit named CEIDPageLock being distributed by the RIG Exploit kit, Mozilla’s plan to distrust TLS certificates issued by Symantec, new MacOS malware, and more.

Windows

Infosec Articles (1/30/19 – 2/13/19)

Our top picks for industry articles include a detailed explanation of fileless malware by the folks at Trend Micro. A great reference for those collecting threat data is the piece on Windows file...

Newsletter

Sign up to receive occasional updates and cybersecurity news.
 
Newsletter - Sidebar


Connect With Us


 

Blog Posts by Category