+1.813.321.0987

Tech Support


Support Options

For technical questions, please email support (@) malwarepatrol.net.

If you are an Enterprise customer, contact your Account Manager for assistance.

For commercial data inquiries, visit our services page to determine the best option for your needs. Or, schedule a chat with us here.

Configuration Guides

We offer configuration guides for the tools listed below to help users integrate Malware Patrol’s fresh and dependable data into their favorite security tools. For additional assistance, you may send an email to support (@) malwarepatrol.net.

Please note: We do NOT offer support for Free Guard blocklists. Support for Basic Defense blocklists is limited. Responses may take several days, depending on our team’s availability. Our Business Protect and Enterprise commercial customers receive priority support.

Want free data?

To earn a free LIFETIME Basic Guard blocklist account – for non-commercial purposes only – send us set-up instructions for a new software/tool that we can feature on this page. Use our contact form for this purpose.

 

BIND9 RPZ - DNS Firewall (DNS Firewall & Enterprise Customers)

BIND is the world’s most used DNS server and can be configured as a DNS Firewall using RPZ zone files. Response Policy Zone (RPZ) enables DNS administrators to selectively block name resolution of Internet resources known to be used by cyber criminals.

Malware Patrol provides seven zone files compatible with BIND9 RPZ:

  • COVID-19 Newly Registered Domains
  • C2s
  • Cryptominers
  • DGAs
  • DNS-over-HTTPS Servers
  • Malware
  • Phishing

DNS queries for domains in these zones return a special page that advises users why the access was blocked. You can implement any or all zone files at your discretion. Follow these simple steps to configure your BIND9 instance and protect the internal network, computers and users.

Please be advised that the usage of the “malware” RPZ zone may result in blocking large well known websites that are actively hosting malware and ransomware samples. The use of the “DGAs” and “C&Cs” zone files is less likely to deny access to renowned websites.

1) Make sure your BIND9 is installed and working properly. There are several resources on the Internet that can help you install it depending on your platform. If you are experiencing trouble, start at: https://www.isc.org/downloads/bind/. You should also be able to use distribution specific tools like apt-get and yum. For example: apt-get install bind9.

2) Determine the path to the configuration files used by BIND. This most likely will be /etc/bind or /etc/named. One way to find the path is to issue this command: find / -name named.conf

3) Notice: the path /etc/bind will be used throughout this How To. Please adapt the commands shown here if your path is different.

4) Change to the directory that contains BIND configuration files, for example: cd /etc/bind

5) Set up cron jobs to regularly download the appropriate zone file(s) to the BIND configuration directory. URLs for the zone files can be found in your Business Protect data feeds page. The DNS RPZ Firewall data feeds are updated every hour. You can use the MD5 hashes to validate the file’s integrity.

Add the following lines to “named.conf.default-zones”, according to the zones you want to use:

zone "mp_rpz_c2" {
type master;
file "/etc/bind/mp_rpz_c2.db";
};

zone "mp_rpz_covid19" {
type master;
file "/etc/bind/mp_rpz_covid19.db";
};

zone "mp_rpz_crypto_miner" {
type master;
file "/etc/bind/mp_rpz_crypto_miner.db";
};

zone "mp_rpz_dga" {
type master;
file "/etc/bind/mp_rpz_dga.db";
};

zone "mp_rpz_malware" {
type master;
file "/etc/bind/mp_rpz_malware.db";
};

zone "mp_rpz_phish" {
type master;
file "/etc/bind/mp_rpz_phish.db";
};

Add the following lines to “named.conf.options” under the “options” section, according to the zones you want to use:

response-policy {
    zone "mp_rpz_c2";
    zone "mp_rpz_dga";
    zone "mp_rpz_malware";
};

Restart BIND with the following command: service bind9 restart

To make this setup effective, you should configure your customers’ DNS server(s) to point to this BIND instance. This can be easily achieved via DHCP. Still, customers may manually configure their systems to use external DNS servers, thereby bypassing this protection mechanism. To avoid that, apply firewall rules that deny traffic to external DNS servers.

This should be all you need to do. After that, browsers and applications that query your DNS server to resolve malicious domains will receive a safe response and will not reach bad content.
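The hourly download and MD5 check from step 5, written as a script a cron job can call (an added example, not Malware Patrol's own code): it stages the zone file, compares it with the published MD5, and only then swaps the live file and reloads the zone. It assumes the MD5 URL returns the hex digest as its first token, and it uses named-checkzone and rndc reload in place of a full service restart; ZONE_URL and MD5_URL stand for the URLs in your data feeds page.

```shell
#!/bin/sh
# Added example: staged update of one Malware Patrol RPZ zone for BIND9.
# Assumptions: the MD5 URL returns the hex digest as its first token, and
# named-checkzone and rndc (both shipped with BIND9) are on PATH.
# Cron usage (ZONE_URL and MD5_URL are placeholders):
#   MM * * * * /usr/local/sbin/mp-rpz-update.sh mp_rpz_c2 'ZONE_URL' 'MD5_URL'

BIND_DIR="${BIND_DIR:-/etc/bind}"

# verify_zone STAGED_FILE MD5_FILE
# Succeeds only if the download is non-empty and matches the published MD5.
# MD5 here detects truncated or corrupted transfers; authenticity of the
# source comes from wget's TLS certificate check, which stays enabled.
verify_zone() {
    vz_file="$1"; vz_md5="$2"
    [ -s "$vz_file" ] || { echo "empty download: $vz_file" >&2; return 1; }
    vz_want=$(awk 'NR == 1 { print tolower($1); exit }' "$vz_md5")
    case "$vz_want" in
        ""|*[!0-9a-f]*) echo "no MD5 digest in $vz_md5" >&2; return 1 ;;
    esac
    [ "${#vz_want}" -eq 32 ] || { echo "no MD5 digest in $vz_md5" >&2; return 1; }
    vz_got=$(md5sum "$vz_file" | awk '{ print tolower($1) }')
    [ "$vz_got" = "$vz_want" ] || { echo "MD5 mismatch for $vz_file" >&2; return 1; }
}

# install_zone STAGED_FILE MD5_FILE DEST
# Verifies first, then swaps DEST with a rename inside the same directory so
# named never reads a half-written zone. DEST is untouched on any failure.
install_zone() {
    verify_zone "$1" "$2" || return 1
    iz_tmp="$3.new.$$"
    cp "$1" "$iz_tmp" && mv -f "$iz_tmp" "$3" || { rm -f "$iz_tmp"; return 1; }
}

# update_zone ZONE_NAME ZONE_URL MD5_URL
# Download, syntax-check, verify and install, then reload only that zone.
update_zone() {
    uz_dir=$(mktemp -d) || return 1
    uz_rc=1
    if wget -q -O "$uz_dir/zone.db" "$2" &&
       wget -q -O "$uz_dir/zone.md5" "$3" &&
       named-checkzone "$1" "$uz_dir/zone.db" >/dev/null &&
       install_zone "$uz_dir/zone.db" "$uz_dir/zone.md5" "$BIND_DIR/$1.db"
    then
        rndc reload "$1" && uz_rc=0
    fi
    rm -rf "$uz_dir"
    return "$uz_rc"
}

# demo: constructed zone content, installed into a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '$TTL 300' \
        '@ SOA localhost. root.localhost. 1 3600 600 86400 300' \
        '@ NS localhost.' 'blocked.example A 192.0.2.1' > "$d/zone.db"
    md5sum "$d/zone.db" > "$d/zone.md5"
    install_zone "$d/zone.db" "$d/zone.md5" "$d/mp_rpz_c2.db" && echo "installed"
    echo "truncated" > "$d/zone.db"
    install_zone "$d/zone.db" "$d/zone.md5" "$d/mp_rpz_c2.db" ||
        echo "rejected, live file kept"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
elif [ "$#" -eq 3 ]; then
    update_zone "$@"
fi
```

A failed or partial download leaves the previous zone file in place, so the resolver keeps serving the last good policy.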

If you experience any difficulties configuring BIND9 to use Malware Patrol, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

BIND9 (Enterprise Customers)

Bind is the world’s most used DNS server.

Malware Patrol provides a zone file compatible with Bind9. Its usage as a DNSBL (DNS blacklist) denies access to domains that are involved in malware and ransomware activities. DNS queries for malicious domains return the loopback address (127.0.0.1) preventing access to download malicious binaries, to relay stolen data and to contact command and control servers. You can follow these simple steps to configure your Bind9 instance and protect the internal network, computers and users from getting infected by malware.

Please be advised that we have noticed that Bind on CentOS 7 is somehow limited in the number of zones it can load and therefore doesn’t work well with our blocklist. If you have trouble loading the zone file or Bind exits unexpectedly, this may be the reason; contact our tech support.

1) Make sure your Bind9 is installed and working properly. There are several resources on the Internet that can help you install it depending on your platform. If you are experiencing trouble, start at: https://www.isc.org/downloads/bind/. You should also be able to use distribution specific tools like apt-get and yum. For example: apt-get install bind9.

2) Determine the path to the configuration files used by Bind. This most likely will be /etc/bind or /etc/named. One way to find the path is to issue this command: find / -name named.conf

3) Notice: the path /etc/bind will be used throughout this How-To. Please adapt the commands shown here if your path is different.

4) Change to the directory that contains Bind configuration files, for example: cd /etc/bind

5) Download Malware Patrol’s zone file:

wget -O /etc/bind/blackhole.malwarepatrol.zone 'https://malwarepatrol.net/pub/20160707/blackhole.malwarepatrol.zone'

6) Add the following line to the end of the file /etc/bind/named.conf

include "/etc/bind/blackhole.malwarepatrol.conf";

7) Execute the first update:

/usr/bin/wget --no-check-certificate -qO- '_URL_TO_BIND_BLOCK_LIST_' | sed 's|mbl.zone.file|/etc/bind/blackhole.malwarepatrol.zone|g' > /etc/bind/blackhole.malwarepatrol.conf

notice 1: don’t forget to change the command line if your path is not /etc/bind

notice 2: don’t forget to change the _URL_TO_BIND_BLOCK_LIST_ parameter to your custom URL. To find the correct address, log in to your account, right click on the “download” link for the Bind blocklist and choose “Copy link location”.

8) Restart Bind with the following command: service bind9 restart

9) Configure a new cronjob to update the Bind zone every hour:

MM * * * * /usr/bin/wget --no-check-certificate -qO- '_URL_TO_BIND_BLOCK_LIST_' | sed 's|mbl.zone.file|/etc/bind/blackhole.malwarepatrol.zone|g' > /etc/bind/blackhole.malwarepatrol.conf ; service bind9 restart

To make this setup effective, you should configure your customers’ DNS server(s) to point to the new Bind. This can be easily achieved via DHCP. Still, customers may manually configure their systems to use external DNS servers, thereby bypassing this protection mechanism. To avoid that, apply firewall rules that deny traffic to external DNS servers.

If you experience any difficulties configuring Bind9 to use Malware Patrol, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

Cisco ASA FirePOWER (Enterprise Customers)

“With Cisco ASA with FirePOWER Services, you consolidate multiple security layers in a single platform, eliminating the cost of buying and managing multiple solutions. This integrated approach combines best-in-class security technology with multilayer protection integrated in a single device that is less costly than piecemeal security solutions.” (http://www.cisco.com/c/dam/en/us/products/collateral/security/asa-firepower-services/at-a-glance-c45-732426.pdf)

Malware Patrol provides threat data compatible with Cisco ASA FirePOWER security intelligence feeds. There are three types of feeds that can be applied:

  • IP addresses: includes IP addresses of malware C&Cs as well as those resolved from malware and ransomware DGAs.

  • URLs: includes partial URLs used by malware and ransomware to contact command and control systems and drop zones.

  • Domains: includes registered active domains generated via DGAs for malware and ransomware.

You can follow these simple steps to configure your Cisco ASA FirePOWER to filter malicious IPs and protect the internal network, computers and users from getting infected by malware. The same procedure can be followed to filter URLs and domains.

 

1) Log in to Cisco FirePOWER Management Center.


 

2) Choose Objects > Object Management.


 

3) Expand the Security Intelligence node, then choose Network Lists and Feeds.


 

4) Click Add Network Lists and Feeds.

5) Enter a name for the feed (ex: MalwarePatrol_malicious_IPs).


6) Choose Feed from the Type drop-down list.

7) Enter the corresponding feed URL, which can be found by logging in to the Malware Patrol website.

8) Enter the corresponding feed MD5 URL, which can be found by logging in to the Malware Patrol website.

9) Choose the Update Frequency; we suggest one hour.

10) Choose Save.


 

 

11) Click Update Feeds.


 

 

12) Cisco ASA FirePOWER will automatically update the data feed at the chosen interval.

13) Choose Policies / Access Control and click New Policy.


 

 

14) Enter a meaningful Name and Description for the policy. The Default Action must be Block all traffic. On Available Devices select the devices that will be affected by the policy and click Add to Policy. When you are done, click Save.

 

 

15) A new policy will be created. Click on Security Intelligence.

16) On Available Objects / Networks select the object created previously (ex: MalwarePatrol_malicious_IPs), choose a zone from Available zones (Any is the default) and click on Add to Blacklist.

17) The object and corresponding policy were created successfully. You can follow the same steps to use the other data feeds we provide.

If you experience any difficulties configuring Cisco ASA FirePOWER to use Malware Patrol data feeds, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

ClamAV (All Customers)

“ClamAV is an open source anti-virus engine for detecting trojans, viruses, malware & other malicious threats.”

Malware Patrol provides signatures compatible with ClamAV. You can follow these simple steps to configure your ClamAV instance and protect the internal network, computers and users from getting infected by malware.

1) Make sure your ClamAV instance is installed and working properly. There are several resources on the Internet that can help you configure ClamAV in your platform. If you are experiencing trouble installing and configuring ClamAV, start at: http://www.clamav.net/documents/installing-clamav. You should also be able to use distribution specific tools like apt-get and yum to install ClamAV. For example: apt-get install clamav.

If you have Extremeshok’s clamav-unofficial-sigs properly installed, skip to step 14.

2) Install curl. For example: apt-get install curl

3) Install rsync. For example: apt-get install rsync

4) Install unzip. For example: apt-get install unzip

5) cd /tmp

6) wget -O clamav-unofficial-sigs.zip 'https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip'

7) unzip /tmp/clamav-unofficial-sigs.zip

8) cp /tmp/clamav-unofficial-sigs-master/clamav-unofficial-sigs.sh /usr/local/bin

9) chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh

10) mkdir -p /etc/clamav-unofficial-sigs

11) cp /tmp/clamav-unofficial-sigs-master/config/master.conf /etc/clamav-unofficial-sigs/

12) cp /tmp/clamav-unofficial-sigs-master/config/user.conf /etc/clamav-unofficial-sigs/

13) cd /etc/clamav-unofficial-sigs/

14) edit /etc/clamav-unofficial-sigs/master.conf appropriately

malwarepatrol_enabled="yes"

malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER"

malwarepatrol_product_code="32"
Use 32 if you have a Free Guard account, 34 for Basic Defense monthly, 33 for Basic Defense yearly, and 37 for Basic Defense EDU/Contributor (Free) accounts. Business Protect and Enterprise customers will access via links in their customer portals.

malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext

malwarepatrol_free="yes"
Set to yes if you have a Free Guard account or no if you are a Basic Defense customer.

clam_user="clamav"

clam_group="clamav"

user_configuration_complete="yes"

15) Clean unnecessary files: rm -rf /tmp/clamav-unofficial-sigs*

16) Execute the first update: /usr/local/bin/clamav-unofficial-sigs.sh

17) Configure a new cronjob to update ClamAV signatures every hour: MM * * * * /usr/local/bin/clamav-unofficial-sigs.sh

If you experience any difficulties configuring ClamAV to use Malware Patrol blocklists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

FortiGate Configuration Guide (Enterprise Customers)

FortiGate NGFWs deliver industry-leading enterprise security for any edge at any scale with full visibility and threat protection. Organizations can weave security deep into the hybrid IT architecture and build security-driven networks to achieve:

  • Ultra-fast security, end to end
  • Consistent real-time defense with FortiGuard Services
  • Excellent user experience with security processing units
  • Operational efficiency and automated workflows

Malware Patrol offers (5) feeds formatted for integration into the FortiGate Security Fabric (External Connectors/Threat Feeds). Customers can choose the feed(s) that meet their needs:

  • DNS-over-HTTPS (DoH) Servers (domains)
  • Malicious Domains
  • Malicious Hashes
  • Malicious IPs
  • Malware/Ransomware URLs

Watch the following video to learn more about the integration of Malware Patrol data feeds and Fortinet.

 

We have written configuration instructions for both connecting and enabling protection with Malware Patrol feeds. Please note that some of the functionalities covered in this guide require a subscription, such as FortiGuard AntiVirus for using Malicious Hashes.

Also, following the instructions in the FortiGate Administration Guide, we have mostly modified default settings and policies whenever adding Malware Patrol’s feeds. For logging or other purposes you may wish to create new ones instead. Additional resources are included at the end of this guide, including a link to FortiGate’s manual.

 

Adding external threat data feeds to FortiGate

1) From inside the FortiGate interface, select Security Fabric > External Connectors. For this configuration guide, we have already added the Malware Patrol Malicious Hashes feed as an example, seen below.

2) Click ‘Create New’

3) Scroll down to ‘Threat Feeds’ section

4) Select feed type to be added. Options are:

a. FortiGuard Category (for URL lists)
b. IP Address
c. Domain Name (for this example)
d. Malware Hash

5) Complete the following in the fields on the next page:

  • Feed name: We will use Malware Patrol Malicious Domains
  • URL: You can find the URL of the Malware Patrol Malicious Domains data feed in the evaluation or customer portal
  • Login credentials: Username and password for Malware Patrol evaluation or customer portal
  • Refresh rate: We use 61 minutes as our feeds are updated hourly

6) Click ‘OK’ to save. You will now see the new feed added to the list of connectors.

7) Click ‘Create New’ to add any additional feed(s) you have. Instructions for each are the same as the previous example. For the examples in this how-to, we use the names below:

a. FortiGuard Category (for URL lists) – Malware Patrol Malicious URLs
b. IP Address – Malware Patrol Malicious IPs
c. Domain Name – Malware Patrol Malicious Domains
d. Malware Hash – Malware Patrol Malicious Hashes

8) Click the refresh button and hover over any feed to see details, including number of valid/invalid entries

9) Click ‘View Entries’ to see the feed’s entries

 

Adding IP data feeds to firewall policies

1) Navigate to Policy & Objects > Firewall Policy

2) Click ‘Create New’

3) Complete the following in the fields on the next page:

  • Name: We will use Malware Patrol IP Deny List
  • Select incoming and outgoing interfaces: per your needs/environment
  • Source: ‘All’
  • Destination: Malware Patrol Malicious IPs list (menu appears on right, scroll down)
  • Schedule: ‘Always’
  • Service: ‘All’
  • Action: ‘Deny’

4) Click ‘OK’ to save. New policy will appear in list

FortiGate policy details: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/118003/policies

FortiGate video: https://youtu.be/dpvlQ0xU2NU

 

Adding an external malware blocklist (hashes) to the AntiVirus

1) Navigate to Security Profiles > AntiVirus

2) Click to edit the default profile

3) Enable ‘Use external malware block list’ (toward bottom of page). Also enable ‘Quarantine’ if desired.

4) Select ‘Specify’ in the ‘Virus Outbreak Prevention’

5) Click the + and select the Malware Patrol Malicious Hashes feed from the menu

 

6) Click ‘OK’ to save

FortiGate AntiVirus details: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/913906/external-blocklist-file-hashes

 

Adding a URL blocklist to the web filter

1) Navigate to Security Profiles > Web Filter

2) Click to edit the default profile

3) Select Malware Patrol Malicious URLs from FortiGuard Category Based Filter menu

4) Right click on ‘Disable’ and select ‘Block’ from dropdown menu

 

5) Click ‘OK’ to save

FortiGate Web Filter details: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/833698/web-filter

 

Adding a domain blocklist to the DNS filter

1) Navigate to Security Profiles > DNS Filter

2) Double click to edit the default profile

3) Select Malware Patrol Malicious Domains from FortiGuard Category Based Filter menu (scroll down to ‘Remote Categories’ section)

4) Right click on ‘Allow’ and select ‘Redirect to Block Portal’ from dropdown menu

 

5) Click ‘OK’ to save

FortiGate DNS Filter details: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/605868/dns-filter

 

Additional resources

FortiGate Administration Guide: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/954635/getting-started

FortiGate Administration Guide, threat data feeds: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/9463/threat-feeds

Excellent walk-through video for adding and enabling external threat feeds: Configure and use 3rd Party threat feeds on a FortiGate Firewall by GraniteDan https://youtu.be/CarI6_URN90

FortiSIEM Configuration Guide (Enterprise Customers)

Fortinet Configuration

Malware Patrol + FortiSIEM

Malware Patrol offers (5) Enterprise* feeds formatted for integration into FortiSIEM. This allows users to combine the quality of Fortinet’s SIEM security platform with the protection from our threat intelligence. Customers can choose the feed(s) that meet their needs:

*These feeds are not available for free or paid blocklists, or Business Protect customers. Find more details about our Enterprise offerings here.

We offer free evaluations of our Enterprise feeds, including those for FortiSIEM. To request your evaluation, complete our request form.

 

About FortiSIEM

“FortiSIEM brings together visibility, correlation, automated response, and remediation in a single, scalable solution. It reduces the complexity of managing network and security operations to effectively free resources, improve breach detection, and even prevent breaches. What’s more is that [the] architecture enables unified data collection and analytics from diverse information sources including logs, performance metrics, security alerts, and configuration changes. FortiSIEM combines the analytics traditionally monitored in separate silos of the security operations center (SOC) and network operations center (NOC) for a more holistic view of the security and availability of the business.”

“FortiGuard Threat Intelligence and Indicators of Compromise (IOC) and Threat Intelligence (TI) feeds from commercial, open source, and custom data sources integrate easily into the security TI framework. This grand unification of diverse sources of data enables organizations to rapidly identify root causes of threats, and take the steps necessary to remediate and prevent them in the future. Steps can often be automated with new Threat Mitigation Libraries for many Fortinet products.

External Threat Intelligence Integrations

  • APIs for integrating external threat feed intelligence — Malware domains, IPs, URLs, hashes, Tor nodes
  • Built-in integration for popular threat intelligence sources — ThreatStream, CyberArk, SANS, Zeus, ThreatConnect
  • Technology for handling large threat feeds — incremental download and sharing within cluster, real-time pattern matching with network traffic. All STIX and TAXII feeds are supported”

Adding External TI to FortiSIEM

The following are instructions to configure each of our data feeds on FortiSIEM version 6.4.0 (1412) using the web interface.

DNS-over-HTTPS (DoH) Domains

Benefits of the Malware Patrol DoH Data Feed

We developed this feed to help security teams monitor the use of DoH in their environment. Our tools actively search for new DoH servers on a continuous basis to keep this data fresh. DoH allows users to bypass the DNS-level controls and internet usage policies put in place to protect your network against known threats. Threat actors are taking advantage of this by using DoH for C2 server connections, for example. As such, both incoming and outgoing DoH traffic should be closely monitored for indications of malicious activity.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Domains from the menu on the left.

3) Click + button at the upper left-hand side of this side menu to add a new Malware Domains group.

4) Enter a group name. We will use Malware Patrol – DoH to distinguish this feed from the Malware Patrol Malicious Domains previously entered.

5) Click save. The Malware Patrol – DoH group will now appear under the Malware Domains section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the screen that pops up choose Update via API and click on the edit (pencil) button.

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol DoH feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

10) In the Data Mapping section, match the following:

  • Domain Name, Position 1
  • Description, Position 2
  • Last Seen, Position 3

11) Click Save

12) Click on the Schedule: + button

13) On the screen that pops up, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process to know which fields are available in the Malware Patrol feed.

Malicious Domains

Benefits of the Malware Patrol Malicious Domains Data Feed

This Malware Patrol feed contains domains actively involved in malicious activities. The data is derived from five of our Enterprise feeds: 1) Anti-Mining, 2) Command & Control (C2) Addresses, 3) Domain Names Generated via DGAs, 4) Malware & Ransomware URLs, and 5) Phishing URLs. Network traffic associated with these domains is highly likely to be malicious.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Domains from the menu on the left.

3) Click + button at the upper left-hand side of this side menu to add a new Malware Domains group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware Domains section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the screen that pops up choose Update via API.

9) Click on the edit (pencil) button for the URL.

10) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malicious Domains feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

11) In the Data Mapping section, match the following:

  • Domain Name, Position 1
  • Malware Type, Position 2
  • Description, Position 3
  • Date Found, Position 4
  • Last Seen, Position 5

12) Click Save

13) Click on the Schedule: + button

14) On the screen that pops up, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

15) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

16) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.    

Malicious IPs

Benefits of the Malware Patrol Malicious IPs Data Feed

This feed contains IP addresses known to actively host malicious files and C2 systems for malware and ransomware. Monitoring traffic destined to them is an effective network protection measure and provides valuable information for threat hunting purposes.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware IPs from the menu on the left.

3) Click + button at the upper left-hand side of this side menu to add a new Malware IPs group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware IPs section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the next screen, choose Update via API and click on the edit (pencil) button.

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malicious IPs feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

10) In the Data Mapping section, match the following:

  • Name, Position 1
  • Low IP, Position 2
  • Malware Type, Position 3
  • Description, Position 4
  • Date Found, Position 5
  • Last Seen, Position 6

11) Click Save

12) Click on the Schedule: + button

13) On the next screen, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.

Malware Hashes

Benefits of the Malware Patrol Malware Hashes Data Feed

This feed contains the SHA-1 hashes of malware and ransomware samples currently available on the internet. Encountering these signatures in your environment is a sign of malicious activity.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Hash from the menu on the left.

3) Click + button at the upper left-hand side of this side menu to add a new Malware Hash group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware Hash section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the next screen, choose Update via API and click on the edit (pencil) button.

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malware Hashes feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

10) In the Data Mapping section, match the following:

  • Description, Position 1
  • Algorithm, Position 2
  • HashCode, Position 3
  • Malware Type, Position 4
  • Date Found, Position 5
  • Last Seen, Position 6

11) Click Save

12) Click on the Schedule: + button

13) On the next screen, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.

Malware URLs

Benefits of the Malware/Ransomware URLs Data Feed

This feed contains URLs known to be hosting malware binaries. It is updated hourly to remove inactive URLs and add newly detected ones. Correlating this feed with network traffic can pinpoint a potential malware infection.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware URLs from the menu on the left.

3) Click the + button at the upper left-hand side of this menu to add a new Malware URLs group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware URLs section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the next screen, choose Update via API and click on the edit (pencil) button.

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malware URLs feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

10) In the Data Mapping section, match the following:

  • URL, Position 1
  • Malware Type, Position 2
  • Last Seen, Position 3

11) Click Save

12) Click on the Schedule: + button

13) On the next screen, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.

 

If you need any assistance with your FortiSIEM integration, please email support (@) malwarepatrol.net or contact your Account Manager.

Mikrotik (Enterprise Customers)

Malware Patrol provides a version of our Enterprise Malicious IPs and Malicious Domains data feeds compatible with Mikrotik.

“MikroTik is a Latvian company founded in 1996 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in most of the countries around the world. Our experience in using industry standard PC hardware and complete routing systems allowed us in 1997 to create the RouterOS software system that provides extensive stability, controls, and flexibility for all kinds of data interfaces and routing.”

You can follow these simple steps to configure your Mikrotik to filter malicious IPs and/or domains to protect your network, computers, and users from getting infected by malware and ransomware. This includes IPs and domains derived from C2s, DGAs and URLs hosting malware and ransomware binaries.

1) You will need the username and password provided to you by Malware Patrol. If you are evaluating, this will be your evaluation portal credentials. If you are a customer, you will use your account login details and portal URL.

2) Execute the following commands in Mikrotik’s CLI:

Malicious Domains

/system script add name="MP_UpdateMaliciousDomains" owner="admin" policy=ftp,read,write dont-require-permissions=no source={
/tool fetch url="https://_username_:[email protected]/feeds/files/MP_malicious_domains.mikrotik.rsc" mode=https

/ip firewall address-list remove [find where comment="MP_Malicious_domain"]
/import file-name=MP_malicious_domains.mikrotik.rsc ;
}

/ip firewall filter add chain=forward action=drop protocol=tcp dst-address-list=MP_MaliciousDomains log=yes log-prefix="Blocked_by_MP_MaliciousDomains"

/system scheduler add name=MP_UpdateMaliciousDomainsFeed interval=1h on-event=MP_UpdateMaliciousDomains owner=admin policy=ftp,read,write

Malicious IPs

/system script add name="MP_UpdateMaliciousIPs" owner="admin" policy=ftp,read,write dont-require-permissions=no source={
/tool fetch url=https://_username_:[email protected]/feeds/files/MP_malicious_ips.mikrotik.rsc mode=https

/ip firewall address-list remove [find where list=MP_MaliciousIPs]
/import file-name=MP_malicious_ips.mikrotik.rsc;
}

/ip firewall filter add chain=forward action=drop protocol=tcp dst-address-list=MP_MaliciousIPs log=yes log-prefix="Blocked_by_MP_MaliciousIPs"

/system scheduler add name=MP_UpdateMaliciousIPsFeed interval=1h on-event=MP_UpdateMaliciousIPs owner=admin policy=ftp,read,write

The code above will create a script that downloads and updates the Malicious IPs and/or Malicious Domains list. The system scheduler portion will schedule the download and update processes to happen on an hourly basis. We advise this frequency because our lists are updated every hour.

If you encounter any difficulties during the configuration process, feel free to contact our tech support at support (@) malwarepatrol.net

Configuration guides for other systems can be found on our Tech Support page.

 

MineMeld (Enterprise Customers)

“Palo Alto MineMeld is an extensible Threat Intelligence processing framework and the multi-tool of threat indicator feeds. Based on an extremely flexible engine, MineMeld can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or to the Palo Alto Networks security platforms.”

This versatile tool can be used to grab data feeds of IPs, URLs and domains, then aggregate, deduplicate and process them and output the final result in formats suitable for Palo Alto Networks products. MineMeld can also be configured to send data to Splunk.

Malware Patrol has determined the steps required to allow our customers to utilize our data feeds on MineMeld. The following steps are required to create a “miner”, a “processor” and finally an “output”. The entire process follows the logic of creating and configuring “prototypes” based on existing entities and later cloning them. Keep this in mind and the logic will be clearer as we move forward through each step.

We have created a specific Enterprise data feed for MineMeld consumption. You can find its URL in the evaluation or customer portal. If you are a current customer, please contact your Sales Manager to have the feed added to your portal. This configuration guide shows how to extract URLs from that feed. The same logic can be applied to create a new “miner”, “processor” and “output” for other indicators contained in the feed.

1) If you don’t have MineMeld installed and configured yet, you can download a preconfigured virtual machine or the software’s source code from GitHub. Please visit the following URLs for more details:

a. https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld
b. https://live.paloaltonetworks.com/t5/MineMeld-Articles/Manually-install-MineMeld-on-Ubuntu-Server-16-04/ta-p/253336

2) Once you successfully log in to MineMeld, click on “Config” to view the current list of “miners”, “processors” and “output”.

Palo Alto MineMeld

3) To configure a new “miner prototype” we will use an existing miner. Click the blue icon on the lower right corner of the screen – named ‘browse prototypes’. In the search field, type ‘ssla’ and once the list is updated, select ‘sslabusech.ipblacklist’.

Palo Alto MineMeld

4) Once the “miner” configuration is displayed, click on ‘new’.

Palo Alto MineMeld

5) Make the necessary changes to each field according to the following image. Pay special attention to the ‘CONFIG’ field and its ‘url’ line, which must be filled with the URL of Malware Patrol’s data feed for MineMeld. As explained previously, the address can be found in your evaluation or customer portal. After properly populating the fields, click ‘ok’.

Palo Alto MineMeld

6) You will see the new “miner prototype” created, click on it.

Palo Alto MineMeld

7) When the “miner” loads, click on “clone”.

Palo Alto MineMeld

8) Fill the two fields as shown in the following screenshot and click ‘ok’.

Palo Alto MineMeld

9) The screen will show all the available items, including the new miner. Click on ‘commit’ to push the changes. Wait a few seconds as some components of MineMeld will be restarted.

Palo Alto MineMeld

10) Click on ‘nodes’ and use the search field to look for ‘malwarepatrol’. You should see the new “miner”. Pay close attention to ‘indicators’ that should show an increasing amount of items pulled from our data feed.

Palo Alto MineMeld

11) To create the “processor prototype”, click on ‘config’ and then the blue icon on the lower right corner of the screen – named ‘browse prototypes’. Search for ‘processor’. In the list displayed, click on ‘stdlib.aggregatorFileName’

Palo Alto MineMeld

12) Click ‘new’ and fill the form fields according to the following screenshot and click ‘ok’.

Palo Alto MineMeld

13) Once the list of “prototypes” is shown, click on the newly created one and choose ‘clone’. Fill the form according to the next screenshot.

Palo Alto MineMeld

14) Clicking on ‘config’ you should see a screen similar to the following:

MineMeld screen shot

15) Now to create an “output prototype”, click the blue icon on the lower right corner of the screen – named ‘browse prototypes’. Search for ‘output’ and in the list that will be displayed, click ‘stdlib.dagPusher’.

MineMeld screen shot

16) Fill the form fields as in the following screenshot and click ‘ok’.

MineMeld screen shot

17) In the list that will be displayed, click the newly created “prototype”.

MineMeld screen shot

18) Click ‘clone’.

MineMeld screen shot

19) At this point, the list displayed should contain one new item for a “miner”, “processor” and “output”. Click on ‘commit’ to make the changes effective. Wait a few seconds as some components of MineMeld will be restarted.

MineMeld screen shot

20) Click on ‘nodes’ and search for ‘malwarepatrol’. You should see the three newly created items and the count of ‘indicators’ increasing. That shows that data is flowing from our data feed into the “miner”, “processor” and finally made ready by the “output”.

MineMeld screen shot

21) Clicking on “output” you can see details including the URL of the finalized feed that can be consumed by Palo Alto Networks systems.

MineMeld screen shot

22) For information on MineMeld and how to connect it with other Palo Alto Networks products and Splunk, please visit the following URLs.

• Create Dynamic Firewall Rules Based on MineMeld Threat Feeds: https://www.virtualizationhowto.com/2018/12/create-dynamic-firewall-rules-based-on-minemeld-threat-feeds/
• Create a MineMeld input in Splunk: https://splunk.paloaltonetworks.com/autofocus-and-minemeld.html
• Quick tour of MineMeld default config: https://live.paloaltonetworks.com/t5/MineMeld-Articles/Quick-tour-of-MineMeld-default-config/ta-p/72042
• Using MineMeld to Create a Custom Miner: https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-MineMeld-to-Create-a-Custom-Miner/ta-p/227694
• Developer’s Guide: https://github.com/PaloAltoNetworks/minemeld/wiki/Developer’s-Guide

If you encounter any difficulties during the configuration process, feel free to contact our tech support at support(at)malwarepatrol.net. Configuration guides for other systems can be found on our Tech Support page.

MISP (Enterprise Customers)

MISP is a threat intelligence platform for gathering, sharing, storing and correlating indicators of compromise of targeted attacks, threat intelligence, financial fraud information and vulnerability information.

It can be configured to ingest MISP-formatted data feeds. To ingest the data provided by Malware Patrol, follow these steps:

1) In the customer portal or evaluation portal, search for the feed of interest. Once you find it, look for the “MISP compatible data feed” link. Right click on it and choose “Copy link location”.

2) Open your MISP instance and click on “Sync Actions / List Feeds”.

3) On the left menu, click “Add Feed”.

4) Fill the field “Name” as “Malware Patrol – _data_feed_name_” (for example: Malware Patrol – C2s). On “Provider” put “Malware Patrol”. Choose “Network” on “Input Source”.

5) The field “URL” should contain the link location you have copied from the customer portal or evaluation portal.

6) On “Source Format”, choose “MISP Feed”.

7) Click on “Add Basic Auth” and complete the fields with your “Username” and “Password” for the customer portal or evaluation portal. Then click on “Add Basic Auth Header”.

8) Adjust “Distribution”, “Default Tag” and “Filter rules” appropriately for your environment.

9) Click “Add”.

10) Back in the list of feeds, select the Malware Patrol data feed and click “Enable selected”.

11) Still in the list of feeds, for the Malware Patrol data feed, click the last icon on the right, named “Download”. Your MISP instance will download the current feed file, parse it and add its contents to your instance.

Malware Patrol also provides data feeds via MISP server synchronization. Please contact your sales manager for details.

pfSense / pfBlockerNG (Business Protect Customers)

Malware Patrol provides block lists compatible with pfBlockerNG, a package for pfSense version 2.x that allows the usage of custom block list, IP filtering, and country block functionalities.

You can follow these simple steps to configure your pfBlockerNG to filter malicious URLs and protect the internal network, computers and users from getting infected by malware and ransomware.

1) Log in to pfSense GUI.

pfsense system  

2) Choose System > Package Manager.

pfsense system

 

3) Choose Available packages then scroll down to pfBlockerNG and click Save.

pfsense system

 

4) Once the package is installed, choose Firewall > pfBlockerNG.

pfsense system

 

5) On the General tab, enable the following options:

  • Enable pfBlockerNG

  • De-Duplication

  • CIDR Aggregation

  • Suppression

  • Global Logging (optional)

You may also need to adjust Interface/Rules Configuration depending on your set up.

pfsense system

 

6) Choose DNSBL from the pfBlockerNG menu. Check Enable DNSBL. And under IP Firewall Rule Setting select Deny Outbound. Click Save.

pfsense system

 

7) Click DNSBL Feeds then click +Add.

pfsense system

 

8) Enter Malware Patrol as the DNS GROUP Name.

9) Under DNSBL Source enter your URL for the pfBlockerNG block list provided by Malware Patrol. The address can be found by logging in to your account with Malware Patrol. Enter a label, MP-Aggressive for example and click +Add.

10) Set List Action to Unbound and Update Frequency to Every hour (for Malware Patrol Premium members only). Click Save.

pfsense system

 

11) Click Save.

pfsense system

 

12) Choose Update from the pfBlockerNG menu. Select the “Force” option and mark Update, then click Run.

pfsense system

 

13) The logs should present messages similar to the following:

pfsense system

 

If you experience any difficulties configuring pfBlockerNG with Malware Patrol’s block lists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net. Our special thanks to F34RInc for helping put together this configuration guide.

SpamAssassin (Business Protect Customers)

Malware Patrol provides block lists compatible with SpamAssassin.

“Apache SpamAssassin is the #1 Open Source anti-spam platform giving system administrators a filter to classify email and block spam (unsolicited bulk email).

It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.

Apache SpamAssassin is a project of the Apache Software Foundation (ASF).”

You can follow these simple steps to configure your SpamAssassin to filter malicious URLs and protect your network, computers, and users from getting infected by malware.

1) Make sure your SpamAssassin instance is installed and working properly. There are several resources on the Internet that can help you configure it in your platform. If you are experiencing trouble installing and configuring SpamAssassin, start at: https://spamassassin.apache.org/

2) On the server running SpamAssassin, create a file called malware_patrol_update.sh in a location of your choice, for example:
# mkdir /root/sh
# vi /root/sh/malware_patrol_update.sh

3) Log into your account with Malware Patrol and look for SpamAssassin. Right click on “download” and select “Copy link location”. You will need this URL on the next step.

4) Paste the following command into the newly created file, substituting _URL_YOU_JUST_COPIED_ with the URL you copied in the previous step:

wget --no-check-certificate -O /etc/mail/spamassassin/99_malware_patrol_blocklist.cf '_URL_YOU_JUST_COPIED_'

Feel free to customize the output filename. SpamAssassin configuration files are read in an alphanumerical order, meaning 70_*.cf will be read before 99_*.cf.

5) It is very important to make sure that the URL you have copied from your account with Malware Patrol is enclosed in single quotes.

6) Add the following line to the file and save it:

systemctl restart spamassassin.service

If Amavisd is used (so SpamAssassin is managed by it) use the following line instead and save it:

systemctl restart amavisd.service

7) Add execute permissions to the recently created file, executing this command:

# chmod +755 /root/sh/malware_patrol_update.sh

8) Execute the recently created file that will download the latest block list and restart SpamAssassin or Amavisd:

# /bin/sh /root/sh/malware_patrol_update.sh

9) Make sure the new file was correctly processed by SpamAssassin by running the following command:

# spamassassin -D --lint 2>&1 | grep "malware_patrol"
... dbg: config: read file /etc/mail/spamassassin/99_malware_patrol_blocklist.cf

10) You should now create a cron job to automatically update the Malware Patrol block list. The following command should be executed every hour:

/bin/sh /root/sh/malware_patrol_update.sh

Please choose minutes not close to 00, 01 and 59 for your cron job.

If you experience any difficulties configuring SpamAssassin to use Malware Patrol block lists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
Special thanks to Malware Patrol user fRANz for writing this guide.

Squid3 Web Proxy (Business Protect Customers)

Squid is a proxy for the Web that provides extensive access control lists, reduces bandwidth consumption and improves response times by caching and reusing frequently requested web pages. It runs on most available operating systems, including Linux and Windows. It is licensed under the GNU GPL.

Malware Patrol provides block lists compatible with Squid3. You can follow these simple steps to configure your Squid instance and protect the internal network, computers and users from getting infected by malware.

1) Make sure your Squid3 instance is installed and working properly. There are several resources on the Internet that can help you configure Squid3 in your platform. If you are experiencing trouble installing and configuring Squid3, start at: http://www.squid-cache.org/.

2) On the server running Squid3, create a file called /etc/squid3/malware_patrol_update.sh. For example: vi /etc/squid3/malware_patrol_update.sh

3) Log into your account with Malware Patrol and look for Squid Web Proxy ACL. Right click on “download” and select “Copy link location”, you will need this URL on the next step.

4) Paste the following command into the newly created file, substituting _URL_YOU_JUST_COPIED_ with the URL you copied in the previous step: wget --no-check-certificate -O /etc/squid3/malware_patrol_blocklist '_URL_YOU_JUST_COPIED_'

5) It is very important to make sure that the URL you have copied from your account with Malware Patrol is enclosed in single quotes. For example: wget --no-check-certificate -O /etc/squid3/malware_patrol_blocklist 'https://lists.malwarepatrol.net/cgi/getfile?receipt=01234567890&product=13&list=squid'

6) Add the following line to the file and save it: /usr/sbin/squid3 -k reconfigure

7) Add execute permissions to the recently created file, executing this command: chmod +755 /etc/squid3/malware_patrol_update.sh

8) Now we need to configure Squid3 to use the block list. Edit the file /etc/squid3/squid.conf. For example: vi /etc/squid3/squid.conf

9) Add the following lines to the file, at the appropriate sections:
acl malware url_regex -i "/etc/squid3/malware_patrol_blocklist"
http_access deny malware
deny_info http://www.malwarepatrol.net/denied.shtml malware

10) Execute the recently created file that will download the latest block list and restart Squid: /bin/sh /etc/squid3/malware_patrol_update.sh

11) Notice that Squid3 will take longer than usual to start because it needs to read thousands of entries that will protect you from malware infections.

12) You should now configure a cronjob to automatically update the Malware Patrol block list. The following command should be executed every hour: /bin/sh /etc/squid3/malware_patrol_update.sh. Please choose minutes not close to 00, 01 and 59.
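The update scripts in the SpamAssassin and Squid3 guides above write the download straight onto the live file and then reload the service, so a failed or truncated fetch replaces a working block list. The following added example (not Malware Patrol's own script) downloads to a temporary file, rejects empty, HTML or suspiciously short responses, and only then swaps the file in and reloads. The function names and the 100-line minimum are assumptions; the paths and reload command in the usage comment come from the Squid3 steps.

```shell
#!/bin/sh
# Added example (not Malware Patrol's script): validate a download before it
# replaces the live block list. MIN_LINES and all function names are assumptions.

MIN_LINES="${MIN_LINES:-100}"   # assumed floor for a plausible list

# looks_like_blocklist FILE
# Returns 0 = plausible list, 1 = empty, 2 = HTML page, 3 = too short.
looks_like_blocklist() {
    file="$1"
    if [ ! -s "$file" ]; then
        echo "reject: download is empty" >&2
        return 1
    fi
    # Heuristic: a login or error response may arrive as an HTML page.
    if head -n 20 "$file" | grep -qiE '<(!doctype|html|head|body|title)'; then
        echo "reject: download looks like an HTML page" >&2
        return 2
    fi
    lines=$(wc -l < "$file" | tr -d '[:space:]')
    if [ "$lines" -lt "$MIN_LINES" ]; then
        echo "reject: only $lines lines, expected at least $MIN_LINES" >&2
        return 3
    fi
    return 0
}

# install_blocklist NEW LIVE
# Returns 0 when LIVE was replaced, 10 when NEW is identical to LIVE, and the
# validation code (1-3) when NEW was rejected. LIVE is untouched unless 0.
install_blocklist() {
    new="$1"; live="$2"
    looks_like_blocklist "$new" || { rc=$?; rm -f "$new"; return "$rc"; }
    if [ -f "$live" ] && cmp -s "$new" "$live"; then
        rm -f "$new"
        return 10
    fi
    chmod 644 "$new"        # mktemp creates 0600; the service must read it
    mv -f "$new" "$live"    # a rename inside one directory is atomic
}

# update_blocklist URL LIVE [RELOAD_CMD...]
# Fetch to a temp file beside LIVE, validate, swap, reload only on change.
update_blocklist() {
    url="$1"; live="$2"; shift 2
    tmp=$(mktemp "${live}.XXXXXX") || return 20
    # TLS certificate verification is left at wget's default (on).
    if ! wget -q --tries=2 --timeout=60 -O "$tmp" "$url"; then
        echo "reject: download failed" >&2
        rm -f "$tmp"
        return 21
    fi
    rc=0
    install_blocklist "$tmp" "$live" || rc=$?
    case "$rc" in
        0)  if [ "$#" -gt 0 ]; then "$@" || rc=22; fi ;;
        10) rc=0 ;;         # unchanged list: nothing to reload
    esac
    return "$rc"
}

# Usage, with the Squid3 paths from the guide:
#   malware_patrol_update.sh '_URL_YOU_JUST_COPIED_' \
#       /etc/squid3/malware_patrol_blocklist /usr/sbin/squid3 -k reconfigure
if [ "$#" -ge 2 ]; then
    update_blocklist "$@"
fi
```

For the SpamAssassin guide, pass /etc/mail/spamassassin/99_malware_patrol_blocklist.cf as the live file and systemctl restart spamassassin.service as the reload command.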

If you experience any difficulties configuring Squid3 to use Malware Patrol block lists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

FAQs

Duplicate Entries

Our lists include what we call MBL ID, a unique identifier that correlates to each entry in the database. This number assigned to each entry means our system is actually structured to detect, and therefore avoid, duplicates. Basically, the MBL_ID helps us organize and debug the large amount of data in our lists.

The most common report of duplicate entries is related to what appears to be repeated domains or partial URLs. While it may seem that these are duplicates, it is usually the case that there is more than one malware binary in the same directory or subdirectories under it. Each instance of malware on a single domain has its own unique identifier because it represents a different URL, directory, or was detected at a different point in time, for example. So, each entry counts as a distinct malware and shows on data feeds.

If you find something else beyond this example that shows duplicate entries, please let us know!

False Positives

The quality of our data is very important to us. We ask that you send reports of false positives to fp (at) malwarepatrol.net. We will investigate promptly, update our database (if necessary), and let you know the results.

Please read this before submitting a false positive report:

We often receive false positive reports on domains like docs(.)google(.)com, drive(.)google(.)com, dropbox(.)com and github(.)com. Unfortunately, these sites host bad malware more frequently than ever. To further complicate things, systems like Google Docs serve files from their root directories, forcing some formats of block lists to affect (block) the entire domain.

We understand that it is not always possible to block these mainstream websites. We have various options, depending on your subscription type, to help with whitelisting domains to which your users require access. See FAQ topic "Whitelisting" for more details.

Whitelisting

It is common knowledge in the security industry that many well-known and frequently used websites host malware (Google Drive, DropBox, GitHub). We understand, however, that it is not always possible to block these popular websites, particularly those used for work purposes. Malware Patrol has options, depending on your subscription type, to help you whitelist domains to which your users require access.

Enterprise:
Several enterprise feeds have Cisco Umbrella top domains removed from them (top 25,000 or 100,000 or 1,000,000 domains). Enterprise customers may use these versions instead of the full feed. For other Enterprise feeds we include the Cisco Umbrella domain ranking as a field to allow for whitelisting per the customer's specific needs.

Also, Enterprise feeds can be customized at no cost. This offer includes the option to have us remove specific domains from your feed, by Cisco Umbrella ranking or otherwise. Discuss your specific needs with your Account Manager.

Non-commercial blocklist:

Our download script to allow for domain exclusions. These will be applied right after the lists are downloaded. The exact way to do it depends on your environment and configuration, but simple shell commands like cat _filename_ | grep -v _domain_ > _new_file_name_ can remove entries.

For help automating the removal of domains from block lists, contact our tech support via email (support (@) malwarepatrol.net) and they will be happy to help. Please remember to mention the block list you use and how you download it.
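An exact-match alternative to the grep -v one-liner above, as an added example that is not Malware Patrol's download script: grep treats the domain as an unanchored regular expression, so excluding one domain also drops every entry that merely contains it, including lookalike hosts that should stay blocked. The function names, the assumption of one bare domain or URL per line, and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Malware Patrol's script). Assumes one bare domain or one
# URL per block list line; function names and sample data are constructed.

# The FAQ's one-liner as a function, for comparison: PATTERN is an unanchored
# regular expression, so "." matches any character and substrings match too.
grep_exclude() {
    grep -v "$1" "$2"
}

# exclude_domains ALLOWFILE LISTFILE
# Prints LISTFILE without entries whose host equals an allowlisted domain or is
# a subdomain of one. ALLOWFILE holds one domain per line; "#" lines are ignored.
exclude_domains() {
    awk '
        FILENAME == ARGV[1] {
            d = tolower($1)
            if (d != "" && substr(d, 1, 1) != "#") allowed[d] = 1
            next
        }
        {
            host = tolower($0)
            sub("^[a-z][a-z0-9+.-]*://", "", host)   # scheme
            sub("[/?#].*$", "", host)                # path, query, fragment
            sub("^[^@]*@", "", host)                 # userinfo
            sub(":[0-9]+$", "", host)                # port
            # Compare the host, then each parent domain, against the allowlist.
            h = host
            while (h != "") {
                if (h in allowed) next
                dot = index(h, ".")
                if (dot == 0) break
                h = substr(h, dot + 1)
            }
            print
        }
    ' "$1" "$2"
}

# Constructed sample list (reserved .example and .test names only).
sample_list() {
    cat <<'EOF'
http://files.example/a.exe
http://cdn.files.example/b.exe
http://files.example.evil.test/c.exe
http://myfiles.example/d.exe
http://bad.test/filesXexample/e.exe
http://other.test/f.exe
EOF
}

# Usage: script.sh ALLOWFILE LISTFILE > NEW_LISTFILE
if [ "$#" -eq 2 ]; then
    exclude_domains "$1" "$2"
fi
```

With files.example allowlisted, exclude_domains removes only the first two sample entries, while grep_exclude files.example leaves just the last one and silently unblocks the three lookalike entries.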

How often are the feeds updated?

Each indicator is verified at least once daily. That means our systems visit each URL, for example, to make sure it is still hosting malware or otherwise considered to be malicious. DGAs are resolved four times per day.

We update most of our Enterprise feeds hourly by adding newly found entries and removing deactivated threats. Customers can find the update frequency in the data feed table in their portals.

The feeds below are updated at intervals other than hourly:

Real-time updates
- Bitcoin Transactions
- DDoS Attacks
- Malware Samples
- Phishing Screen Shots

Every 5 minutes
- DNS RPZ Firewall

Every 6 hours
- Bitcoin Blockchain Strings

Every 24 hours
- Anti-Mining

Business Protect data feeds are updated hourly.

Basic Defense blocklists are updated every 4 hours.

Does the data come in different formats?

The formats we currently offer are the most requested from our users because they work with many popular security tools.

Business Protect and non-commercial blocklists are only offered in the formats listed on their respective pages.

For Enterprise Feeds, however, we can usually customize them to fit your ingestion requirements at no additional cost. Just ask us!

How are malware samples validated?

Our system automatically downloads suspicious samples and applies a series of tests to identify if they are likely malicious. These tests include AV checks as well as proprietary tests to determine file characteristics, like PE headers and packers. This way, we can provide customers with samples that may not be classified as malware yet by AVs but are most likely malicious.

How is malware classified?

We use a mixture of systems to determine if samples are malicious or not. That includes our own classification tools as well as information returned by multiple anti-virus systems. Once a sample is found to be bad, we use one of the classifications provided by AV vendors. Microsoft and Kaspersky are the most utilized, although others may be used.

Do I have to download the whole data feed each time?

The data feeds contain all the available data, not just the data from the latest update. Our experience is that this strategy works better than “diffs” (differentials / updates) because no data is lost if any of our customers miss a download for some reason. We can compress the Enterprise feed files to save bandwidth.

Do you provide invoices?

We cannot provide invoices for Basic Defense subscriptions. Contact your account manager or support (@) malwarepatrol.net for Business Protect and Enterprise subscription invoices.
