The Malware Blocklist is distributed by Malware Patrol. Malware Patrol began over 15 years ago as a group sharing malicious URLs. Now a community of users and more active than ever, we continue to collect, analyze, and monitor threats.
Malware Patrol gladly provides resources to collect and distribute our community’s data because we believe that information sharing is one of the most effective ways to fight cyber threats. There are both free and paid versions of the malware and ransomware URL list - the Malware Blocklist. The list is available in formats compatible with several of the most commonly used security tools, such as ClamAV, SpamAssassin, and SquidGuard.
The data is for non-commercial use only. It cannot be used in any services provided to customers, such as managed security services. They can, however, be used internally by any type of organization, large or small.
Subscription options are below. Once you subscribe, check out our configuration guides below for help setting up your favorite tool to work with the blocklists. If you need help, you can reach our tech team by sending a message to support (@) malwarepatrol.net.
Also, please send your suspicious emails and URLs to firstname.lastname@example.org or set up a spam trap. All submissions are verified hourly and any new malicious URLs will be immediately added. A single submission could help protect thousands of users!
Check out Malware Patrol's threat intelligence offerings if you want to use this data to protect customers. We also have a much larger database of malware and ransomware URLs, as well as IoCs related to phishing, DGAs, C2s, malware samples, cryptomining and more.
Includes the last 7 days of malware URLs from our database, updated EVERY 72 HOURS. Available in the formats listed below. This data is for non-commercial use by any individual, group or organization.
Includes the last 15 days of malware URLs from our database, updated EVERY 4 HOURS. Non-commercial use only. The subscription fees help us maintain our infrastructure. Options listed below.
Educational organizations and regular contributors qualify for free subscriptions to our Basic Defense Blocklists for the protection of their internal users and networks. Request your account here.
Free. Registration Required.
$4.19 USD per month. Cancel anytime.
$39.99 per year. Cancel anytime.
We offer free lifetime Basic Defense blocklist subscriptions (valued at $40/year) to the following:
For security teams to protect your organization’s internal networks and users. (Sorry, students or researchers are not eligible.) Request here.
Configuration guide authors
Write instructions for a tool/system/platform that not already listed on this page and submit to us.
“ClamAV is an open source ant-virus engine for detecting trojans, viruses, malware & other malicious threats.”
Malware Patrol provides signatures compatible with ClamAV. You can follow these simple steps to configure your ClamAV instance and protect the internal network, computers and users from getting infected by malware.
1) Make sure your ClamAV instance is installed and working properly. There are several resources on the Internet that can help you configure ClamAV in your platform. If you are experiencing trouble installing and configuring ClamAV, start at: http://www.clamav.net/documents/installing-clamav. You should also be able to use distribution specific tools like apt-get and yum to install ClamAV. For example: apt-get install clamav.
If you have Extremeshok’s clamav-unofficial-sigs properly installed, skip to step 14.
2) Install curl. For example: apt-get install curl
3) Install rsync. For example: apt-get install rsync
4) Install unzip. For example: apt-get install unzip
5) cd /tmp
6) wget -O clamav-unofficial-sigs.zip ‘https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip’
7) unzip /tmp/clamav-unofficial-sigs.zip
8) cp /tmp/clamav-unofficial-sigs-master/clamav-unofficial-sigs.sh /usr/local/bin
9) chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh
10) mkdir -p /etc/clamav-unofficial-sigs
11) cp /tmp/clamav-unofficial-sigs-master/config/master.conf /etc/clamav-unofficial-sigs/
12) cp /tmp/clamav-unofficial-sigs-master/config/user.conf /etc/clamav-unofficial-sigs/
13) cd /etc/clamav-unofficial-sigs/
14) edit /etc/clamav-unofficial-sigs/master.conf appropriately
Use 32 if you have a Free Guard account, 34 for Basic Defense monthly, 33 for Basic Defense yearly, and 37 for Basic Defense EDU/Contributor (Free) accounts.
malwarepatrol_list=”clamav_basic” # clamav_basic or clamav_ext
Set to yes if you have a Free Guard account or no if you are a Basic Defense customer.
15) Clean unnecessary files: rm -rf /tmp/clamav-unofficial-sigs*
16) Execute the first update: /usr/local/bin/clamav-unofficial-sigs.sh
17) Configure a new cronjob to update ClamAV signatures every hour: MM * * * * /usr/local/bin/clamav-unofficial-sigs.sh
If you experience any difficulties configuring ClamAV to use Blocklists by Malware Patrol, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
Malware Patrol provides a blocklist compatible with pfBlockerNG, a package for pfSense version 2.x that allows the usage of custom blocklist, IP filtering, and country block functionalities.
You can follow these simple steps to configure your pfBlockerNG to filter malicious URLs and protect the internal network, computers and users from getting infected by malware and ransomware.
1) Log in to pfSense GUI.
2) Choose System > Package Manager.
3) Choose Available packages then scroll down to pfBlockerNG and clock Save.
4) Once the package is installed, choose Firewall > pfBlockerNG.
5) On the General tab, enable the following options:
You may also need to adjust Interface/Rules Configuration depending on your set up.
6) Choose DNSBL from the pfBlockerNG menu. Check Enable DNSBL. And under IP Firewall Rule Setting select Deny Outbound. Click Save.
7) Click DNSBL Feeds then click +Add.
8) Enter Malware Patrol as the DNS GROUP Name.
9) Under DNSBL Source enter your URL for the pfBlockerNG blocklist provided by Malware Patrol. The address can be found by logging in to your account with Malware Patrol. Enter a label, MP-Aggressive for example and click +Add.
10) Set List Action to Unbound and Update Frequency to Every hour (for Malware Patrol Premium members only). Click Save.
11) Click Save.
12) Choose Update from the pfBlockerNG menu. Select the Select “Force” option and mark Update, then click Run.
If you experience any difficulties configuring pfBlockerNG with Malware Patrol’s blocklists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
Our special thanks to F34RInc for helping put together this configuration guide.
“Apache SpamAssassin is the #1 Open Source anti-spam platform giving system administrators a filter to classify email and block spam (unsolicited bulk email).
It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.
Apache SpamAssassin is a project of the Apache Software Foundation (ASF).”
You can follow these simple steps to configure your SpamAssassin to filter malicious URLs and protect your network, computers, and users from getting infected by malware.
1) Make sure your SpamAssassin instance is installed and working properly. There are several resources on the Internet that can help you configure it in your platform. If you are experiencing trouble installing and configuring SpamAssassin, start at: https://spamassassin.apache.org/
2) On the server running SpamAssassin, create a file called malware_patrol_update.sh choosing where to place it, like:
# mkdir /root/sh # vi /root/sh/malware_patrol_update.sh
3) Log into your account with Malware Patrol and look for SpamAssassin. Right click on “download” and select “Copy link location”. You will need this URL on the next step.
4) Paste the following command into the newly created file, substituting _URL_YOU_JUST_COPIED_ with the URL you copied in the previous step:
wget --no-check-certificate -O /etc/mail/spamassassin/99_malware_patrol_blocklist.cf '_URL_YOU_JUST_COPIED_'
Feel free to customize the output filename. SpamAssassin configuration files are read in an alphanumerical order, meaning 70_*.cf will be read before 99_*.cf.
5) It is very important to make sure that the URL you have copied from your account with Malware Patrol is enclosed in single quotes.
6) Add the following line to the file and save it:
systemctl restart spamassassin.service
If Amavisd is used (so SpamAssassin is managed by it) use the following line instead and save it:
systemctl restart amavisd.service
7) Add execute permissions to the recently created file, executing this command:
# chmod +755 /root/sh/malware_patrol_update.sh
8) Execute the recently created file that will download the latest block list and restart SpamAssassin or Amavisd:
# /bin/sh /root/sh/malware_patrol_update.sh
9) Make sure the new file was correctly processed by SpamAssassin by running the following command:
# spamassassin -D --lint 2>&1 | grep "malware_patrol" ... dbg: config: read file /etc/mail/spamassassin/99_malware_patrol_blocklist.cf
10) You should now create a cron job to automatically update the Malware Patrol blocklist. The following command should be executed every hour:
Please choose minutes not close to 00, 01 and 59 for your cron job.
If you experience any difficulties configuring SpamAssassin to use Malware Patrol blocklists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
Special thanks to Malware Patrol user fRANz for writing this guide.
Squid is a proxy for the Web that provides extensive access control lists, reduces bandwidth consumption and improves response times by caching and reusing frequently requested web pages. It runs on most available operating systems, including Linux and Windows. It is licensed under the GNU GPL.
Malware Patrol provides blocklists compatible with Squid3. You can follow these simple steps to configure your Squid instance and protect the internal network, computers and users from getting infected by malware.
1) Make sure your Squid3 instance is installed and working properly. There are several resources on the Internet that can help you configure Squid3 in your platform. If you are experiencing trouble installing and configuring Squid3, start at:
2) On the server running Squid3, create a file called /etc/squid3/malware_patrol_update.sh. For example: vi /etc/squid3/malware_patrol_update.sh
3) Log into your account with Malware Patrol and look for Squid Web Proxy ACL.
Right click on “download” and select “Copy link location”, you will need this URL on the next step.
4) Paste the following command into the newly created file, substituting _URL_YOU_JUST_COPIED_ by the URL you have copied on the previous step: wget –no-check-certificate -O /etc/squid3/malware_patrol_blocklist ‘_URL_YOU_JUST_COPIED_’
5) It is very important to make sure that the URL you have copied from your account with Malware Patrol is enclosed in single quotes. For example: wget –no-check-certificate -O /etc/squid3/malware_patrol_blocklist ‘https://lists.malwarepatrol.net/cgi/getfile?receipt=01234567890&product=13&list=squid’
6) Add the following line to the file and save it: /usr/sbin/squid3 -k reconfigure
7) Add execute permissions to the recently created file, executing this command: chmod +755 /etc/squid3/malware_patrol_update.sh
8) Now we need to configure Squid3 to use the block list. Edit the file /etc/squid3/squid.conf. For example: vi /etc/squid3/squid.conf
9) Add the following lines to the file, at the appropriate sections:
acl malware url_regex -i “/etc/squid3/malware_patrol_blocklist”
http_access deny malware
deny_info http://www.malwarepatrol.net/denied.shtml malware
10) Execute the recently created file that will download the latest block list and restart Squid: /bin/sh /etc/squid3/malware_patrol_update.sh
11) Notice that Squid3 will take longer than usual to start because it needs to read thousands of entries that will protect you from malware infections.
12) You should now configure a cronjob to automatically update the Malware Patrol block list. The following command should be executed every hour: /bin/sh /etc/squid3/malware_patrol_update.sh. Please choose minutes not close to 00, 01 and 59.
If you experience any difficulties configuring Squid3 to use Malware Patrol blocklists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
“Hermes Secure Email Gateway is a Free Open Source (Hermes SEG Community Only) Email Gateway that provides Spam, Virus and Malware protection, full in-transit and at-rest email encryption as well as email archiving.
Hermes Secure Email Gateway combines Open Source technologies such as Postfix, Apache SpamAssassin, ClamAV, Amavisd-new and CipherMail under one unified web based Web GUI for easy administration and management of your incoming and ougoing email for your organization.
It can be deployed to protect your in-house email solution as well as cloud email solutions such as Google Mail and Microsoft Office 365.
Hermes SEG supports the integration of the following 3rd party signature feeds:
Click below to access the configuration guide for Malware Patrol’s feeds, written and maintained by Hermes SEG. (Thanks deezteK!)
Our lists include what we call “MBL ID”, a unique identifier that correlates to each entry in the database. This number assigned to each entry means our system is actually structured to detect, and therefore avoid, duplicates. Basically, the “MBL_ID” helps us organize and debug the large amount of data in the lists.
The most common report of duplicate entries is related to what appears to be repeated domains or partial URLs. While it may seem that these are duplicates, it is usually the case that there are multiple malware samples hosted in a website’s directory. Each instance of malware on a single domain has its own unique identifier because it represents a different URL, directory, or was detected at a different point in time, for example.
The quality of our data is very important to us. We ask that you send reports of false positives to fp (@) malwarepatrol.net. We will investigate promptly, update our database if necessary, and let you know the results.
Please read this before submitting a report:
We often receive false positive reports on domains like docs(.)google(.)com, drive(.)google(.)com, dropbox(.)com and github(.)com. Unfortunately, these sites host bad malware more frequently than ever. To further complicate things, systems like Google Docs serve files from their root directories, forcing some formats of blocklists to affect (block) the entire domain.
We understand that it is not always possible to block very popular websites. To help our customers in this situation, we modified our download script to allow for domain exclusions. These will be applied right after the lists are downloaded. The exact way to do it depends on your environment and configuration, but simple shell commands like ‘cat _filename_ | grep -v _domain_ > _new_file_name_’ can remove entries.
For help automating the removal of domains from blocklists, contact our tech support via email: support (@) malwarepatrol.net – and they will be happy to help. Please remember to mention the blocklist you use and how you download it.
There are multiple ways to automate the download and ingestion of our blocklists. Specifics depend on your operating system, environment and use of the data. As most of our customers utilize the data in *nix environments, the common tools used for automation are ‘wget’ and ‘curl’. A basic ‘wget’ command to download a blocklist looks like the following:
wget –no-check-certificate -O /etc/squid3/malware_patrol_blocklist ‘_URL_COPIED_FROM_YOUR_CUSTOMER_PORTAL_’
The download and ingestion of the data by whatever software you use also require the operating system to frequently perform these tasks. For that, ‘cron’ is the choice of most of our customers.
# Your access was denied.
# You may have supplied a wrong password, your subscription may have expired or you may not have access to this resource.
The most likely cause of your problem is that you are running wget in a Linux shell and did no enclose the URL in single or double quotes. Therefore, the shell understands the ampersand (&) sign as an indication that part of the command should be sent to the background and the URL is broken.
Try the following command instead, for example, to download a ClamAV blocklist:
wget –no-check-certificate -O /var/lib/clamav/malwarepatrol.db
There are no restrictions in the number of IP addresses from which you can download the blocklists.
Sorry, we cannot provide invoices for Basic Defense subscriptions.