Malware Blocklist

The blocklist for the security-minded since 2005

Malware Patrol began over 15 years ago as a group sharing malicious URLs. We continue to collect, analyze, and monitor threats, and now offer commercial threat intelligence services as well as our original community malware blocklist.

Our malware blocklist is called Basic Defense. It contains a subset of our complete malware and ransomware URLs database. The data is for non-commercial use only. It cannot be used in any services provided to customers, such as managed security services. It can, however, be used internally by any type of organization, large or small.

The data is updated every 4 hours.
Each URL is visited daily to verify if the site is still hosting malicious content. It is removed from our list once safe or no longer active.
We offer formats compatible with commonly used security tools, such as ClamAV, SpamAssassin, and SquidGuard.

Our full malware and ransomware data set is sold as one of our 15+ commercial feeds.

We offer three FREE OSINT/honeypot and research-based feeds. They are JSON formatted and include a variety of indicators along with relevant metadata.

Participate and Protect Others

Subscription options are below. Once you subscribe, check out our configuration guides below for help setting up your favorite tool to work with the blocklist. If you need help, you can reach our tech team by sending a message to support (@) malwarepatrol.net.

Note: We offer very limited support for Basic Defense. Responses may take several days, depending on availability. We appreciate your patience as we do the best we can - there are THOUSANDS of blocklist subscribers. Our commercial customers receive priority support.

You can send suspicious emails and URLs to void@malware.com.br or set up a spam trap. All submissions are verified hourly and any new malicious URLs will be added immediately. A single submission could help protect thousands of users!

Blocklist Subscription Options

Basic Defense

Educational Organization

Includes malware and ransomware URLs, updated every 4 hours with new threats. Non-commercial use only. The subscription fees help us maintain our infrastructure. Options listed below.

Educational Organization

Educational organizations can receive free Basic Defense subscriptions for the protection of their internal users and networks. Request your organization's account here. (Sorry, students and researchers are not eligible.)

Configuration Guides

ClamAV (All Customers)

“ClamAV is an open source ant-virus engine for detecting trojans, viruses, malware & other malicious threats.”

Malware Patrol provides signatures compatible with ClamAV. You can follow these simple steps to configure your ClamAV instance and protect the internal network, computers and users from getting infected by malware.

1) Make sure your ClamAV instance is installed and working properly. There are several resources on the Internet that can help you configure ClamAV in your platform. If you are experiencing trouble installing and configuring ClamAV, start at: http://www.clamav.net/documents/installing-clamav. You should also be able to use distribution specific tools like apt-get and yum to install ClamAV. For example: apt-get install clamav.

If you have Extremeshok’s clamav-unofficial-sigs properly installed, skip to step 14.

2) Install curl. For example: apt-get install curl

3) Install rsync. For example: apt-get install rsync

4) Install unzip. For example: apt-get install unzip

5) cd /tmp

6) wget -O clamav-unofficial-sigs.zip ‘https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip’

7) unzip /tmp/clamav-unofficial-sigs.zip

8) cp /tmp/clamav-unofficial-sigs-master/clamav-unofficial-sigs.sh /usr/local/bin

9) chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh

10) mkdir -p /etc/clamav-unofficial-sigs

11) cp /tmp/clamav-unofficial-sigs-master/config/master.conf /etc/clamav-unofficial-sigs/

12) cp /tmp/clamav-unofficial-sigs-master/config/user.conf /etc/clamav-unofficial-sigs/

13) cd /etc/clamav-unofficial-sigs/

14) edit /etc/clamav-unofficial-sigs/master.conf appropriately

malwarepatrol_enabled=”yes”

malwarepatrol_receipt_code=”YOUR-RECEIPT-NUMBER”

malwarepatrol_product_code=”32″

Use 32 if you have a Free Guard account, 34 for Basic Defense monthly, 33 for Basic Defense yearly, and 37 for Basic Defense EDU/Contributor (Free) accounts.

malwarepatrol_list=”clamav_basic” # clamav_basic or clamav_ext

malwarepatrol_free=”yes”

Set to yes if you have a Free Guard account or no if you are a Basic Defense customer.

clam_user=”clamav”

clam_group=”clamav”

user_configuration_complete=”yes”

15) Clean unnecessary files: rm -rf /tmp/clamav-unofficial-sigs*

16) Execute the first update: /usr/local/bin/clamav-unofficial-sigs.sh

17) Configure a new cronjob to update ClamAV signatures every hour: MM * * * * /usr/local/bin/clamav-unofficial-sigs.sh

If you experience any difficulties configuring ClamAV to use Blocklists by Malware Patrol, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

pfSense / pfBlockerNG (Basic Defense Customers)

Malware Patrol provides a blocklist compatible with pfBlockerNG, a package for pfSense version 2.x that allows the usage of custom blocklist, IP filtering, and country block functionalities.

You can follow these simple steps to configure your pfBlockerNG to filter malicious URLs and protect the internal network, computers and users from getting infected by malware and ransomware.

1) Log in to pfSense GUI.

2) Choose System > Package Manager.

3) Choose Available packages then scroll down to pfBlockerNG and clock Save.

4) Once the package is installed, choose Firewall > pfBlockerNG.

5) On the General tab, enable the following options:

Enable pfBlockerNG
De-Duplication
CIDR Aggregation
Suppression
Global Logging (optional)

You may also need to adjust Interface/Rules Configuration depending on your set up.

6) Choose DNSBL from the pfBlockerNG menu. Check Enable DNSBL. And under IP Firewall Rule Setting select Deny Outbound. Click Save.

7) Click DNSBL Feeds then click +Add.

8) Enter Malware Patrol as the DNS GROUP Name.

9) Under DNSBL Source enter your URL for the pfBlockerNG blocklist provided by Malware Patrol. The address can be found by logging in to your account with Malware Patrol. Enter a label, MP-Aggressive for example and click +Add.

10) Set List Action to Unbound and Update Frequency to Every hour (for Malware Patrol Premium members only). Click Save.

11) Click Save.

12) Choose Update from the pfBlockerNG menu. Select the Select “Force” option and mark Update, then click Run.

If you experience any difficulties configuring pfBlockerNG with Malware Patrol’s blocklists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

Our special thanks to F34RInc for helping put together this configuration guide.

SpamAssassin (All Customers)

“Apache SpamAssassin is the #1 Open Source anti-spam platform giving system administrators a filter to classify email and block spam (unsolicited bulk email).
It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.

Apache SpamAssassin is a project of the Apache Software Foundation (ASF).”

You can follow these simple steps to configure your SpamAssassin to filter malicious URLs and protect your network, computers, and users from getting infected by malware.

1) Make sure your SpamAssassin instance is installed and working properly. There are several resources on the Internet that can help you configure it in your platform. If you are experiencing trouble installing and configuring SpamAssassin, start at: https://spamassassin.apache.org/

2) On the server running SpamAssassin, create a file called malware_patrol_update.sh choosing where to place it, like:
# mkdir /root/sh # vi /root/sh/malware_patrol_update.sh

3) Log into your account with Malware Patrol and look for SpamAssassin. Right click on “download” and select “Copy link location”. You will need this URL on the next step.

4) Paste the following command into the newly created file, substituting _URL_YOU_JUST_COPIED_ with the URL you copied in the previous step:

wget --no-check-certificate -O /etc/mail/spamassassin/99_malware_patrol_blocklist.cf '_URL_YOU_JUST_COPIED_'

Feel free to customize the output filename. SpamAssassin configuration files are read in an alphanumerical order, meaning 70_*.cf will be read before 99_*.cf.

5) It is very important to make sure that the URL you have copied from your account with Malware Patrol is enclosed in single quotes.

6) Add the following line to the file and save it:

systemctl restart spamassassin.service

If Amavisd is used (so SpamAssassin is managed by it) use the following line instead and save it:

systemctl restart amavisd.service

7) Add execute permissions to the recently created file, executing this command:

# chmod +755 /root/sh/malware_patrol_update.sh

8) Execute the recently created file that will download the latest block list and restart SpamAssassin or Amavisd:

# /bin/sh /root/sh/malware_patrol_update.sh

9) Make sure the new file was correctly processed by SpamAssassin by running the following command:

# spamassassin -D --lint 2>&1 | grep "malware_patrol" ... dbg: config: read file /etc/mail/spamassassin/99_malware_patrol_blocklist.cf

10) You should now create a cron job to automatically update the Malware Patrol blocklist. The following command should be executed every hour:

/bin/sh /root/sh/malware_patrol_update.sh

Please choose minutes not close to 00, 01 and 59 for your cron job.

If you experience any difficulties configuring SpamAssassin to use Malware Patrol blocklists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

Special thanks to Malware Patrol user fRANz for writing this guide.

Squid3 Web Proxy (Basic Defense Customers)

Squid is a proxy for the Web that provides extensive access control lists, reduces bandwidth consumption and improves response times by caching and reusing frequently requested web pages. It runs on most available operating systems, including Linux and Windows. It is licensed under the GNU GPL.

Malware Patrol provides blocklists compatible with Squid3. You can follow these simple steps to configure your Squid instance and protect the internal network, computers and users from getting infected by malware.

1) Make sure your Squid3 instance is installed and working properly. There are several resources on the Internet that can help you configure Squid3 in your platform. If you are experiencing trouble installing and configuring Squid3, start at:

http://www.squid-cache.org/.

2) On the server running Squid3, create a file called /etc/squid3/malware_patrol_update.sh. For example: vi /etc/squid3/malware_patrol_update.sh

3) Log into your account with Malware Patrol and look for Squid Web Proxy ACL.

Right click on “download” and select “Copy link location”, you will need this URL on the next step.

4) Paste the following command into the newly created file, substituting _URL_YOU_JUST_COPIED_ by the URL you have copied on the previous step: wget –no-check-certificate -O /etc/squid3/malware_patrol_blocklist ‘_URL_YOU_JUST_COPIED_’

5) It is very important to make sure that the URL you have copied from your account with Malware Patrol is enclosed in single quotes. For example: wget –no-check-certificate -O /etc/squid3/malware_patrol_blocklist ‘https://lists.malwarepatrol.net/cgi/getfile?receipt=01234567890&product=13&list=squid’

6) Add the following line to the file and save it: /usr/sbin/squid3 -k reconfigure

7) Add execute permissions to the recently created file, executing this command: chmod +755 /etc/squid3/malware_patrol_update.sh

8) Now we need to configure Squid3 to use the block list. Edit the file /etc/squid3/squid.conf. For example: vi /etc/squid3/squid.conf

9) Add the following lines to the file, at the appropriate sections:
acl malware url_regex -i “/etc/squid3/malware_patrol_blocklist”
http_access deny malware
deny_info http://www.malwarepatrol.net/denied.shtml malware

10) Execute the recently created file that will download the latest block list and restart Squid: /bin/sh /etc/squid3/malware_patrol_update.sh

11) Notice that Squid3 will take longer than usual to start because it needs to read thousands of entries that will protect you from malware infections.

12) You should now configure a cronjob to automatically update the Malware Patrol block list. The following command should be executed every hour: /bin/sh /etc/squid3/malware_patrol_update.sh. Please choose minutes not close to 00, 01 and 59.

If you experience any difficulties configuring Squid3 to use Malware Patrol blocklists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

Hermes SEG (All Customers)

“Hermes Secure Email Gateway is a Free Open Source (Hermes SEG Community Only) Email Gateway that provides Spam, Virus and Malware protection, full in-transit and at-rest email encryption as well as email archiving.

Hermes Secure Email Gateway combines Open Source technologies such as Postfix, Apache SpamAssassin, ClamAV, Amavisd-new and CipherMail under one unified web based Web GUI for easy administration and management of your incoming and ougoing email for your organization.

It can be deployed to protect your in-house email solution as well as cloud email solutions such as Google Mail and Microsoft Office 365.

Hermes SEG supports the integration of the following 3rd party signature feeds:

Linux Malware Detect
Malware Patrol
Sanesecurity
SecuriteInfo
YaraRules"

Click below to access the configuration guide for Malware Patrol’s feeds, written and maintained by Hermes SEG. (Thanks deezteK!)

Vendor Configuration Guide

FAQs

Duplicate entries

Our lists include what we call “MBL ID”, a unique identifier that correlates to each entry in the database. This number assigned to each entry means our system is actually structured to detect, and therefore avoid, duplicates. Basically, the “MBL_ID” helps us organize and debug the large amount of data in the lists.

The most common report of duplicate entries is related to what appears to be repeated domains or partial URLs. While it may seem that these are duplicates, it is usually the case that there are multiple malware samples hosted in a website’s directory. Each instance of malware on a single domain has its own unique identifier because it represents a different URL, directory, or was detected at a different point in time, for example.

False positives / whitelisting domains

The quality of our data is very important to us. We ask that you send reports of false positives to fp (@) malwarepatrol.net. We will investigate promptly, update our database if necessary, and let you know the results.

Please read this before submitting a report:

We often receive false positive reports on domains like docs(.)google(.)com, drive(.)google(.)com, dropbox(.)com and github(.)com. Unfortunately, these sites host bad malware more frequently than ever. To further complicate things, systems like Google Docs serve files from their root directories, forcing some formats of blocklists to affect (block) the entire domain.

We understand that it is not always possible to block very popular websites. To help our customers in this situation, we modified our download script to allow for domain exclusions. These will be applied right after the lists are downloaded. The exact way to do it depends on your environment and configuration, but simple shell commands like ‘cat _filename_ | grep -v _domain_ > _new_file_name_’ can remove entries.

For help automating the removal of domains from blocklists, contact our tech support via email: support (@) malwarepatrol.net – and they will be happy to help. Please remember to mention the blocklist you use and how you download it.

How can I automate data downloads?

There are multiple ways to automate the download and ingestion of our blocklists. Specifics depend on your operating system, environment and use of the data. As most of our customers utilize the data in *nix environments, the common tools used for automation are ‘wget’ and ‘curl’. A basic ‘wget’ command to download a blocklist looks like the following:

wget –no-check-certificate -O /etc/squid3/malware_patrol_blocklist ‘_URL_COPIED_FROM_YOUR_CUSTOMER_PORTAL_’

The download and ingestion of the data by whatever software you use also require the operating system to frequently perform these tasks. For that, ‘cron’ is the choice of most of our customers.

Error message while downloading data

Error messages:

# Your access was denied.

# You may have supplied a wrong password, your subscription may have expired or you may not have access to this resource.

The most likely cause of your problem is that you are running wget in a Linux shell and did no enclose the URL in single or double quotes. Therefore, the shell understands the ampersand (&) sign as an indication that part of the command should be sent to the background and the URL is broken.

Try the following command instead, for example, to download a ClamAV blocklist:

wget –no-check-certificate -O /var/lib/clamav/malwarepatrol.db

‘https://lists.malwarepatrol.net/cgi/getfile?receipt=_receipt_number_&product=_product_id_&list=clamav_ext’

Accessing blocklists from multiple IPs

There are no restrictions in the number of IP addresses from which you can download the blocklists.

Do you provide invoices?

Sorry, we cannot provide invoices for Basic Defense subscriptions.

Malware Blocklist

The blocklist for the security-minded since 2005

Account Access

Participate and Protect Others

Commercial User?