Protect Against Malware & Ransomware
Malware Patrol began almost two decades ago as a group sharing malicious URLs. We continue to collect, analyze, and monitor threats, and now offer commercial threat intelligence services as well as our original community malware blocklist, Basic Defense.
Basic Defense contains a very small subset of our complete malware and ransomware URLs database. The data is for non-commercial use only. It cannot be used in any services provided to customers, such as managed security services. It can, however, be used internally by any type of organization, large or small.
Our full malware and ransomware data set is sold as one of our many commercial feeds.
We offer three FREE OSINT/honeypot and research-based feeds that include a variety of indicators (hashes, email addresses, IPs, CVEs) along with relevant metadata.
Subscription options are below. Check out our configuration guides for help setting up your favorite tool to work with the blocklist. If you need help, you can reach our tech team by sending a message to support (@) malwarepatrol.net.
You can also send suspicious emails and URLs to void@malware.com.br or set up a spam trap. All submissions are verified hourly and any new malicious URLs will be added immediately. A single submission could help protect thousands of users!
Note: We offer very limited support for Basic Defense. Responses may take several days, depending on availability. We appreciate your patience as we do the best we can - there are many blocklist subscribers. Our commercial customers receive priority support.
Check out Malware Patrol's commercial threat intelligence solutions if you need data to protect customers. We offer data feeds of command-and-control servers, cryptojacking sites, malicious domains & IPs, malware samples (binaries), newly registered domains, phishing, and more.
Malware and ransomware URLs, updated every 4 hours with new threats. Non-commercial use only. Two subscription options.
Educational organizations can receive a free Basic Defense subscription to help protect their internal users and networks. Request your organization's account here. (Sorry, students and researchers are not eligible.)
“ClamAV is an open source anti-virus engine for detecting trojans, viruses, malware & other malicious threats.”
Malware Patrol provides signatures compatible with ClamAV. You can follow these simple steps to configure your ClamAV instance and protect the internal network, computers and users from getting infected by malware.
1) Make sure your ClamAV instance is installed and working properly. There are several resources on the Internet that can help you configure ClamAV in your platform. If you are experiencing trouble installing and configuring ClamAV, start at: http://www.clamav.net/documents/installing-clamav. You should also be able to use distribution specific tools like apt-get and yum to install ClamAV. For example: apt-get install clamav.
If you have Extremeshok’s clamav-unofficial-sigs properly installed, skip to step 14.
2) Install curl. For example: apt-get install curl
3) Install rsync. For example: apt-get install rsync
4) Install unzip. For example: apt-get install unzip
5) cd /tmp
6) wget -O clamav-unofficial-sigs.zip 'https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip'
7) unzip /tmp/clamav-unofficial-sigs.zip
8) cp /tmp/clamav-unofficial-sigs-master/clamav-unofficial-sigs.sh /usr/local/bin
9) chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh
10) mkdir -p /etc/clamav-unofficial-sigs
11) cp /tmp/clamav-unofficial-sigs-master/config/master.conf /etc/clamav-unofficial-sigs/
12) cp /tmp/clamav-unofficial-sigs-master/config/user.conf /etc/clamav-unofficial-sigs/
13) cd /etc/clamav-unofficial-sigs/
14) edit /etc/clamav-unofficial-sigs/master.conf appropriately
malwarepatrol_enabled="yes"
malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER"
malwarepatrol_product_code="32"
Use 32 if you have a Free Guard account, 34 for Basic Defense monthly, 33 for Basic Defense yearly, and 37 for Basic Defense EDU/Contributor (Free) accounts.
malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext
malwarepatrol_free="yes"
Set to yes if you have a Free Guard account or no if you are a Basic Defense customer.
clam_user="clamav"
clam_group="clamav"
user_configuration_complete="yes"
15) Clean unnecessary files: rm -rf /tmp/clamav-unofficial-sigs*
16) Execute the first update: /usr/local/bin/clamav-unofficial-sigs.sh
17) Configure a new cronjob to update ClamAV signatures every hour (replace MM with the minute at which the job should run): MM * * * * /usr/local/bin/clamav-unofficial-sigs.sh
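Step 17 only works as long as the cron job keeps succeeding, and a cron job that fails silently leaves ClamAV scanning with stale Malware Patrol signatures. The following health check is an added example, not part of this guide and not part of clamav-unofficial-sigs; it assumes the signature file lands at /var/lib/clamav/malwarepatrol.db (the path used in the error-message section of this page) and, because the lists refresh every 4 hours, treats anything older than 5 hours as stale. The signature lines used for the demo are constructed.

```shell
#!/bin/sh
# Added example (not from Malware Patrol or clamav-unofficial-sigs): verify that
# the hourly cron job is really delivering fresh Malware Patrol signatures.
# Run as: sh check_sigs.sh /var/lib/clamav/malwarepatrol.db 300
# (the path is an assumption; adjust it to where your ClamAV keeps its databases)

# Return 0 when FILE exists, is non-empty and was modified within MAX_MIN minutes.
db_is_fresh() {
  file=$1; max_min=$2
  [ -s "$file" ] || return 1
  # find prints the path only when the file is OLDER than max_min minutes
  [ -z "$(find "$file" -mmin +"$max_min" 2>/dev/null)" ]
}

# Count signature lines, ignoring blank lines and '#' comments.
db_signature_count() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c -v -e '^#' -e '^[[:space:]]*$' "$1" || true
}

# Combined check: prints a one-line status and returns non-zero when something
# is wrong, so it can feed a cron job that mails on failure or a monitoring probe.
check_db() {
  file=$1; max_min=$2
  count=$(db_signature_count "$file")
  if ! db_is_fresh "$file" "$max_min"; then
    echo "WARN: $file missing, empty or older than $max_min minutes ($count signatures)"
    return 1
  fi
  if [ "$count" -lt 1 ]; then
    echo "WARN: $file contains no signatures"
    return 1
  fi
  echo "OK: $file has $count signatures and is fresh"
}

# When invoked with arguments, check the given file (max age defaults to 300 min).
if [ $# -ge 1 ]; then
  check_db "$1" "${2:-300}"
fi
```

Wire it into cron a few minutes after the update job, or call it from your monitoring system; a non-zero exit means the update job needs attention before the stale signatures become a gap in coverage.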
If you experience any difficulties configuring ClamAV to use Blocklists by Malware Patrol, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
“Apache SpamAssassin is the #1 Open Source anti-spam platform giving system administrators a filter to classify email and block spam (unsolicited bulk email). It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. Apache SpamAssassin is a project of the Apache Software Foundation (ASF).”
You can follow these simple steps to configure your SpamAssassin to filter malicious URLs and protect your network, computers, and users from getting infected by malware.
1) Make sure your SpamAssassin instance is installed and working properly. There are several resources on the Internet that can help you configure it in your platform. If you are experiencing trouble installing and configuring SpamAssassin, start at: https://spamassassin.apache.org/
2) On the server running SpamAssassin, create a file called malware_patrol_update.sh choosing where to place it, like:
# mkdir /root/sh
# vi /root/sh/malware_patrol_update.sh
3) Log into your account with Malware Patrol and look for SpamAssassin. Right click on “download” and select “Copy link location”. You will need this URL on the next step.
4) Paste the following command into the newly created file, substituting _URL_YOU_JUST_COPIED_ with the URL you copied in the previous step:
wget --no-check-certificate -O /etc/mail/spamassassin/99_malware_patrol_blocklist.cf '_URL_YOU_JUST_COPIED_'
Feel free to customize the output filename. SpamAssassin configuration files are read in an alphanumerical order, meaning 70_*.cf will be read before 99_*.cf.
5) It is very important to make sure that the URL you have copied from your account with Malware Patrol is enclosed in single quotes.
6) Add the following line to the file and save it:
systemctl restart spamassassin.service
If Amavisd is used (so SpamAssassin is managed by it) use the following line instead and save it:
systemctl restart amavisd.service
7) Add execute permissions to the recently created file, executing this command:
# chmod 755 /root/sh/malware_patrol_update.sh
8) Execute the recently created file that will download the latest block list and restart SpamAssassin or Amavisd:
# /bin/sh /root/sh/malware_patrol_update.sh
9) Make sure the new file was correctly processed by SpamAssassin by running the following command:
# spamassassin -D --lint 2>&1 | grep "malware_patrol"
...
dbg: config: read file /etc/mail/spamassassin/99_malware_patrol_blocklist.cf
10) You should now create a cron job to automatically update the Malware Patrol blocklist. The following command should be executed every hour:
/bin/sh /root/sh/malware_patrol_update.sh
Please choose minutes not close to 00, 01 and 59 for your cron job.
If you experience any difficulties configuring SpamAssassin to use Malware Patrol blocklists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
Special thanks to Malware Patrol user fRANz for writing this guide.
Squid is a proxy for the Web that provides extensive access control lists, reduces bandwidth consumption and improves response times by caching and reusing frequently requested web pages. It runs on most available operating systems, including Linux and Windows. It is licensed under the GNU GPL.
Malware Patrol provides blocklists compatible with Squid3. You can follow these simple steps to configure your Squid instance and protect the internal network, computers and users from getting infected by malware.
1) Make sure your Squid3 instance is installed and working properly. There are several resources on the Internet that can help you configure Squid3 in your platform. If you are experiencing trouble installing and configuring Squid3, start at:
2) On the server running Squid3, create a file called /etc/squid3/malware_patrol_update.sh. For example: vi /etc/squid3/malware_patrol_update.sh
3) Log into your account with Malware Patrol and look for Squid Web Proxy ACL.
Right click on “download” and select “Copy link location”, you will need this URL on the next step.
4) Paste the following command into the newly created file, substituting _URL_YOU_JUST_COPIED_ with the URL you copied in the previous step: wget --no-check-certificate -O /etc/squid3/malware_patrol_blocklist '_URL_YOU_JUST_COPIED_'
5) It is very important to make sure that the URL you have copied from your account with Malware Patrol is enclosed in single quotes. For example: wget --no-check-certificate -O /etc/squid3/malware_patrol_blocklist 'https://lists.malwarepatrol.net/cgi/getfile?receipt=01234567890&product=13&list=squid'
6) Add the following line to the file and save it: /usr/sbin/squid3 -k reconfigure
7) Add execute permissions to the recently created file, executing this command: chmod 755 /etc/squid3/malware_patrol_update.sh
8) Now we need to configure Squid3 to use the block list. Edit the file /etc/squid3/squid.conf. For example: vi /etc/squid3/squid.conf
9) Add the following lines to the file, at the appropriate sections:
acl malware url_regex -i "/etc/squid3/malware_patrol_blocklist"
http_access deny malware
deny_info http://www.malwarepatrol.net/denied.shtml malware
10) Execute the recently created file that will download the latest block list and restart Squid: /bin/sh /etc/squid3/malware_patrol_update.sh
11) Notice that Squid3 will take longer than usual to start because it needs to read thousands of entries that will protect you from malware infections.
12) You should now configure a cronjob to automatically update the Malware Patrol block list. The following command should be executed every hour: /bin/sh /etc/squid3/malware_patrol_update.sh. Please choose minutes not close to 00, 01 and 59.
If you experience any difficulties configuring Squid3 to use Malware Patrol blocklists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
Our lists include what we call “MBL ID”, a unique identifier that correlates to each entry in the database. Because every entry carries this number, our system can detect, and therefore avoid, duplicates. Basically, the “MBL_ID” helps us organize and debug the large amount of data in the lists.
The most common report of duplicate entries is related to what appears to be repeated domains or partial URLs. While it may seem that these are duplicates, it is usually the case that there are multiple malware samples hosted in a website’s directory. Each instance of malware on a single domain has its own unique identifier because it represents a different URL, directory, or was detected at a different point in time, for example.
The quality of our data is very important to us. We ask that you send reports of false positives to fp (@) malwarepatrol.net. We will investigate promptly, update our database if necessary, and let you know the results.
Please read this before submitting a report:
We often receive false positive reports on domains like docs(.)google(.)com, drive(.)google(.)com, dropbox(.)com and github(.)com. Unfortunately, these sites host bad malware more frequently than ever. To further complicate things, systems like Google Docs serve files from their root directories, forcing some formats of blocklists to affect (block) the entire domain.
We understand that it is not always possible to block very popular websites. To help our customers in this situation, we whitelist (remove) as many known popular sites as possible. If you still find domains you wish to remove from the list, our download script allows for domain exclusions. Any such changes will be applied right after the lists are downloaded. The exact way to do it depends on your environment and configuration, but simple shell commands like 'grep -v _domain_ _filename_ > _new_file_name_' can remove entries.
For help automating the removal of domains from blocklists, contact our tech support via email: support (@) malwarepatrol.net – and they will be happy to help. Please remember to mention the blocklist you use and how you download it.
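A plain grep -v _domain_ matches substrings, so excluding dropbox.com would also strip an unrelated entry such as notdropbox.com, while a host like docs.google.com.evil.example should stay blocked. The script below is an added example, not Malware Patrol's download script and not its built-in exclusion feature; it reads an exclusions file with one domain per line and matches each domain only on host boundaries (so dropbox.com still covers www.dropbox.com). The list entries and domain names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Malware Patrol's own tooling: remove excluded domains from a
# downloaded blocklist without the over-matching of a plain 'grep -v domain'.
# Each line of the exclusions file is one domain; it is matched only on host
# boundaries, so 'dropbox.com' also covers 'www.dropbox.com' but leaves
# 'notdropbox.com' and 'docs.google.com.evil.example' (constructed names) in place.

# Build one ERE from the exclusions file: dots escaped, each domain anchored to
# start-of-line or a host separator before it and '/', ':' or end-of-line after it.
exclusion_pattern() {
  pat=$(sed -e '/^[[:space:]]*$/d' -e '/^#/d' -e 's/\./\\./g' \
            -e 's,.*,(^|[./:@])&([/:]|$),' "$1" | tr '\n' '|')
  printf '%s' "${pat%|}"
}

# Print the list minus excluded entries. usage: apply_exclusions LIST EXCLUSIONS
apply_exclusions() {
  pat=$(exclusion_pattern "$2")
  if [ -z "$pat" ]; then cat "$1"; return; fi
  # grep -v exits 1 when every line was removed; that is not an error here
  grep -E -v -- "$pat" "$1" || [ $? -eq 1 ]
}

# Write constructed sample inputs into DIR (for the demo and for testing).
make_sample_inputs() {
  dir=$1
  cat > "$dir/list.txt" <<'EOF'
evil.example/payload.exe
docs.google.com/uc?export=download&id=CONSTRUCTED
docs.google.com.evil.example/login
www.dropbox.com/s/CONSTRUCTED/invoice.exe
notdropbox.com/x
EOF
  cat > "$dir/exclusions.txt" <<'EOF'
# one domain per line; constructed for the demo
docs.google.com
dropbox.com
EOF
}

# Demo run. In production, call apply_exclusions right after the wget download:
#   apply_exclusions /tmp/raw_list /etc/exclusions.txt > /etc/squid3/malware_patrol_blocklist
demo_dir=$(mktemp -d)
make_sample_inputs "$demo_dir"
apply_exclusions "$demo_dir/list.txt" "$demo_dir/exclusions.txt"
rm -r "$demo_dir"
```

The demo keeps three of the five constructed entries: the two that only contain an excluded domain as a substring remain blocked, and the two real docs.google.com and www.dropbox.com entries are dropped. Keep the exclusions file short and review it periodically; every domain in it is a hole in the blocklist.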
There are multiple ways to automate the download and ingestion of our blocklists. Specifics depend on your operating system, environment and use of the data. As most of our customers utilize the data in *nix environments, the common tools used for automation are 'wget' and 'curl'. A basic 'wget' command to download a blocklist looks like the following:
wget --no-check-certificate -O /etc/squid3/malware_patrol_blocklist '_URL_COPIED_FROM_YOUR_CUSTOMER_PORTAL_'
The download and ingestion of the data by whatever software you use also require the operating system to frequently perform these tasks. For that, 'cron' is the choice of most of our customers.
Error messages:
# Your access was denied.
# You may have supplied a wrong password, your subscription may have expired or you may not have access to this resource.
The most likely cause of your problem is that you are running wget in a Linux shell and did not enclose the URL in single or double quotes. The shell then treats the ampersand (&) as an instruction to run the preceding part of the command in the background, so the URL is cut off at the first & and the server only receives part of it.
Try the following command instead, for example, to download a ClamAV blocklist (the placeholder stands for the URL copied from your customer portal, and the single quotes around it are the important part):
wget --no-check-certificate -O /var/lib/clamav/malwarepatrol.db '_URL_COPIED_FROM_YOUR_CUSTOMER_PORTAL_'
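When this quoting mistake happens inside the malware_patrol_update.sh from the SpamAssassin and Squid guides above, wget writes the denial message into the blocklist file and the script then restarts the service on that broken file. The script below is an added example, not Malware Patrol's own malware_patrol_update.sh; it checks that the URL still carries its receipt, product and list parameters (the parameter names come from the Squid example on this page), downloads to a temporary file, rejects a file that holds the "Your access was denied." text instead of a list, and only then swaps the file into place and runs the reload command. The reload command strings and the '<html' heuristic are assumptions, and the receipt value in the comments is a placeholder.

```shell
#!/bin/sh
# Added example, not Malware Patrol's malware_patrol_update.sh: a download step
# that never replaces a working blocklist with an error message.
# usage: sh update_blocklist.sh 'URL' /path/to/blocklist 'reload command'
set -u

# The portal URL carries receipt, product and list as '&'-separated query
# parameters (see the Squid guide). An unquoted '&' makes the shell drop
# everything after it, so refuse a URL that lost any of them.
url_looks_complete() {
  for p in 'receipt=' 'product=' 'list='; do
    case $1 in *"$p"*) ;; *) return 1 ;; esac
  done
  return 0
}

# A rejected download is text such as "Your access was denied." rather than an
# empty file; check the content, not just the size. (The '<html' test is an
# extra assumption to catch generic error pages.)
downloaded_file_ok() {
  [ -s "$1" ] || return 1
  ! grep -q -i -e 'access was denied' -e '<html' "$1"
}

# Fetch into a temp file next to DEST, validate, then replace atomically and
# run the reload command. The old list stays in place on any failure.
update_blocklist() {
  url=$1; dest=$2; reload=$3
  if ! url_looks_complete "$url"; then
    echo "refusing to run: URL lost its query parameters (quote it!)" >&2
    return 2
  fi
  tmp=$(mktemp "$dest.XXXXXX") || return 1
  if wget -q -O "$tmp" "$url" && downloaded_file_ok "$tmp"; then
    mv -f "$tmp" "$dest"      # same filesystem, so the swap is atomic
    sh -c "$reload"
  else
    echo "download failed or returned a denial page; keeping the old $dest" >&2
    rm -f "$tmp"
    return 1
  fi
}

# Example invocation (placeholder receipt, not a real one):
#   sh update_blocklist.sh \
#     'https://lists.malwarepatrol.net/cgi/getfile?receipt=YOUR-RECEIPT&product=13&list=squid' \
#     /etc/squid3/malware_patrol_blocklist '/usr/sbin/squid3 -k reconfigure'
if [ $# -eq 3 ]; then
  update_blocklist "$1" "$2" "$3"
fi
```

For SpamAssassin a reload string such as 'spamassassin --lint && systemctl restart spamassassin.service' adds a syntax check before the restart; for Squid, '/usr/sbin/squid3 -k parse && /usr/sbin/squid3 -k reconfigure' does the same. Note that the guides above pass --no-check-certificate to wget, which disables TLS certificate verification; this example leaves it out, so the system's CA store must trust the list server's certificate, which is the safer default for a file that will be trusted by a mail filter or proxy.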
There are no restrictions in the number of IP addresses from which you can download the blocklists.
Sorry, we cannot provide invoices for Basic Defense subscriptions.
© 2023 Malware Blocklist
Powered by Malware Patrol