Configuration Guide
Using Malware Patrol Block Lists with pfBlockerNG for Enhanced Filtering
Malware Patrol provides block lists compatible with pfBlockerNG, a package for pfSense version 2.x that adds custom block lists, IP filtering, and country blocking.
Instructions
You can follow these simple steps to configure your pfBlockerNG to filter malicious URLs and protect the internal network, computers and users from getting infected by malware and ransomware.
1) Log in to pfSense GUI.
2) Choose System > Package Manager.
3) Choose Available Packages, then scroll down to pfBlockerNG and click Save.
4) Once the package is installed, choose Firewall > pfBlockerNG.
5) On the General tab, enable the following options:
You may also need to adjust Interface/Rules Configuration depending on your set up.
6) Choose DNSBL from the pfBlockerNG menu. Check Enable DNSBL. And under IP Firewall Rule Setting select Deny Outbound. Click Save.
7) Click DNSBL Feeds then click +Add.
8) Enter Malware Patrol as the DNS GROUP Name.
9) Under DNSBL Source enter your URL for the Plain Text – Aggressive block list provided by Malware Patrol. The address can be found by logging in to your account with Malware Patrol. Enter a label, MP-Aggressive for example and click +Add.
10) Repeat step 9 for the Plain Text – Aggressive block list for Ransomware (optional).
11) Set List Action to Unbound and Update Frequency to Every hour (for Malware Patrol Premium members only). Click Save.
12) Click Save.
13) Choose Update from the pfBlockerNG menu. Select the Force option, mark Update, then click Run.
14) The logs should present messages similar to the following:
If you experience any difficulties configuring pfBlockerNG with Malware Patrol’s block lists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
Our special thanks to F34RInc for helping put together this how-to.
Configuration Guide
ClamAV is an open source anti-virus engine for detecting trojans, viruses, malware and other malicious threats.
Malware Patrol provides signatures that are compatible with ClamAV software. You can follow these simple steps to configure your ClamAV instance and protect your internal network, computers, and users from getting infected by malware.
1) Make sure your ClamAV instance is installed and working properly. There are a few resources on the internet that can help you configure ClamAV on your platform. If you are experiencing trouble installing and configuring ClamAV, start at the following URL: http://www.clamav.net/documents/installing-clamav.
You should also be able to use distribution-specific tools like apt-get and yum to install ClamAV software. For example: apt-get install clamav.
If you have Extremeshok’s clamav-unofficial-sigs properly installed, skip to step 14.
2) Install curl. For example: apt-get install curl
3) Install rsync. For example: apt-get install rsync
4) Install unzip. For example: apt-get install unzip
5) cd /tmp
6) wget -O clamav-unofficial-sigs.zip 'https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip'
7) unzip /tmp/clamav-unofficial-sigs.zip
8) cp /tmp/clamav-unofficial-sigs-master/clamav-unofficial-sigs.sh /usr/local/bin
9) chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh
10) mkdir -p /etc/clamav-unofficial-sigs
11) cp /tmp/clamav-unofficial-sigs-master/config/master.conf /etc/clamav-unofficial-sigs/
12) cp /tmp/clamav-unofficial-sigs-master/config/user.conf /etc/clamav-unofficial-sigs/
13) cd /etc/clamav-unofficial-sigs/
14) Edit /etc/clamav-unofficial-sigs/master.conf and set the values shown below.
Log into your account with Malware Patrol and look for ClamAV. Right click on download and select Copy link location; you will need this URL in the next steps. It will look like this:
https://lists.malwarepatrol.net/cgi/getfile?receipt=YOUR_RECEIPT-NUMBER&product=41&list=clamav_basic
You will need your receipt number, product code, and list name from this URL.
malwarepatrol_enabled=yes
malwarepatrol_receipt_code=YOUR-RECEIPT-NUMBER   # the receipt number from your Malware Patrol download URL
malwarepatrol_product_code=41                    # the product code from your Malware Patrol download URL
malwarepatrol_list=clamav_basic                  # clamav_basic or clamav_ext, the list name from your Malware Patrol download URL
malwarepatrol_free=no
clam_user=clamav
clam_group=clamav
user_configuration_complete=yes
15) Clean unnecessary files: rm -rf /tmp/clamav-unofficial-sigs*
16) Execute the first update: /usr/local/bin/clamav-unofficial-sigs.sh
17) Configure a new cronjob to update ClamAV signatures every hour: MM * * * * /usr/local/bin/clamav-unofficial-sigs.sh
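As an added example (not part of this guide and not code from clamav-unofficial-sigs), the POSIX sh helper below pulls the receipt number, product code and list name out of the copied download URL and prints the matching malwarepatrol_* lines for master.conf, refusing URLs whose parts are missing or do not match the two ClamAV list names the guide mentions. The sample URL in the block is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from Malware Patrol or clamav-unofficial-sigs): derive the
# malwarepatrol_* keys for /etc/clamav-unofficial-sigs/master.conf from the
# download URL copied from the Malware Patrol account page, which has the shape
#   https://lists.malwarepatrol.net/cgi/getfile?receipt=...&product=41&list=clamav_basic

# Print the value of query parameter $2 from URL $1; return 1 if it is absent.
url_param() {
    query=${1#*\?}                     # strip everything up to and including '?'
    [ "$query" = "$1" ] && return 1    # no '?' at all, so no parameters
    old_ifs=$IFS; IFS='&'
    for pair in $query; do             # split the query string on '&'
        case $pair in
            "$2="*) IFS=$old_ifs; printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Emit the master.conf lines for URL $1. Fails (non-zero) when a parameter is
# missing, the product code is not numeric, or the list is not one of the two
# ClamAV lists the guide names, so a mis-copied URL is caught before it is used.
mp_clamav_conf() {
    receipt=$(url_param "$1" receipt) || { echo "URL has no receipt parameter" >&2; return 1; }
    product=$(url_param "$1" product) || { echo "URL has no product parameter" >&2; return 1; }
    list=$(url_param "$1" list)       || { echo "URL has no list parameter" >&2; return 1; }
    case $product in
        ""|*[!0-9]*) echo "product code is not numeric: $product" >&2; return 1 ;;
    esac
    case $list in
        clamav_basic|clamav_ext) ;;
        *) echo "unexpected list name: $list" >&2; return 1 ;;
    esac
    printf 'malwarepatrol_enabled=yes\n'
    printf 'malwarepatrol_receipt_code=%s\n' "$receipt"
    printf 'malwarepatrol_product_code=%s\n' "$product"
    printf 'malwarepatrol_list=%s\n' "$list"
    printf 'malwarepatrol_free=no\n'
}

# Constructed sample URL with a placeholder receipt; pass your real URL as $1.
sample='https://lists.malwarepatrol.net/cgi/getfile?receipt=YOUR_RECEIPT-NUMBER&product=41&list=clamav_basic'
mp_clamav_conf "${1:-$sample}"
```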
If you experience any difficulties configuring ClamAV software to use Malware Patrol blocklists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
Configuration Guide
Squid is a proxy for the web that provides extensive access control lists, reduces bandwidth consumption and improves response times by caching and reusing frequently requested web pages. It runs on most available operating systems, including Linux and Windows. It is licensed under the GNU GPL. Keep reading to learn how to configure Squid3.
Malware Patrol provides block lists compatible with Squid3 Web Proxy. You can follow these simple steps to configure your Squid instance and protect internal networks, computers and users from getting infected by malware.
Step-by-Step Instructions
1) Make sure your Squid3 instance is installed and working properly. There are several resources on the Internet that can help you configure Squid3 in your platform. If you are experiencing trouble installing and configuring Squid3, start at: http://www.squid-cache.org/.
2) On the server running Squid3, create a file called /etc/squid3/malware_patrol_update.sh. For example: vi /etc/squid3/malware_patrol_update.sh
3) Log into your account with Malware Patrol and look for Squid Web Proxy ACL. Right click on download and select Copy link location; you will need this URL in the next step.
4) Paste the following command into the newly created file, replacing _URL_YOU_JUST_COPIED_ with the URL you copied in the previous step: wget --no-check-certificate -O /etc/squid3/malware_patrol_blocklist '_URL_YOU_JUST_COPIED_'
5) It is very important to make sure that the URL you have copied from your account with Malware Patrol is enclosed in single quotes. For example: wget --no-check-certificate -O /etc/squid3/malware_patrol_blocklist 'https://lists.malwarepatrol.net/cgi/getfile?receipt=01234567890&product=13&list=squid'
6) Add the following line to the file and save it: /usr/sbin/squid3 -k reconfigure
7) Make the newly created file executable with this command: chmod 755 /etc/squid3/malware_patrol_update.sh
8) Next, we need to configure Squid3 to use the blocklist. Edit the file /etc/squid3/squid.conf. For example: vi /etc/squid3/squid.conf
9) Add the following lines to the file, at the appropriate sections:
acl malware url_regex -i /etc/squid3/malware_patrol_blocklist
http_access deny malware
deny_info http://www.malwarepatrol.net/denied.shtml malware
10) Execute the recently created file that will download the latest blocklist and restart Squid: /bin/sh /etc/squid3/malware_patrol_update.sh
11) Notice that Squid3 will take longer than usual to start because it needs to read thousands of entries that will protect you from malware infections.
12) You should now configure a cronjob to automatically update the Malware Patrol blocklist. The following command should be executed every hour: /bin/sh /etc/squid3/malware_patrol_update.sh. Please choose minutes not close to 00, 01 and 59.
If you experience any difficulties configuring Squid3 Web Proxy to use Malware Patrol blocklists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net. Other configuration guides are available on our Tech Support page.
Configuration Guide
Bind is the world’s most used DNS server. Keep reading to learn how to configure Bind9 to work with Malware Patrol’s data.
Getting Started
Malware Patrol provides a zone file compatible with Bind9. Its usage as a DNSBL (DNS black list) denies access to domains that are involved in malware and ransomware activities. DNS queries for malicious domains return the loopback address (127.0.0.1) preventing access to download malicious binaries, to relay stolen data and to contact command and control servers. You can follow these simple steps to configure your Bind9 instance and protect the internal network, computers and users from getting infected by malware.
Warning
Please be advised that we have noticed that Bind on CentOS 7 is limited in the number of zones it can load and therefore does not work well with our block list. If you experience trouble loading the zone file, or Bind exits unexpectedly, this may be the reason; contact our tech support.
Step-by-Step Instructions
1) Make sure your Bind9 is installed and working properly. There are several resources on the Internet that can help you install it depending on your platform. If you are experiencing trouble, start at: https://www.isc.org/downloads/bind/. You should also be able to use distribution-specific tools like apt-get and yum. For example: apt-get install bind9.
2) Determine the path to the configuration files used by Bind9. This most likely will be /etc/bind or /etc/named. One way to find the path is to issue this command: find / -name named.conf
3) Notice: the path /etc/bind will be used throughout this how-to, please adapt the commands shown here appropriately if your path is different.
4) Change to the directory that contains Bind configuration files, for example: cd /etc/bind
5) Download Malware Patrol’s zone file:
wget -O /etc/bind/blackhole.malwarepatrol.zone 'https://malwarepatrol.net/pub/20160707/blackhole.malwarepatrol.zone'
6) Add the following line to the end of the file /etc/bind/named.conf
include "/etc/bind/blackhole.malwarepatrol.conf";
7) Execute the first update:
/usr/bin/wget --no-check-certificate -qO- '_URL_TO_BIND_BLOCK_LIST_' | sed 's#mbl.zone.file#/etc/bind/blackhole.malwarepatrol.zone#g' > /etc/bind/blackhole.malwarepatrol.conf
notice 1: don't forget to change the command line if your path is not /etc/bind (the sed expression uses # as its delimiter because the replacement path contains slashes)
notice 2: don't forget to change the _URL_TO_BIND_BLOCK_LIST_ parameter to your custom URL. To find the correct address, log in to your account, right click on the "download" link for the Bind block list and choose "Copy link location"
8) Restart Bind with the following command: service bind9 restart
9) Configure a new cronjob to update the Bind zone every hour:
MM * * * * /usr/bin/wget --no-check-certificate -qO- '_URL_TO_BIND_BLOCK_LIST_' | sed 's#mbl.zone.file#/etc/bind/blackhole.malwarepatrol.zone#g' > /etc/bind/blackhole.malwarepatrol.conf ; service bind9 restart
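The Squid3 update script (steps 4 to 6 of the Squid guide) and the Bind9 command in steps 7 and 9 above both write the download straight into the live file. As an added example that is not Malware Patrol's own script, the POSIX sh version below serves both guides: it downloads to a temporary file, applies the guide's filter, validates the result, replaces the live file atomically and only then reloads the service. It assumes the file paths and reload commands used in the two guides, keeps TLS certificate verification on (unlike the guides' wget command), and names its validators as its own assumptions.

```shell
#!/bin/sh
# Added example, not Malware Patrol's own script: a safer form of the Squid3
# and Bind9 update jobs. wget -O truncates the live file before fetching, so a
# failed download leaves Squid or Bind with an empty list. Here the download
# goes to a temporary file, is filtered and checked, and only then replaces the
# live file and triggers the reload. TLS verification stays on (no
# --no-check-certificate); that is this example's choice, not the guide's.

# Move candidate $1 over live file $2 only if $1 is non-empty and the validator
# command $3 (given the candidate path) succeeds; otherwise keep $2, return 1.
promote_if_valid() {
    if [ ! -s "$1" ]; then
        echo "refusing to install empty file $1" >&2; rm -f "$1"; return 1
    fi
    if ! "$3" "$1"; then
        echo "validation failed, keeping $2" >&2; rm -f "$1"; return 1
    fi
    mv -f "$1" "$2"    # rename is atomic when both paths share a filesystem
}

# Fetch URL $1, pipe it through filter $2 into a temp file beside live file $3,
# validate with $4 and, on success, run the reload command $5 (word-split).
update_list() {
    tmp="$3.$$.tmp"
    wget -q -O "$tmp.raw" "$1" || { rm -f "$tmp.raw"; echo "download of $1 failed" >&2; return 1; }
    "$2" < "$tmp.raw" > "$tmp"; rm -f "$tmp.raw"
    promote_if_valid "$tmp" "$3" "$4" || return 1
    $5
}

# Squid: the list is used as-is; a usable url_regex file has a non-comment line.
# squid -k parse would be a stricter validator once the file is in place.
squid_filter()  { cat; }
squid_list_ok() { grep -q '^[^#[:space:]]' "$1"; }
# Bind: the guide's placeholder substitution, with '#' as the sed delimiter
# because the replacement contains '/'; the result must name the zone file and
# carry no leftover placeholder. named-checkconf can be added as a stricter check.
bind_filter()   { sed 's#mbl\.zone\.file#/etc/bind/blackhole.malwarepatrol.zone#g'; }
bind_conf_ok()  { grep -q '/etc/bind/blackhole.malwarepatrol.zone' "$1" && ! grep -q 'mbl\.zone\.file' "$1"; }

# Hourly cron usage; the URLs come from your Malware Patrol account page.
# update_list "$SQUID_URL" squid_filter /etc/squid3/malware_patrol_blocklist squid_list_ok "/usr/sbin/squid3 -k reconfigure"
# update_list "$BIND_URL"  bind_filter  /etc/bind/blackhole.malwarepatrol.conf bind_conf_ok "service bind9 restart"
```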
To make this setup effective, you should configure your customers' DNS server(s) to point to the new Bind. This can be easily achieved via DHCP. Still, customers may manually configure their systems to use external DNS servers, bypassing this protection mechanism. To avoid that, apply firewall rules that deny traffic to external DNS servers.
If you experience any difficulties configuring Bind9 to use Malware Patrol, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
For other configuration guides, check out our Tech Support page.