Our lists include what we call MBL ID, a unique identifier that correlates to each entry in the database. This number assigned to each entry means our system is actually structured to detect, and therefore avoid, duplicates. Basically, the MBL_IDhelps us organize and debug the large amount of data in our lists.

The most common report of duplicate entries is related to what appears to be repeated domains or partial URLs. While it may seem that these are duplicates, it is usually the case that there is more than one malware binary in the same directory or subdirectories under it. Each instance of malware on a single domain has its own unique identifier because it represents a different URL, directory, or was detected at a different point in time, for example. So, each entry counts as a distinct malware and shows on data feeds.

If you find something else beyond this example that shows duplicate entries, please let us know!

The quality of our data is very important to us. We ask that you send reports of false positives to fp (at) malwarepatrol.net. We will investigate promptly, update our database (if necessary), and let you know the results.

Please read this before submitting a false positive report:

We often receive false positive reports on domains like docs(.)google(.)com, drive(.)google(.)com, dropbox(.)com and github(.)com. Unfortunately, these sites host bad malware more frequently than ever. To further complicate things, systems like Google Docs serve files from their root directories, forcing some formats of block lists to affect (block) the entire domain.

We understand that it is not always possible to block these mainstream websites. We have various options, depending on your subscription type, to help with whitelisting domains to which your users require access. See FAQ topic "Whitelisting" for more details.

It is common knowledge in the security industry than many well-known and frequently used websites host malware (Google Drive, DropBox, GitHub). We understand, however, that it is not always possible to block these popular websites, particularly those used for work purposes. Malware Patrol has options, depending on your subscription type, to help you whitelist domains to which your users require access.

Enterprise:
Several enterprise feeds have Cisco Umbrella top domains removed from them (top 25,000 or 100,000 or 1,000,000 domains). Enterprise customers may use these versions instead of the full feed. For other Enterprise feeds we include the Cisco Umbrella domain ranking as a field to allow for whitelisting per the customer's specific needs.

Also, Enterprise feeds can be customized at no cost. This offer includes the option to have us remove specific domains from your feed, by Cisco Umbrella ranking or otherwise. Discuss your specific needs with your Account Manager.

Non-commercial blocklist:

You can use our download script to allow for domain exclusions. These will be applied right after the lists are downloaded. The exact way to do it depends on your environment and configuration, but simple shell commands like cat _filename_ | grep -v _domain_ > _new_file_name_ can remove entries.

For help automating the removal of domains from blocklists, contact our tech support via email (support (@) malwarepatrol.net) and they will be happy to help. Please remember to mention the blocklist you use and how you download it.

Each indicator is verified at least once daily. That means our systems visit each URL, for example, to make sure it is still hosting malware or otherwise considered to be malicious. DGAs are resolved four times per day.

We update most of our Enterprise feeds hourly by adding newly found entries and removing deactivated threats. Customers can find the update frequency in the data feed table in their portals.

The feeds below are updated at intervals other than hourly:

Real-time updates
- Bitcoin Transactions
- DDoS Attacks
- Malware Samples
- Phishing Screen Shots

Every 5 minutes
- DNS RPZ Firewall

Every 6 hours
- Bitcoin Blockchain Strings

Every 24 hours
- Anti-Mining

Business Protect data feeds are updated hourly.

Basic Defense blocklists are updated every 4 hours.

The formats we currently offer are the most requested from our users because they work with many popular security tools.

Business Protect and non-commercial blocklists are only offered in the formats listed on their respective pages.

For Enterprise Feeds, however, we can usually customize them to fit your ingestion requirements at no additional cost. Just ask us!

Our system automatically downloads suspicious samples and applies a series of tests to identify if they are likely malicious. These tests include AV checks as well as proprietary tests to determine file characteristics, like PE headers and packers. This way, we can provide customers with samples that may not be classified as malware yet by AVs but are most likely malicious.

We use a mixture of systems to determine if samples are malicious or not. That includes our own classifications tools as well as information returned by multiple anti-virus systems. Once a sample is found to be bad, we use one of the classifications provided by AV vendors. Microsoft and Kaspersky are the most utilized, although others may be used.

The data feeds contain all the available data, not just the data from the latest update. Our experience is that this strategy works better than differentials/updates because no data is lost if any of our customers miss a download for some reason. We can compress the Enterprise feed files to save bandwidth.

We do not provide invoices for Basic Defense subscriptions. Contact your account manager or support (@) malwarepatrol.net for Business Protect and Enterprise subscription invoices.