Technical Support

Get help, report FPs or submit suspicious URLs

Support Options

Use the form to the right for technical support inquiries. Our team will respond as quickly as possible, typically in 24-48 hours for non-urgent requests.

If you are a commercial customer, you can contact your Account Manager for priority support.

For sales/general information inquiries, visit our threat intelligence page to determine the best option for your needs. Or, schedule a chat with us.

FAQs

What is cyber threat intelligence?

Cyber threat intelligence (CTI) is the collection, analysis, and sharing of information about current and emerging cyber threats, including threat actors and their tactics, techniques, and procedures (TTPs), to help organizations understand risks and make informed decisions to prevent, detect, and respond to attacks.

Why do I sometimes see duplicate entries in the data feeds?

The most common report of duplicate entries in our data feeds is related to what appears to be repeated domains or partial URLs. While it may seem that these are duplicates, it is usually the case that there is more than one malware binary in the same directory or subdirectories. Each instance of malware on a domain has its own unique identifier (MBL_ID) because it represents a distinct URL. Therefore, each entry counts as a distinct malware sample in the data feeds.
If you find something beyond this example, please let us know.

How do you handle false positives?

We take the quality of our data very seriously. Please send reports of potential false positives to fp (at) malwarepatrol.net. We will investigate promptly, update our database (if necessary), and let you know the results.
Please read this before submitting a false positive report:
We often receive false positive reports about domains like docs(.)google(.)com, drive(.)google(.)com, dropbox(.)com and github(.)com. Unfortunately, these sites are frequently found to be hosting malicious software. To further complicate matters, systems like Google Docs serve files from their root directories, forcing some formats of data feeds to affect (block) the entire domain.
We understand that it is not always possible to block these mainstream websites. We offer various options to our customers depending on their subscription. See FAQ topic "Whitelisting" for more details or contact our tech support team.

Can I whitelist entries in my data feed?

It is common knowledge in the security industry that many well-known and frequently visited websites host malware (Google Drive, Dropbox, GitHub). We understand, however, that it is not always possible to block access to these popular websites, particularly those used for work purposes. Malware Patrol has options, depending on your subscription type, to help you whitelist domains to which your users require access.
Enterprise:
Several enterprise feeds offer Cisco Umbrella top domains excluded (top 25,000 or 100,000 or 1,000,000 domains). Enterprise customers may opt to use these versions instead of the full feeds. For other Enterprise feeds we include the Cisco Umbrella domain ranking as a field to allow for whitelisting per the customer's specific needs.
Also, Enterprise feeds can be customized at no cost. This offer includes the option to remove specific domains from your feed, by Cisco Umbrella ranking or otherwise. Discuss your specific needs with your Account Manager.

How often are the feeds updated?

Each indicator of compromise in our database is verified at least once daily. This means that our systems visit each URL, for example, to make sure it is still hosting malware. DGAs and other DNS names are resolved four times per day. We update most of our Enterprise feeds hourly by adding newly discovered entries and removing deactivated threats. Customers can find the update frequency in the data feed table in their portals.

The feeds below are updated at intervals other than hourly:

Real-time updates
- Malware Samples
- Phishing Screen Shots

Every 5 minutes
- DNS RPZ Firewall

How are malware samples validated?

Our system automatically downloads suspicious samples and applies a series of tests to identify if they are likely malicious. These tests include AV checks as well as proprietary tests to determine file characteristics, like PE headers and packers. This way, we can provide customers with samples potentially not classified yet as malware by AVs.

Do I have to download the whole data feed each time?

Our data feeds contain all the data currently available, not just data from the latest update. During each update, we add new entries and remove inactive ones. Therefore, customers should consider each update of a feed as the entire data set available at that point in time. Our experience is that this strategy works better than offering differentials/updates. This avoids the situation where data is missed when a customer misses a download for some reason. We compress Enterprise data feeds to save bandwidth.
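A sketch of a feed consumer that follows the full-snapshot model above and applies the Cisco Umbrella rank allowlisting described in the whitelisting FAQ. This is an added example, not Malware Patrol code: the CSV column names, the sample rows, and the size guard against a truncated download are all assumptions.

```python
import csv
import io

# Constructed sample snapshots. The columns (mbl_id, url, umbrella_rank) are
# assumed for illustration and are not the vendor's documented schema.
# 1001 and 1002 share a directory but are distinct entries, each with its own MBL_ID.
SNAPSHOT_1 = """mbl_id,url,umbrella_rank
1001,http://files.example/dl/a.exe,
1002,http://files.example/dl/b.exe,
1003,http://popular.example/share/x.bin,850
"""
SNAPSHOT_2 = """mbl_id,url,umbrella_rank
1002,http://files.example/dl/b.exe,
1003,http://popular.example/share/x.bin,850
1004,http://other.example/payload.dll,420000
"""


def parse_snapshot(text, allow_top_n=0):
    """Return {mbl_id: url}, skipping domains ranked within the top allow_top_n."""
    entries = {}
    for row in csv.DictReader(io.StringIO(text)):
        rank = int(row["umbrella_rank"]) if row["umbrella_rank"] else None
        if rank is not None and rank <= allow_top_n:
            continue  # allowlisted by popularity rank
        entries[row["mbl_id"]] = row["url"]
    return entries


def apply_snapshot(current, text, allow_top_n=0, min_ratio=0.5):
    """Replace the local set with the new snapshot.

    Returns (new_set, added_ids, removed_ids). Because every download is the
    whole data set, a missed update needs no catch-up logic. A snapshot much
    smaller than the current set is rejected as a likely bad download
    (assumed safeguard), so the existing blocklist is not wiped.
    """
    new = parse_snapshot(text, allow_top_n)
    if current and len(new) < min_ratio * len(current):
        raise ValueError("snapshot suspiciously small; keeping previous data")
    added = sorted(new.keys() - current.keys())
    removed = sorted(current.keys() - new.keys())
    return new, added, removed


if __name__ == "__main__":
    state, added, removed = apply_snapshot({}, SNAPSHOT_1, allow_top_n=25000)
    state, added, removed = apply_snapshot(state, SNAPSHOT_2, allow_top_n=25000)
    print("added:", added, "removed:", removed)
```
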

Do you provide invoices?

Yes, for commercial customers. Contact your account manager or support (@) malwarepatrol.net to receive subscription invoices.
