Malware Patrol offers five Enterprise feeds formatted for use with Palo Alto Networks NGFW (PAN-OS). Customers choose the feed(s) that meet their needs: 1) DNS-over-HTTPS (DoH) Servers: This feed gives security teams control over the use of DoH in their environment. DoH wraps DNS queries in an HTTPS request, which can disguise malicious traffic. Several malware families take advantage of this to use DoH for their C2 communications. 2) Malicious Domains: Prevent access to domains hosting malware, ransomware, phishing, cryptominers, and command and control servers (C2s) for over a hundred malware and ransomware families. Blocking C2 communication disrupts the attacker’s ability to execute malicious commands and navigate laterally within the network, essentially breaking the cyber kill chain. 3) Malicious IPs: Provides a first line of defense against threats for which signature-based indicators may not yet be available. The broad coverage of IPs may also extend protection to attacks from adversaries utilizing the same infrastructure. The feed includes IPs actively hosting malicious malware and ransomware files, phishing sites, as well as C2 servers. 4) Malware URLs: This feed contains URLs known to be hosting malware and ransomware binaries. By leveraging malicious URL feeds, security tools can block access to harmful links while still allowing legitimate services hosted on the same domain. This level of precision prevents the unnecessary blocking of popular and legitimate platforms, such as Dropbox or Google Drive, where malicious content is frequently hosted. 5) Scam Domains: Unlike other cyber threats that may rely on known patterns or malicious code, scams often leverage social engineering and psychological manipulation to deceive victims. That makes them hard to detect with conventional automated systems. This feed fills in the gaps for threat intellligence’s “gray area” with ScamAdviser’s extensive database covering online shopping, investment and crypto, identity theft, advance fees, employment, romance, subscriptions and other types of scams. Integrating external threat intelligence into your organization’s firewall is a crucial step in fortifying cybersecurity defenses. Organizations gain a more comprehensive and well-rounded view of emerging threats when they diversify their information sources. Different providers may have varying expertise and access to distinct threat data, offering a broader spectrum of insights. This multi-sourced approach enhances the firewall’s ability to detect and block a wider range of malicious activities, reducing the risk of missing critical threats. It’s a strategic move that ensures a more robust and adaptable security posture, minimizing the chances of falling victim to sophisticated cyberattacks. Malware Patrol offers free evaluations of our Enterprise feeds, including those for Palo Alto Networks NGFW (PAN-OS). Request your evaluation here.  

PAN-OS External Dynamic Lists

Additional threat intelligence sources are integrated into Palo Alto Networks NGFW’s PAN-OS as “External Dynamic Lists” or EDLs. According to the PAN-OS Administrator’s Guide: “An External Dynamic List is a text file that is hosted on an external web server so that the firewall can import objects—IP addresses, URLs, domains—included in the list and enforce policy. To enforce policy on the entries included in the external dynamic list, you must reference the list in a supported policy rule or profile. When multiple lists are referenced, you can prioritize the order of evaluation to make sure the most important EDLs are committed before capacity limits are reached. As you modify the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall.” Users can add up to 30 EDLs. There are per-firewall model restrictions on the number of entries allowed for each of the following object types: 1) IP address and 2) URL & Domain. Check the above referenced administrator’s guide for more details.

Pre-Integration – External Source Certificate Profiles

When EDL sources, such as Malware Patrol, are secured with SSL, you will need a certificate profile in order to authenticate the server hosting your data feed(s). Both the root CA (certificate authority) and intermediate CA certificates are required. Per the Administrator’s Guide (link above), you should “use the same certificate profile to authenticate external dynamic lists from the same source URL. If you assign different certificate profiles to external dynamic lists from the same source URL, the firewall counts each list as a unique external dynamic list.” To get the certificates for Malware Patrol: 1) Navigate to https://malwarepatrol.net (We used the Firefox browser – instructions will vary for others.) 2) (Left) Click on the site security padlock icon 3) Select Connection Secure –> More Information.

  4) Click View Certificate.   5) In the certificate information dialog box that appears:

• Click on the Cloudflare Inc ECC CA-3 tab
• Right click the PEM (cert) link
• Select Save Link As and save as ‘root.pem’ to your computer
• Click on the Baltimore CyberTrust Root tab
• Right click the PEM (cert) link
• Select Save Link As and save as ‘intermediate.pem’ to your computer.

Add Certificate Profiles to PAN-OS

6) Log in to your Palo Alto Networks firewall interface. 7) Click on the Device tab 8) Expand Certificate Management on the left side menu and then select Certificate Profile 9) Click the +Add button at the bottom left of the screen to add a new certificate profile 10)  In the Certificate Profile dialog box:

• Name: Cloudflare
• Click the +Add button at the bottom left of the CA Certificates (yellow) section of the dialog box
• Select Import
• Certificate Name: ‘Cloudflare – Intermediate’
• Click Browse to find and select the ‘intermediate’ certificate saved on your computer
• Click OK to save.

  11) Repeat this process to add the second (root) certificate previously saved to your computer to the same Certificate Profile:

• Click the +Add button again at the bottom of the CA Certificates section to add the root certificate
• Select Import
• Certificate Name: ‘Cloudflare – Root’
• Click Browse to find the ‘root’ certificate saved on your computer
• Click OK to save.

    12) You will see both certificates listed in the Certificate Profile window. Click OK to exit.   13) Click Commit in the upper right hand corner to save your changes.   14) Once completed, a Commit Status dialog box will appear. Make sure the result is successful.

Add an IP EDL

15) From the Objects tab, select External Dynamic Lists on the left side menu. 16) Click the +Add button at the bottom left of the screen to add a new EDL. A dialog box will appear.   17) In the External Dynamic Lists dialog box:

• Name: Malware Patrol – Malicious IPs
• Type: IP List
• Source: Paste the link to the IP feed from your Malware Patrol customer or evaluation portal. Insert your username and password as follows for authentication purposes: https://USERNAME:PASSWORD@eval.malwarepatrol.net/feeds/files/FILENAME
• Certificate Profile: Cloudflare
• Repeat: Hourly
• Click OK to save.

  18) Click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

Apply a Security Policy to an IP EDL

19) From the Policies tab, select Security on the left side menu 20) Click the +Add button at the bottom left of the screen to add a new security policy   21) In the Security Policy Rule dialog box:

• Name: Malware Patrol – Malicious IPs
• Click Destination tab
• Destination Zone: Any
• Destination Address: External Dynamic List –> Malware Patrol – Malicious IPs
• Click Actions tab
• Action: Deny
• Click OK to save.

  22) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

Add a URL EDL

23) From the Objects tab, select External Dynamic Lists on the left side menu. 24) Click the +Add button at the bottom left of the screen to add a new EDL. A dialog box will appear.   25) In the External Dynamic Lists dialog box:

• Name: Malware Patrol – Malicious URLs
• Type: URL List
• Source: Paste the link to the IP feed from your Malware Patrol customer or evaluation portal. Insert your username and password as follows for authentication purposes: https://USERNAME:PASSWORD@eval.malwarepatrol.net/feeds/files/FILENAME
• Certificate Profile: Cloudflare
• Repeat: Hourly
• Click OK to save.

  26) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

Apply a Security Policy to a URL EDL

27) From the Policies tab, select Security on the left side menu. 28) Click the +Add button at the bottom left of the screen to add a new security policy.   29) In the Security Policy Rule dialog box:

• Name: Malware Patrol – Malicious URLs
• Click Service/URL Caetgory tab
• Service: Application-Default
• URL Category: External Dynamic List –> Malware Patrol – Malicious URLs
• Click Actions tab
• Action: Deny
• Click OK to save.

  30) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

Add a Domain EDL

“An external dynamic list of type domain allows you to import custom domain names into the firewall to enforce policy using an Anti-Spyware profile or SD-WAN policy rule. An EDL in an Anti-Spyware profile is very useful if you subscribe to third-party threat intelligence feeds and want to protect your network from new sources of threat or malware as soon as you learn of a malicious domain.  […] You can also specify the firewall to include the subdomains of a specifed domain. […] When this setting is enabled, each domain in a given list requires an additional entry, effectively doubling the number of entries used by the list.”  PAN-OS Administrator’s Guide Malware Patrol offers three domain-based feeds for PAN-OS: Malicious Domains, Scam Domains, and DoH Servers.  31) From the Objects tab, select External Dynamic Lists on the left side menu. 32) Click the +Add button at the bottom left of the screen to add a new EDL. A dialog box will appear.   33) In the External Dynamic Lists dialog box:

• Name: Malware Patrol – Malicious Domains
• Type: Domain List
• Source: Paste the link to the IP feed from your Malware Patrol customer or evaluation portal. Insert your username and password as follows for authentication purposes: https://USERNAME:PASSWORD@eval.malwarepatrol.net/feeds/files/FILENAME
• Certificate Profile: Cloudflare
• Repeat: Hourly
• Click OK to save.
• Repeat this process to add Malware Patrol’s DNS-over-HTTPS Servers and Scam Domains feeds as EDLs.

  34) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

Apply a Security Policy to a Domain EDL

Note: This process is slightly different from adding a security policy to IP and URL EDLs.

Add Anti-Spyware Profile

35) From the Objects tab, select expand Security Profiles on the left side menu. Click Anti-Spyware. 36) Click the +Add button at the bottom left of the screen to add a new profile. A dialog box will appear.   37) In the Anti-Spyware Profile dialog box:

• Name: MalwarePatrolMaliciousDomains
• Select the DNS Signatures tab
• Click the +Add button at the bottom left of the External Dynamic List Domains section
• Select External Dynamic Lists > Malware Patrol – Malicious Domains from the dropdown list
• Repeat this process to add Malware Patrol – DOH Servers and/or Malware Patrol – Scam Domains
• Action on DNS Queries: Apply either Block or Sinkhole to the newly added feed(s), per your organization’s needs
• Click OK to save.

38) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

Add a Security Policy

39) From the Policies tab, select Security on the left side menu 40) Click the +Add button at the bottom left of the screen to add a new security policy 41) In the Security Policy Rule dialog box:

• Name: Malware Patrol – Malicious Domains (or Scam Domains or DoH Servers)
• Click Destination tab
• Destination Zone: Any
• Destination Address: Any
• Click Actions tab
• Profile Type: Profiles
• Anti-Spyware: Select MalwarePatrolMaliciousDomains
• Click OK to save.

42) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.   PAN-OS Reference Document Links:

• External Dynamic Lists
• General Configuration
• Security Policies
• View External Dynamic List Entries
• Exclude Entries from an External Dynamic List
• Use an External Dynamic List in a URL Filtering Profile

If you need any assistance with your Palo Alto NGFW integration with Malware Patrol’s data feeds, please email support ( @ ) malwarepatrol.net or contact your Account Manager.

Malware Patrol + FortiSIEM

Malware Patrol offers (5) Enterprise* feeds formatted for integration into FortiSIEM. This allows users to combine the quality of Fortinet’s SIEM security platform with the protection from our threat intelligence. Customers can choose the feed(s) that meet their needs:

• DNS-over-HTTPS (DoH) Servers (domains)
• Malicious Domains
• Malicious Hashes
• Malicious IPs
• Malware/Ransomware URLs

*These feeds are not available for free or paid blocklists, or Business Protect customers. Find more details about our Enteprise offerings here.

We offer free evaluations of our Enterprise feeds, including those for FortiSIEM. To request your evaluation, complete our request form.

 

About FortiSIEM

“FortiSIEM brings together visibility, correlation, automated response, and remediation in a single, scalable solution. It reduces the complexity of managing network and security operations to effectively free resources, improve breach detection, and even prevent breaches. What’s more is that [the] architecture enables unified data collection and analytics from diverse information sources including logs, performance metrics, security alerts, and configuration changes. FortiSIEM combines the analytics traditionally monitored in separate silos of the security operations center (SOC) and network operations center (NOC) for a more holistic view of the security and availability of the business.” “FortiGuard Threat Intelligence and Indicators of Compromise (IOC) and Threat Intelligence (TI) feeds from commercial, open source, and custom data sources integrate easily into the security TI framework. This grand unification of diverse sources of data enables organizations to rapidly identify root causes of threats, and take the steps necessary to remediate and prevent them in the future. Steps can often be automated with new Threat Mitigation Libraries for many Fortinet products. External Threat Intelligence Integrations

• APIs for integrating external threat feed intelligence — Malware domains, IPs, URLs, hashes, Tor nodes
• Built-in integration for popular threat intelligence sources — ThreatStream, CyberArk, SANS, Zeus, ThreatConnect
• Technology for handling large threat feeds — incremental download and sharing within cluster, real-time pattern
  matching with network traffic. All STIX and TAXII feeds are supported”

 

Adding External TI to FortiSIEM

The following are instructions to configure each of our data feeds on FortiSIEM version 6.4.0 (1412) using the web interface.

 

DNS-over-HTTPS (DoH) Domains

Benefits of the Malware Patrol DoH Data Feed

We developed this feed to help security teams monitor the use of DoH in their environment. Our tools actively search for new DoH servers on a continuous basis to keep this data fresh. DoH allows users to bypass the DNS-level controls and internet usage policies put in place to protect your network against known threats and threat actors are taking advantage of this by using DoH for C2 server connections, for example. As such, both incoming and outgoing DoH traffic should be closely monitored for indications of malicious activity.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Domains from the menu on the left.

3) Click + button at the upper left-hand side of this side menu to add a new Malware Domains group.

4) Enter a group name. We will use Malware Patrol – DoH to distinguish this feed from the Malware Patrol Malicious Domains previously entered.

5) Click save. The Malware Patrol – DoH group will now appear under the Malware Domains section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the screen that pops up choose Update via API and click on the edit (pencil) button.

9) Enter the following to set up the feed update:

• URL of your Malware Patrol DoH feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
• Your Malware Patrol portal username and password
• Plugin Class: no changes
• Field separator: ,
• Data format: CSV
• Data update: Full

10) In the Data Mapping section, match the following:

• Domain Name, Position 1
• Description, Position 2
• Last Seen, Position 3

11) Click Save

12) Click on the Schedule: + button

13) On the screen that pops up, enter:

• Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
• Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
• Recurrence:
  • Start From: Today’s Date
  • End Date: No End Date
• Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process to know which fields are available in the Malware Patrol feed.

 

Malicious Domains

Benefits of the Malware Patrol Malicious Domains Data Feed

This Malware Patrol feed contains domains actively involved in malicious activities. The data is derived from five of our Enterprise feeds: 1) Anti-Mining, 2) Command & Control (C2) Addresses, 3) Domain Names Generated via DGAs, 4) Malware & Ransomware URLs, and 5) Phishing URLs. Network traffic associated with these domains is highly likely to be malicious.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Domains from the menu on the left.

3) Click + button at the upper left-hand side of this side menu to add a new Malware Domains group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware Domains section. 6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the screen that pops up choose Update via API.

9) Click on the edit (pencil) button for the URL.

10) Enter the following to set up the feed update:

• URL of your Malware Patrol Malicious Domains feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
• Your Malware Patrol portal username and password
• Plugin Class: no changes
• Field separator: ,
• Data format: CSV
• Data update: Full

11) In the Data Mapping section, match the following:

• Domain Name, Position 1
• Malware Type, Position 2
• Description, Position 3
• Date Found, Position 4
• Last Seen, Position 5

12) Click Save

13) Click on the Schedule: + button

14) On the screen that pops up, enter:

• Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
• Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
• Recurrence:
  • Start From: Today’s Date
  • End Date: No End Date
• Click Save

15) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

16) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.    

 

Malicious IPs

Benefits of the Malware Patrol Malicious IPs Data Feed

This feed contains IP addresses known to actively host malicious files and C2 systems for malware and ransomware. Monitoring traffic destined to them is an effective network protection measure and provides valuable information for threat hunting purposes.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware IPs from the menu on the left.

3) Click + button at the upper left-hand side of this side menu to add a new Malware IPs group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware IPs section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the next screen, choose Update via API and click on the edit (pencil) button.

9) Enter the following to set up the feed update:

• URL of your Malware Patrol Malicious IPs feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
• Your Malware Patrol portal username and password
• Plugin Class: no changes
• Field separator: ,
• Data format: CSV
• Data update: Full

•  

10) In the Data Mapping section, match the following:

• Name, Position 1
• Low IP, Position 2
• Malware Type, Position 3
• Description, Position 4
• Date Found, Position 5
• Last Seen, Position 6

11) Click Save

12) Click on the Schedule: + button

13) On the next screen, enter:

• Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
• Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
• Recurrence:
  • Start From: Today’s Date
  • End Date: No End Date
• Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.

 

Malware Hashes

Benefits of the Malware Patrol Malware Hashes Data Feed

This feed contains the SHA-1 hashes of malware and ransomware samples currently available on the internet. Encountering these signatures in your environment is a sign of malicious activity.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Hash from the menu on the left.

3) Click + button at the upper left-hand side of this side menu to add a new Malware Hash group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware Hash section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the next screen, choose Update via API and click on the edit (pencil) button..

9) Enter the following to set up the feed update:

• URL of your Malware Patrol Malware Hashes feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
• Your Malware Patrol portal username and password
• Plugin Class: no changes
• Field separator: ,
• Data format: CSV
• Data update: Full

10) In the Data Mapping section, match the following:

• Description, Position 1
• Algorithm, Position 2
• HashCode, Position 3
• Malware Type, Position 4
• Date Found, Position 5
• Last Seen, Position 6

11) Click Save

12) Click on the Schedule: + button

13) On the next screen, enter:

• Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
• Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
• Recurrence:
  • Start From: Today’s Date
  • End Date: No End Date
• Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.

 

Malware URLs

Benefits of the Malware/Ransomware URLs Data Feed

This feed contains URLs known to be hosting malware binaries. It is updated hourly to remove inactive URLs and add newly detected ones. Correlating this feed with network traffic can pinpoint a potential malware infection.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware URLs from the menu on the left.

3) Click + button at the upper left-hand side of this menu to add a new Malware URLs group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware URLs section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the next screen, choose Update via API and click on the edit (pencil) button.

9)  Enter the following to set up the feed update:

• URL of your Malware Patrol Malware URLs feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
• Your Malware Patrol portal username and password
• Plugin Class: no changes
• Field separator: ,
• Data format: CSV
• Data update: Full

10) In the Data Mapping section, match the following:

• URL, Position 1
• Malware Type, Position 2
• Last Seen, Position 3

11) Click Save

12) Click on the Schedule: + button

13) On the next screen, enter:

• Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
• Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
• Recurrence:
  • Start From: Today’s Date
  • End Date: No End Date
• Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.

 

If you need any assistance with your FortiSIEM integration, please email support (@) malwarepatrol.net or contact your Account Manager.

MISP is a threat intelligence platform for gathering, sharing, storing, and correlating indicators of compromise of targeted attacks, threat intelligence, financial fraud information, and vulnerability information.

It can be configured to ingest MISP-formatted data feeds. To ingest the data provided by Malware Patrol following these steps:

If you encounter any difficulties during the configuration process, feel free to contact our tech support at support (@) malwarepatrol.net

Configuration guides for other systems can be found on our Tech Support page.

Share this post:

Tweet

FortiGate NGFWs deliver industry-leading enterprise security for any edge at any scale with full visibility and threat protection. Organizations can weave security deep into the hybrid IT architecture and build security-driven networks to achieve:

• Ultra-fast security, end to end
• Consistent real-time defense with FortiGuard Services
• Excellent user experience with security processing units
• Operational efficiency and automated workflows

Malware Patrol offers (5) feeds formatted for integration into the FortiGate Security Fabric (External Connectors/Threat Feeds). Customers can choose the feed(s) that meet their needs:

• DNS-over-HTTPS (DoH) Servers (domains)
• Malicious Domains
• Malicious Hashes
• Malicious IPs
• Malware/Ransomware URLs

We have written configuration instructions for both connecting and enabling protection with Malware Patrol feeds. Please note that some of the functionalities covered in this guide require a subscription, such as FortiGuard AntiVirus for using Malicious Hashes.

Also, following the instructions in the FortiGate Administration Guide, we have mostly modified default settings and policies whenever adding Malware Patrol’s feeds. For logging or other purposes you may wish to create new ones instead. Additional resources are included at the end of this guide, including a link to FortiGate’s manual.

‘

Adding external threat data feeds to FortiGate

1) From inside the FortiGate interface, select Security Fabric > External Connectors. For this configuration guide, we have already added the Malware Patrol Malicious Hashes feed as an example, seen below.

2) Click Create New

3) Scroll down to Threat Feeds section

4) Select feed type to be added. Options are:

a. FortiGuard Category (for URL lists)
b. IP Address
c. Domain Name (for this example)
d. Malware Hash

5) Complete the following in the fields on the next page:

• Feed name: We will use Malware Patrol Malicious Domains
• URL: You can find the URL of the Malware Patrol Malicious Domains data feed in the evaluation or customer portal
• Login credentials: Username and password for Malware Patrol evaluation or customer portal
• Refresh rate: We use 61 minutes as our feeds are updated hourly

6) Click OK to save. You will now see the new feed added to the list of connectors.

7) Click Create New to add any additional feed(s) you have. Instructions for each are the same as the previous example. For the examples in this how-to, we use the names below:

a. FortiGuard Category (for URL lists) – Malware Patrol Malicious URLs
b. IP Address – Malware Patrol Malicious IPs
c. Domain Name – Malware Patrol Malicious Domains
d. Malware Hash – Malware Patrol Malicious Hashes

8) Click the refresh button and hover over any feed to see details, including number of valid/invalid entries

9) Click View Entries to see the feed’s entries

Adding IP data feeds to firewall policies

1) Navigate to Policy & Objects > Firewall Policy

2) Click Create New

3) Complete the following in the fields on the next page:

• Name: We will use Malware Patrol IP Deny List
• Select incoming and outgoing interfaces: per your needs/environment
• Source: All
• Destination: Malware Patrol Malicious IPs list (menu appears on right, scroll down)
• Schedule: Always
• ServiceAll
• Action: Deny

4) Click OK to save. New policy will appear in list

FortiGate policy details: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/118003/policies

FortiGate video: https://youtu.be/dpvlQ0xU2NU

Adding an external malware blocklist (hashes) to the AntiVirus

1) Navigate to Security Profiles > AntiVirus

2) Click to edit the default profile

3) Enable Use external malware block list (toward bottom of page). Also enable Quarantine if desired.

4) Select ‘Specify’ in the Virus Outbreak Prevention

5) Click the + and select the Malware Patrol Malicious Hashes feed from the menu

6) Click OK to save

FortiGate AntiVirus details: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/913906/external-blocklist-file-hashes

Adding a URL blocklist to the web filter

1) Navigate to Security Profiles > Web Filter

2) Click to edit the default profile

3) Select Malware Patrol Malicious URLs from FortiGuard Category Based Filter menu

4) Right click on Disable and select Block from dropdown menu

5) Click OK to save

FortiGate Web Filter details: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/833698/web-filter

Adding a domain blocklist to the DNS filter

1) Navigate to Security Profiles > DNS Filter

2) Double click to edit the default profile

3) Select Malware Patrol Malicious Domains from FortiGuard Category Based Filter menu (scroll down to Remote Categories section)

4) Right click on Allow and select Redirect to Block Portal from dropdown menu

5) Click OK to save

FortiGate DNS Filter details: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/605868/dns-filter

Additional resources

FortiGate Administration Guide: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/954635/getting-started

FortiGate Administration Guide, threat data feeds: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/9463

/threat-feeds

Excellent walk-through video for adding and enabling external threat feeds: Configure and use 3rd Party threat feeds on a FortiGate Firewall by GraniteDan https://youtu.be/CarI6_URN90

Share this post:

Tweet

Malware Patrol provides a Mikrotik-compatible version of our Malicious Domains and the Tor Exit Nodes data feeds. In this Mikrotik router configuration guide, you will find all the steps necessary. However, feel free to contact our support if you need any help.

“MikroTik is a Latvian company founded in 1996 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in most countries around the world. Our experience in using industry-standard PC hardware and complete routing systems allowed us in 1997 to create the RouterOS software system that provides extensive stability, controls, and flexibility for all kinds of data interfaces and routing.”

You can follow these simple steps to configure your Mikrotik to filter malicious domains to protect your network, computers, and users from getting infected by malware and ransomware. This includes domains derived from C2s, DGAs, and URLs hosting malware and ransomware binaries.

1) You will need the username and password provided to you by Malware Patrol. If you are evaluating, this will be your evaluation portal credentials. If you are a customer, you will use your account login details and portal URL.

2) Execute the following commands in Mikrotik’s CLI:

Malicious Domains

/system script  add name=”MP_UpdateMaliciousDomains” owner=”admin” policy=ftp,read,write dont-require-permissions=no source={
/tool fetch url=”https://_username_:_password@eval.malwarepatrol.net/feeds/files/MP_malicious_domains.mikrotik.rsc” mode=https

/ip firewall address-list remove [find where comment=”MP_Malicious_domain”]
/import file-name=MP_malicious_domains.mikrotik.rsc ;
}

/ip firewall filter add chain=forward action=drop protocol=tcp dst-address-list=MP_MaliciousDomains log=yes log-prefix=”Blocked_by_MP_MaliciousDomains”

/system scheduler add name=MP_UpdateMaliciousIPsFeed interval=1h on-event=MP_UpdateMaliciousIPs owner=admin policy=ftp,read,write

The code above will create a script that downloads and updates the Malicious Domains list. The system scheduler portion will schedule the download and update processes to happen on an hourly basis. We advise this frequency because our lists are updated every hour.

If you encounter any difficulties during the Mikrotik router configuration process, feel free to contact our tech support at support (@) malwarepatrol.net

Configuration guides for other systems can be found on our Tech Support page.

Share this post:

Tweet

Palo Alto MineMeld is an extensible Threat Intelligence processing framework and the multi-tool of threat indicator feeds. MineMeld can be used to collect, aggregate, and filter indicators from a variety of sources make them available for consumption to peers or the Palo Alto Networks security platforms.

That means this versatile tool can be used to grab data feeds of IPs, URLs, and domains. Also, aggregate, deduplicate, process it and output the final result in formats suitable to Palo Alto Networks products. MineMeld can also be configured to send data to Splunk.

Malware Patrol has determined the steps required to allow our customers to utilize our data feeds on MineMeld. The following steps are required to create a miner, a processor, and finally an output. Also, the entire process follows the logic of creating and configuring prototypes based on existing entities and later cloning them. Keep this in mind and the logic will be clearer as we move forward through each step.

We’ve created a specific Enterprise data feed for MineMeld consumption. The URL can be founded in the evaluation or customer portal. If you are a current customer, please contact your Sales Manager to have the feed added to your portal. This configuration guide shows how to extract URLs from that feed. In addition, the same logic can be applied to create new a miner, processor, and output for other indicators contained in the feed.

1) If you do not have MineMeld installed and configured yet, you can download a pre-configured virtual machine or the software’s source code from Github. Please visit the following URLs for more details:

a. https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld
b. https://live.paloaltonetworks.com/t5/MineMeld-Articles/Manually-install-MineMeld-on-Ubuntu-Server-16-04/ta-p/253336

2) Once you successfully log in to MineMeld, click on Config to view the current list of miners, processors and œoutput.

3) To configure a new miner prototype we will use an existing miner. Click the blue icon on the lower right corner of the screen named browse prototypes. In the search field, type “ssla” and once the list is updated, select “sslabusech.ipblacklist.”

4) Once the miner configuration is displayed, click on “new.”

5) Make the necessary changes to each field according to the following image. Special attention must be taken to the field CONFIG and the line url. This must be filled with the URL of Malware Patrol’s data feed for the MineMeld data feed. As explained previously the address can be found in your evaluation or customer portal. After properly populating the fields, click “ok.”

6) You will see the new “miner prototype” created, click on it.

7) When the miner loads, click on clone.

8) Fill the two fields as shown in the following screenshot and click “ok.”

9) The screen will show all the available items, including the new miner. Click on “commit” to push the changes. Wait a few seconds as some components of MineMeld will be restarted.

10) Click on “nodes” and use the search field to look for malwarepatrol You should see the new miner. Pay close attention to indicators that should show an increasing amount of items pulled from our data feed.

11) To create the processor prototype, click on config and then the blue icon on the lower right corner of the screen named browse prototypes. Search for processor. In the list displayed, click on stdlib.aggregatorFileName.

12) Click “new” and fill the form fields according to the following screenshot and click “ok.”

13) Once the list of prototypes is shown, click on the newly created one and choose “clone.” Fill the form according to the next screenshot.

14) Clicking on config you should see a screen similar to the following:

15) Now to create an output prototype, click the blue icon on the lower right corner of the screen named “browse prototypes.” Search for output and in the list that will be displayed, click “stdlib.dagPusher.”

16) Fill the form fields as in the following screenshot and click”ok.”

17) In the list that will be displayed, click the newly created prototype.

18) Click “clone.”

19) At this point, the list displayed should contain one new item for a miner, rocessor and output. Click on commit to make the changes effective. Wait a few seconds as some components of MineMeld will be restarted.

20) Click on nodes and search for malwarepatrol. You should see the three newly created items and the count of indicators increasing. That shows that data is flowing from our data feed into the miner, processor and finally made ready by the output.

21) Clicking on output you can see details including the URL of the finalized feed that can be consumed by Palo Alto Networks systems.

22) For information on MineMeld and how to connect it with other Palo Alto Networks products and Splunk, please visit the following URLs.

– Create Dynamic Firewall Rules Based on MineMeld Threat Feeds: https://www.virtualizationhowto.com/2018/12/create-dynamic-firewall-rules-based-on-minemeld-threat-feeds/
– Create a MineMeld input in Splunk: https://splunk.paloaltonetworks.com/autofocus-and-minemeld.html
– Quick tour of MineMeld default config: https://live.paloaltonetworks.com/t5/MineMeld-Articles/Quick-tour-of-MineMeld-default-config/ta-p/72042
– Using MineMeld to Create a Custom Miner: https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-MineMeld-to-Create-a-Custom-Miner/ta-p/227694
– Developer’s Guide: https://github.com/PaloAltoNetworks/minemeld/wiki/Developer’s-Guide

23) If you encounter any difficulties during the configuration process, feel free to contact our tech support at support@malwarepatrol.net

Configuration guides for other systems can be found on our Tech Support page.

Evaluate Our Data

For actionable, current OTI, Malware Patrol offers a wide variety of threat intelligence feeds for use within organizations of all sizes and industries. We verify our feeds constantly – every hour in most cases – to ensure they contain only actionable indicators that protect our customers against malware infections and data breaches.  For ease of use, we format the feeds for compatibility with the most popular security tools and platforms. Contact us to learn more or to request a free evaluation.

Malware Patrol’s #1 goal is to protect customers from malware and ransomware infections. These days, this can mean blocking mainstream domains. Consequently, our customers report potential false positives for sites like docs(.)google(.)com, drive(.)google(.)com, dropbox(.)com and github(.)com. Systems like Google Docs serve files from their root directories. This forces some block list formats to then block the entire domain, frustrating users.

Sadly, these popular websites host more malware than ever. It is not that their companies don’t try to prevent such threats. They have their valuable reputations to protect. The problem is that there’s a certain amount of time between the upload of files and the detection of malicious behaviors. Attackers exploit this window of opportunity to distribute their campaigns and infect users.

It’s Called Reputation-Jacking

Using trusted domains to host malicious content has become such a prevalent threat that a term was coined for it: ‘reputation-jacking’. Our blog post “Reputation Jacking: Unknown Threats on Well-Known Sites” explains that many Internet users are learning the hard way that malware can be found on the most popular domains. There are many websites that users automatically assume are safe when in fact they may not be.

Excluding Domains from Malware Patrol Block Lists

At Malware Patrol, we believe in providing users the data they need to be protected from malware and ransomware. We also understand that it is not always possible to block mainstream websites. However, we still want to give customers all the data we find so they can choose how to use it.

If you can’t or don’t want to block a certain domain, we advise you to remove the related entries from our block lists. This can be done right after they are downloaded. The exact way to do it depends on your environment and configuration, but simple shell commands like ‘cat _filename_ | grep -v _domain_ > _new_file_name_’ can remove entries.

For help automating the removal of domains from block lists, contact our tech support via email – support (@) malwarepatrol.net – and they’ll be happy to help. Please remember to mention the block list you use and how you download it.

We hope you will find this information valuable to better understand our mission as well as how you can customize our block lists to suit your needs.

Malware Patrol provides block lists compatible with SpamAssassin.
 

“Apache SpamAssassin is the #1 Open Source anti-spam platform giving system administrators a filter to classify email and block spam (unsolicited bulk email).

It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.

Apache SpamAssassin is a project of the Apache Software Foundation (ASF).”
 

You can follow these simple steps to configure your SpamAssassin to filter malicious URLs and protect your network, computers, and users from getting infected by malware.

1) Make sure your SpamAssassin instance is installed and working properly. There are several resources on the Internet that can help you configure it in your platform. If you are experiencing trouble installing and configuring SpamAssassin, start at: https://spamassassin.apache.org/

2) On the server running SpamAssassin, create a file called malware_patrol_update.sh choosing where to place it, like:
# mkdir /root/sh
# vi /root/sh/malware_patrol_update.sh

3) Log into your account with Malware Patrol and look for SpamAssassin. Right click on “download” and select “Copy link location”. You will need this URL on the next step.

4) Paste the following command into the newly created file, substituting _URL_YOU_JUST_COPIED_ with the URL you copied in the previous step:

wget --no-check-certificate -O /etc/mail/spamassassin/99_malware_patrol_blocklist.cf '_URL_YOU_JUST_COPIED_'

Feel free to customize the output filename. SpamAssassin configuration files are read in an alphanumerical order, meaning 70_*.cf will be read before 99_*.cf.

5) It is very important to make sure that the URL you have copied from your account with Malware Patrol is enclosed in single quotes.

6) Add the following line to the file and save it:

systemctl restart spamassassin.service

If Amavisd is used (so SpamAssassin is managed by it) use the following line instead and save it:

systemctl restart amavisd.service

7) Add execute permissions to the recently created file, executing this command:

# chmod +755 /root/sh/malware_patrol_update.sh

8) Execute the recently created file that will download the latest block list and restart SpamAssassin or Amavisd:

# /bin/sh /root/sh/malware_patrol_update.sh

9) Make sure the new file was correctly processed by SpamAssassin by running the following command:

# spamassassin -D --lint 2>&1 | grep "malware_patrol"
... dbg: config: read file /etc/mail/spamassassin/99_malware_patrol_blocklist.cf

10) You should now create a cron job to automatically update the Malware Patrol block list. The following command should be executed every hour:

/bin/sh /root/sh/malware_patrol_update.sh

Please choose minutes not close to 00, 01 and 59 for your cron job.

If you experience any difficulties configuring SpamAssassin to use Malware Patrol block lists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
 

Special thanks to Malware Patrol user fRANz for writing this guide.

Share this post: Tweet