Update (2023-05-10): Daily update of this blocklist has been paused while waiting for the upstream maintainer to complete migrating https://github.com/zhouhanc/malware-discoverer to https://malwarediscoverer.com. No ETC is given. See issue #2. Other malware-filter blocklists are not affected.
A blocklist of domains that host potentially unwanted programs (PUP), based on the malware-discoverer. Blocklist is updated twice a day.
Client | mirror 1 | mirror 2 | mirror 3 | mirror 4 | mirror 5 | mirror 6 |
---|---|---|---|---|---|---|
uBlock Origin, IP-based | link | link | link | link | link | link |
Pi-hole | link | link | link | link | link | link |
AdGuard Home | link | link | link | link | link | link |
AdGuard (browser extension) | link | link | link | link | link | link |
Vivaldi | link | link | link | link | link | link |
Hosts | link | link | link | link | link | link |
Dnsmasq | link | link | link | link | link | link |
BIND zone | link | link | link | link | link | link |
BIND RPZ | link | link | link | link | link | link |
dnscrypt-proxy | names.txt | names.txt | names.txt | names.txt | names.txt | names.txt |
Internet Explorer | link | link | link | link | link | link |
Snort2 | link | link | link | link | link | link |
Snort3 | link | link | link | link | link | link |
Suricata | link | link | link | link | link | link |
Splunk | link | link | link | link | link | link |
For other programs, see Compatibility page in the wiki.
Check out my other filters:
Import the link into uBO's filter list to subscribe.
included by default in uBO >=1.39.0; to enable, head to "Filter lists" tab, expand "Malware domains" section and tick "PUP URL Blocklist".
Import the link into AdGuard browser extension to subscribe.
Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"
Import the link into Vivaldi's Tracker Blocking Sources to subscribe.
This blocklist includes domains and IP addresses.
This AdGuard Home-compatible blocklist includes domains and IP addresses.
This blocklist includes domains only.
This blocklist includes domains only.
Save the ruleset to "/usr/local/etc/dnsmasq/pup-filter-dnsmasq.conf". Refer to this guide for auto-update.
Configure dnsmasq to use the blocklist:
printf "\nconf-file=/usr/local/etc/dnsmasq/pup-filter-dnsmasq.conf\n" >> /etc/dnsmasq.conf
This blocklist includes domains only.
Save the ruleset to "/usr/local/etc/bind/pup-filter-bind.conf". Refer to this guide for auto-update.
Configure BIND to use the blocklist:
printf '\ninclude "/usr/local/etc/bind/pup-filter-bind.conf";\n' >> /etc/bind/named.conf
Add this to "/etc/bind/null.zone.file" (skip this step if the file already exists):
$TTL 86400 ; one day
@ IN SOA ns.nullzone.loc. ns.nullzone.loc. (
2017102203
28800
7200
864000
86400 )
NS ns.nullzone.loc.
A 0.0.0.0
@ IN A 0.0.0.0
* IN A 0.0.0.0
Zone file is derived from here.
This blocklist includes domains only.
This blocklist includes domains only.
Save the rulesets to "/usr/local/etc/unbound/pup-filter-unbound.conf". Refer to this guide for auto-update.
Configure Unbound to use the blocklist:
printf '\n include: "/usr/local/etc/unbound/pup-filter-unbound.conf"\n' >> /etc/unbound/unbound.conf
Save the rulesets to "/etc/dnscrypt-proxy/". Refer to this guide for auto-update.
Configure dnscrypt-proxy to use the blocklist:
[blocked_names]
+ blocked_names_file = '/etc/dnscrypt-proxy/pup-filter-dnscrypt-blocked-names.txt'
This blocklist includes domains only.
Not compatible with Snort3.
Save the ruleset to "/etc/snort/rules/pup-filter-snort2.rules". Refer to this guide for auto-update.
Configure Snort to use the ruleset:
printf "\ninclude \$RULE_PATH/pup-filter-snort2.rules\n" >> /etc/snort/snort.conf
Not compatible with Snort2.
Save the ruleset to "/etc/snort/rules/pup-filter-snort3.rules". Refer to this guide for auto-update.
Configure Snort to use the ruleset:
# /etc/snort/snort.lua
ips =
{
variables = default_variables,
+ include = 'rules/pup-filter-snort3.rules'
}
Save the ruleset to "/etc/suricata/rules/pup-filter-suricata.rules". Refer to this guide for auto-update.
Configure Suricata to use the ruleset:
# /etc/suricata/suricata.yaml
rule-files:
- local.rules
+ - pup-filter-suricata.rules
A CSV file for Splunk lookup.
Either upload the file via GUI or save the file in $SPLUNK_HOME/Splunk/etc/system/lookups
or app-specific $SPLUNK_HOME/etc/YourApp/apps/search/lookups
.
Or use malware-filter add-on to install this lookup and optionally auto-update it.
Columns:
host | path | message | updated |
---|---|---|---|
example.com | pup-filter PUP website detected | 2022-12-21T12:34:56Z | |
example2.com | /some-path | pup-filter PUP website detected | 2022-12-21T12:34:56Z |
All filters are also available as gzip- and brotli-compressed.
- Gzip: https://malware-filter.gitlab.io/malware-filter/pup-filter.txt.gz
- Brotli: https://malware-filter.gitlab.io/malware-filter/pup-filter.txt.br
This blocklist operates by blocking the whole website, popular websites are excluded from the filters.
Popular websites are as listed in the Umbrella Popularity List (top 1M domains + subdomains), Tranco List (top 1M domains), Cloudflare Radar (top 1M domains) and this custom list.
If you wish to exclude certain website(s) that you believe is sufficiently well-known, please create an issue or merge request.
This blocklist only accepts new malicious URLs from malware-discoverer.
See wiki
Optional variables:
CLOUDFLARE_BUILD_HOOK
: Deploy to Cloudflare Pages.NETLIFY_SITE_ID
: Deploy to Netlify.CF_API
: Include Cloudflare Radar domains ranking. Guide to create an API token.
https://gitlab.com/curben/blog#repository-mirrors
src/: Creative Commons Zero v1.0 Universal and MIT License
filters: Derived from malware-discoverer with Zhouhan Chen's permission
malware-discoverer: All rights reserved by Zhouhan Chen
Tranco List: MIT License
Umbrella Popularity List: Available free of charge by Cisco Umbrella
Cloudflare Radar: Available to free Cloudflare account