Issue opened by XmTX1994 (closed 3 years ago)
Currently the export of the malware domain list returns an empty result. I can't tell if it is temporary or permanent.
As a side effect, neither IP-from-domain resolution nor geolocation is working at the moment.
The third-party malware database service is down. The latest MobSF and the Docker image use a previous DB bundled with them. Geolocation is an independent service; it is not related to the Malware DB.
I am working with the last tagged version (v3.1.1), and by "neither IP-from-domain resolution nor geolocation is working at the moment" I meant that MobSF fails with an exception before executing these sub-process steps: https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/v3.1.1/MalwareAnalyzer/views/domain_check.py#L67
IP-from-domain resolution, geolocation, and the malware check are, of course, implemented using three different repositories (gethostbyname, IP2Location DB, and Malware DB). Nevertheless, the absence of the Malware DB leads to failure of all these sub-process steps.
I guess these two commits are the ones needed to patch older versions: https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/b81eab9781948356a1cda764274d221b77c617f1 https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/0398f9e167b86e597cec2d08653ec3184d20dc8a
The latest is master, 3.1.9 at this time, which has the fixes. Tagged releases are cut only after major feature changes. I also verified that the features are working as expected on the latest master and the latest Docker image.
Reached out to MDL for an update https://twitter.com/OpenSecurity_IN/status/1334694477407997952?s=20
No update yet. We will be changing to a different source when a feed is available.
I realize this is an old (and closed) issue, but recently, I found something that could help.
There is an updated list of malware domains that can be found here: https://hole.cert.pl/domains/domains.txt. This list is updated 5 minutes after a domain is flagged as malicious, and according to cert.pl, each website submission will be verified by at least two human operators from the CERT Polska team before being added to the list. A JSON version is available here that contains the insertion date for each listed domain so we can check its accuracy and update status.
This list is smaller than the original list contained in MobSF (about 187K domains versus 363K domains from MDL), but since MDL no longer exists and the available list is outdated, this probably produces better results than continuing to use the old MDL list.
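Added example, not code from MobSF or from any commenter above: it illustrates two points made in this thread, the cert.pl-style feed (plain-text and JSON with insertion dates) as a replacement blocklist, and the failure mode described earlier, where an unavailable malware DB must not prevent the independent resolution and geolocation steps from running. The sample feed contents, the JSON field names (DomainAddress, InsertDate, DeleteDate) and the offline stand-ins for gethostbyname and IP2Location are all constructed assumptions for this example.

```python
"""
Added example (not MobSF's own code). Parses a cert.pl-style domain feed
into a blocklist and runs per-domain resolve / geolocate / blocklist
checks so that a missing malware database does not abort the other two.
JSON field names and all sample data below are assumptions.
"""
import json
from datetime import datetime

# Constructed sample of a plain-text feed: one domain per line.
SAMPLE_TXT = """\
# comment lines and blanks are ignored
evil.example
phish.example.net

EVIL.Example
"""

# Constructed sample of a JSON feed with insert/delete dates (assumed field names).
SAMPLE_JSON = json.dumps([
    {"DomainAddress": "evil.example", "InsertDate": "2021-01-05T10:00:00", "DeleteDate": None},
    {"DomainAddress": "old.example", "InsertDate": "2020-02-01T08:30:00",
     "DeleteDate": "2020-06-01T00:00:00"},
    {"DomainAddress": "phish.example.net", "InsertDate": "2021-03-10T12:00:00", "DeleteDate": None},
])


def normalize(domain):
    """Lower-case and strip whitespace and a trailing dot so lookups match case-insensitively."""
    return domain.strip().rstrip(".").lower()


def parse_txt_feed(text):
    """Return the set of domains in a one-domain-per-line feed."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domains.add(normalize(line))
    return domains


def parse_json_feed(text):
    """Return {domain: insert_datetime} for entries that are still active
    (no DeleteDate), so removed entries are not treated as malicious."""
    active = {}
    for entry in json.loads(text):
        if entry.get("DeleteDate"):
            continue
        active[normalize(entry["DomainAddress"])] = datetime.fromisoformat(entry["InsertDate"])
    return active


def check_domains(domains, resolver, geolocator, blocklist):
    """Run the three independent lookups for each domain.

    Each lookup is isolated: an exception in one is recorded in "errors"
    rather than propagated, and blocklist=None (database unavailable)
    leaves "malware" as None while resolution and geolocation still run.
    """
    report = {}
    for raw in domains:
        domain = normalize(raw)
        result = {"ip": None, "geo": None, "malware": None, "errors": []}
        try:
            result["ip"] = resolver(domain)
        except Exception as exc:
            result["errors"].append("resolve: %s" % exc)
        if result["ip"] is not None:
            try:
                result["geo"] = geolocator(result["ip"])
            except Exception as exc:
                result["errors"].append("geo: %s" % exc)
        if blocklist is None:
            result["errors"].append("malware: database unavailable")
        else:
            result["malware"] = domain in blocklist
        report[domain] = result
    return report


# Constructed offline stand-ins for gethostbyname and the IP2Location lookup.
FAKE_DNS = {"evil.example": "203.0.113.10", "safe.example": "198.51.100.7"}
FAKE_GEO = {"203.0.113.10": "XX", "198.51.100.7": "YY"}


def fake_resolver(domain):
    """Stand-in for socket.gethostbyname that fails like an NXDOMAIN."""
    if domain not in FAKE_DNS:
        raise OSError("name not found: %s" % domain)
    return FAKE_DNS[domain]


def fake_geolocator(ip):
    """Stand-in for an IP2Location country lookup."""
    return FAKE_GEO[ip]


if __name__ == "__main__":
    blocklist = parse_txt_feed(SAMPLE_TXT)
    for domain, res in check_domains(["evil.example", "safe.example", "nx.example"],
                                     fake_resolver, fake_geolocator, blocklist).items():
        print(domain, res)
    # With no database at all, resolution and geolocation still succeed.
    print(check_domains(["safe.example"], fake_resolver, fake_geolocator, None))
```

To use a live feed, replace the constructed samples with the downloaded domains.txt or JSON body and swap the stand-ins for socket.gethostbyname and the real IP2Location call; the isolation in check_domains is what keeps a DB outage from taking the other lookups down with it.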
Thanks, I will add a feature request to track supporting this.
[INFO] 24/Nov/2020 10:45:48 - Malware Database format from malwaredomainlist.com has changed. Database is not updated. Please report to: https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues