Analyzing IPs with MetaDefender Cloud

About

MetaDefender Cloud allows users to check IP addresses and domains for malicious behavior using many IP and domain reputation sources. This functionality makes it possible to identify threats like botnets or phishing sites that would not be found through scanning files when accessing content. By providing a standardized interface for the leading IP reputation sources, MetaDefender Cloud aggregates data on whether an IP, domain or URL address should be trusted.

The potential maliciousness of an IP address or domain can change frequently. To keep our results up-to-date and reduce false positives, we only save our results from the IP reputation sources for 15 days.

The scan result for each provider will follow this sample structure:

Below are additional explanations for the scan results we return for IP addresses and domains.

Providers

We are currently using many sources to collect malicious addresses. Below is a list of the sources that MetaDefender Cloud currently incorporates. This list is subject to change depending on the availability and reliability of its contents.

Status

There are three possible results for each of the sources listed below. MetaDefender Cloud will categorize anything as Blocklisted if it is reported as malicious by any of the sources. Our policy is to keep these up to 15 days in order to limit potential false positives.

See more details about our expiration policy in the Last Detected section.

0	Allowlisted: IP is listed by the source in their allowlist. Note: Not all sources provide allowlists.
1	Blocklisted: IP is listed by the source in their blocklist. Refer to the source for more information regarding their blocklist.
3	Failed to scan: The results could not be retrieved from our servers
5	Unknown: The source has not listed this IP address in either their blocklist or allowlist.

Last Updated

Currently, MetaDefender Cloud's IP-Domain database is updated daily for each source, which is indicated in the "update_time" field of the results. However, this does not necessarily correspond directly with the source releasing their own list.

Last Detected

The "detect_time" indicates the last time an IP address was confirmed as belonging to a feed. There are two different types of feed (i.e., blocklist or allowlist). One is reset with only active bad IPs and the other is accumulated with newly-found bad IPs.

Assessment

MetaDefender Cloud utilizes the assessments below:

Assessment	Description
botnet	Typically a host used to control another host or malicious process. Matching traffic would usually indicate infection. Typically used to identify compromised hosts.
malware	Typically a host used to exploit and/or drop malware to a host for the first time. Typically NOT a botnet controller (although they could overlap). Communications with these indicators may lead to a compromise and then to a possible botnet controller communication (if the infection was successful). Typically used in preemptive blocking, alerts may not indicate infection was successful.
phishing	A luring attempt at a victim to exfiltrate some sort of credential. A targeted attempt at getting someone to unintentionally cause infection (spear phishing).
scanner	Typically infrastructure being used to scan or brute-force (SSH, RDP, telnet, etc...).
spam	Typically infrastructure being used to facilitate the sending of spam.
suspicious	There are reasons to believe this address might be conducting malicious activity
bruteforce	Such addresses have been used to conduct bruteforce password checking on login pages
tor	The address has been spotted on the "tor" network
blocklist	This address has been included in a blocklist for unspecified reasons
high risk	Highly risky address
trustworthy	Denotes that a specific entity (usually an address) should be considered harmless in nature. Denotes that blocking an entity would result in mass collateral damage (e.g., Yahoo virtually-hosted services).