# PUP Domains Blocklist > Edit 2021/01/08: All mirrors' links have been updated. The main download link "curben.gitlab.io/malware-filter/" _is not affected_. A blocklist of domains that host potentially unwanted programs (PUP), based on the [malware-discoverer](https://github.com/zhouhanc/malware-discoverer). Blocklist is updated twice a day. There are multiple formats available, refer to the appropriate section according to the program used: - uBlock Origin (uBO) -> [URL-based](#url-based) section (recommended) - Pi-hole -> [Domain-based](#domain-based) or [Hosts-based](#hosts-based) section - AdGuard Home -> [Domain-based (AdGuard Home)](#domain-based-adguard-home) or [Hosts-based](#hosts-based) section - AdGuard browser extension -> [URL-based (AdGuard)](#url-based-adguard) - Vivaldi -> [URL-based (Vivaldi)](#url-based-vivaldi) - [Hosts](#hosts-based) - [Dnsmasq](#dnsmasq) - BIND -> BIND [zone](#bind) or [RPZ](#response-policy-zone) - [Unbound](#unbound) - [dnscrypt-proxy](#dnscrypt-proxy) - Internet Explorer -> [Tracking Protection List (IE)](#tracking-protection-list-ie) - [Snort2](#snort2) - [Snort3](#snort3) - [Suricata](#suricata) Not sure which format to choose? See [Compatibility](https://gitlab.com/curben/urlhaus-filter/wikis/compatibility) page. Check out my other filters: - [urlhaus-filter](https://gitlab.com/curben/urlhaus-filter) - [phishing-filter](https://gitlab.com/curben/phishing-filter) - [tracking-filter](https://gitlab.com/curben/tracking-filter) ## URL-based Import the following URL into uBO to subscribe: - https://curben.gitlab.io/malware-filter/pup-filter.txt _included by default in uBO >=[1.39.0](https://github.com/gorhill/uBlock/releases/tag/1.39.0); to enable, head to "Filter lists" tab, expand "Malware domains" section and tick "PUP URL Blocklist"._
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter.txt
## URL-based (AdGuard) Import the following URL into AdGuard browser extension to subscribe: - https://curben.gitlab.io/malware-filter/pup-filter-ag.txt
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter-ag.txt
## URL-based (Vivaldi) _Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"_ Import the following URL into Vivaldi's **Tracker Blocking Sources** to subscribe: - https://curben.gitlab.io/malware-filter/pup-filter-vivaldi.txt
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter-vivaldi.txt
## Domain-based This blocklist includes domains and IP addresses. - https://curben.gitlab.io/malware-filter/pup-filter-domains.txt
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter-domains.txt
## Domain-based (AdGuard Home) This AdGuard Home-compatible blocklist includes domains and IP addresses. - https://curben.gitlab.io/malware-filter/pup-filter-agh.txt
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter-agh.txt
## Hosts-based This blocklist includes domains only. - https://curben.gitlab.io/malware-filter/pup-filter-hosts.txt
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter-hosts.txt
## Dnsmasq This blocklist includes domains only. ### Install ``` # Create a new folder to store the blocklist mkdir -p /usr/local/etc/dnsmasq/ # Create a new cron job for daily update printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-dnsmasq.conf" -o "/usr/local/etc/dnsmasq/pup-filter-dnsmasq.conf"\n' > /etc/cron.daily/pup-filter # cron job requires execution permission chmod 755 /etc/cron.daily/pup-filter # Configure dnsmasq to use the blocklist printf "\nconf-file=/usr/local/etc/dnsmasq/pup-filter-dnsmasq.conf\n" >> /etc/dnsmasq.conf ``` - https://curben.gitlab.io/malware-filter/pup-filter-dnsmasq.conf
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter-dnsmasq.conf
## BIND This blocklist includes domains only. ### Install ``` # Create a new folder to store the blocklist mkdir -p /usr/local/etc/bind/ # Create a new cron job for daily update printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-bind.conf" -o "/usr/local/etc/bind/pup-filter-bind.conf"\n' > /etc/cron.daily/pup-filter # cron job requires execution permission chmod 755 /etc/cron.daily/pup-filter # Configure BIND to use the blocklist printf '\ninclude "/usr/local/etc/bind/pup-filter-bind.conf";\n' >> /etc/bind/named.conf ``` Add this to "/etc/bind/null.zone.file" (skip this step if the file already exists): ``` $TTL 86400 ; one day @ IN SOA ns.nullzone.loc. ns.nullzone.loc. ( 2017102203 28800 7200 864000 86400 ) NS ns.nullzone.loc. A 0.0.0.0 @ IN A 0.0.0.0 * IN A 0.0.0.0 ``` Zone file is derived from [here](https://github.com/tomzuu/blacklist-named/blob/master/null.zone.file). - https://curben.gitlab.io/malware-filter/pup-filter-bind.conf
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter-bind.conf
## Response Policy Zone This blocklist includes domains only. - https://curben.gitlab.io/malware-filter/pup-filter-rpz.conf
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter-rpz.conf
## Unbound This blocklist includes domains only. ### Install ``` # Create a new folder to store the blocklist mkdir -p /usr/local/etc/unbound/ # Create a new cron job for daily update printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-unbound.conf" -o "/usr/local/etc/unbound/pup-filter-unbound.conf"\n' > /etc/cron.daily/pup-filter # cron job requires execution permission chmod 755 /etc/cron.daily/pup-filter # Configure Unbound to use the blocklist printf '\n include: "/usr/local/etc/unbound/pup-filter-unbound.conf"\n' >> /etc/unbound/unbound.conf ``` - https://curben.gitlab.io/malware-filter/pup-filter-unbound.conf
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter-unbound.conf
## dnscrypt-proxy ### Install ``` # Create a new folder to store the blocklist mkdir -p /etc/dnscrypt-proxy/ # Create a new cron job for daily update printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-dnscrypt-blocked-names.txt" -o "/etc/dnscrypt-proxy/pup-filter-dnscrypt-blocked-names.txt"\n' > /etc/cron.daily/pup-filter # cron job requires execution permission chmod 755 /etc/cron.daily/pup-filter ``` Configure dnscrypt-proxy to use the blocklist: ``` diff [blocked_names] + blocked_names_file = '/etc/dnscrypt-proxy/pup-filter-dnscrypt-blocked-names.txt' ``` - https://curben.gitlab.io/malware-filter/pup-filter-dnscrypt-blocked-names.txt
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter-dnscrypt-blocked-names.txt
## Tracking Protection List (IE) This blocklist includes domains only. - https://curben.gitlab.io/malware-filter/pup-filter.tpl
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter.tpl
## Snort2 This ruleset includes online URLs only. Not compatible with [Snort3](#snort3). ### Install ``` # Download ruleset curl -L "https://curben.gitlab.io/malware-filter/pup-filter-snort2.rules" -o "/etc/snort/rules/pup-filter-snort2.rules" # Create a new cron job for daily update printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-snort2.rules" -o "/etc/snort/rules/pup-filter-snort2.rules"\n' > /etc/cron.daily/pup-filter # cron job requires execution permission chmod 755 /etc/cron.daily/pup-filter # Configure Snort to use the ruleset printf "\ninclude \$RULE_PATH/pup-filter-snort2.rules\n" >> /etc/snort/snort.conf ``` - https://curben.gitlab.io/malware-filter/pup-filter-snort2.rules
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter-snort2.rules
## Snort3 This ruleset includes online URLs only. Not compatible with [Snort2](#snort2). ### Install ``` # Download ruleset curl -L "https://curben.gitlab.io/malware-filter/pup-filter-snort3.rules" -o "/etc/snort/rules/pup-filter-snort3.rules" # Create a new cron job for daily update printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-snort3.rules" -o "/etc/snort/rules/pup-filter-snort3.rules"\n' > /etc/cron.daily/pup-filter # cron job requires execution permission chmod 755 /etc/cron.daily/pup-filter ``` Configure Snort to use the ruleset: ``` diff # /etc/snort/snort.lua ips = { variables = default_variables, + include = 'rules/pup-filter-snort3.rules' } ``` - https://curben.gitlab.io/malware-filter/pup-filter-snort3.rules
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter-snort3.rules
## Suricata This ruleset includes online URLs only. ### Install ``` # Download ruleset curl -L "https://curben.gitlab.io/malware-filter/pup-filter-suricata.rules" -o "/etc/suricata/rules/pup-filter-suricata.rules" # Create a new cron job for daily update printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-suricata.rules" -o "/etc/suricata/rules/pup-filter-suricata.rules"\n' > /etc/cron.daily/pup-filter # cron job requires execution permission chmod 755 /etc/cron.daily/pup-filter ``` Configure Suricata to use the ruleset: ``` diff # /etc/suricata/suricata.yaml rule-files: - local.rules + - pup-filter-suricata.rules ``` - https://curben.gitlab.io/malware-filter/pup-filter-suricata.rules
Mirrors - https://curben.gitlab.io/pup-filter/pup-filter-suricata.rules
## Issues This blocklist operates by blocking the **whole** website, popular websites are excluded from the filters. *Popular* websites are as listed in the [Umbrella Popularity List](https://s3-us-west-1.amazonaws.com/umbrella-static/index.html) (top 1M domains + subdomains), [Tranco List](https://tranco-list.eu/) (top 1M domains) and this [custom list](src/exclude.txt). If you wish to exclude certain website(s) that you believe is sufficiently well-known, please create an [issue](https://gitlab.com/curben/pup-filter/issues) or [merge request](https://gitlab.com/curben/pup-filter/merge_requests). This blocklist **only** accepts new malicious URLs from [malware-discoverer](https://github.com/zhouhanc/malware-discoverer). ## Cloning Since the filter is updated frequently, cloning the repo would become slower over time as the revision grows. Use shallow clone to get the recent revisions only. Getting the last five revisions should be sufficient for a valid MR. `git clone --depth 5 https://gitlab.com/curben/pup-filter.git` ## License [src/](src/): [CC0](LICENSE.md) filters: Derived from [malware-discoverer](https://github.com/zhouhanc/malware-discoverer) with [Zhouhan Chen](https://zhouhanc.com/)'s permission [malware-discoverer](https://github.com/zhouhanc/malware-discoverer): All rights reserved by [Zhouhan Chen](https://zhouhanc.com/) [Tranco List](https://tranco-list.eu/): MIT License [Umbrella Popularity List](https://s3-us-west-1.amazonaws.com/umbrella-static/index.html): Available free of charge by Cisco Umbrella