2. Analyzing IPs with MetaDefender Cloud

About

MetaDefender Cloud allows users to check IP addresses and domains for malicious behavior using many IP and domain reputation sources. This functionality makes it possible to identify threats like botnets or phishing sites that would not be found through scanning files when accessing content. By providing a standardized interface for the leading IP reputation sources, MetaDefender Cloud aggregates data on whether an IP, domain or URL address should be trusted.

The potential maliciousness of an IP address or domain can change frequently. To keep our results up-to-date and reduce false positives, we only save our results from the IP reputation sources for 15 days.

The scan result for each provider will follow this sample structure:

{
    "provider": "spamhaus.org",
    "assessment": "botnet",
    "detect_time": "2019-03-08T09:33:58.303966Z",
    "update_time": "2019-03-08T09:33:58.560775",
    "status": 1
}

Below are some additional explanations for the scan results we return for IP addresses and domains.

Status

There are three possible results for each of the sources listed below. MetaDefender Cloud will categorize anything as Blacklisted if it is reported as malicious by any of the sources. Our policy is to keep these up to 15 days in order to limit potential false positives.

See more details about our expiration policy in the Last Detected section.

0 - Whitelisted: The IP is listed by the source in their whitelist. Note: Not all sources provide whitelists.

1 - Blacklisted: The IP is listed by the source in their blacklist. Refer to the source for more information regarding their blacklist.

3 - Failed to scan: The results could not be retrieved from our servers.

5 - Unknown: The source has not listed this IP address in either their blacklist or whitelist.

Last Updated

Currently, MetaDefender Cloud's IP-Domain database is updated daily for each source, which is indicated in the "update_time" field of the results. However, this does not necessarily correspond directly with the source releasing their own list.

Last Detected

The "detect_time" indicates the last time an IP address was confirmed as belonging to a feed. There are two different types of feed (i.e., block-list or whitelist). One is reset with only active bad IPs and the other is accumulated with newly-found bad IPs.
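The following is an added example, not OPSWAT's own code, showing how a consumer of these results might combine the per-provider records described above into one verdict. It assumes only the documented structure (provider, assessment, detect_time, update_time, status), the documented status codes, the rule that a report of status 1 from any source makes the address Blacklisted, and the 15-day retention window (applied here to detect_time so that locally cached results age out the same way the service's do). The provider names other than spamhaus.org and all timestamps are constructed sample data.

```python
"""Aggregate MetaDefender Cloud-style IP reputation results (added example)."""
from datetime import datetime, timedelta, timezone

# Documented status codes for each source.
STATUS_WHITELISTED = 0
STATUS_BLACKLISTED = 1
STATUS_FAILED = 3
STATUS_UNKNOWN = 5

RETENTION = timedelta(days=15)  # documented retention window for detections

# Constructed sample: what one address might return from three providers.
# Only spamhaus.org appears on the page; the other names are placeholders.
SAMPLE_RESULTS = [
    {"provider": "spamhaus.org", "assessment": "botnet",
     "detect_time": "2019-03-08T09:33:58.303966Z",
     "update_time": "2019-03-08T09:33:58.560775", "status": 1},
    {"provider": "example-whitelist.test", "assessment": "trustworthy",
     "detect_time": "2019-03-01T00:00:00Z",
     "update_time": "2019-03-08T00:00:00", "status": 0},
    {"provider": "example-feed.test", "assessment": "",
     "detect_time": "", "update_time": "2019-03-08T00:00:00", "status": 3},
]


def parse_time(value):
    """Parse the timestamps in the results. The sample shows detect_time with
    a trailing 'Z' and update_time without one, so both are read as UTC.
    An empty value (e.g. on a failed lookup) yields None."""
    if not value:
        return None
    if value.endswith("Z"):
        value = value[:-1]
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def summarize(results, now_iso):
    """Combine per-provider records for one address into a verdict.

    verdict:     "Blacklisted" if any source reports status 1 and its
                 detect_time is within the 15-day window, else
                 "Whitelisted" if any source whitelists it, else "Unknown"
    assessments: distinct assessments behind a Blacklisted verdict
    stale:       providers whose detection is older than 15 days
    failed:      providers whose lookup could not be completed (status 3)
    """
    now = parse_time(now_iso)
    assessments = set()
    stale, failed = [], []
    whitelisted = False
    for record in results:
        status = record["status"]
        if status == STATUS_FAILED:
            failed.append(record["provider"])
        elif status == STATUS_WHITELISTED:
            whitelisted = True
        elif status == STATUS_BLACKLISTED:
            detected = parse_time(record["detect_time"])
            # A detection we cannot age is kept (blacklist wins); one older
            # than the retention window is reported as stale and ignored.
            if detected is not None and now - detected > RETENTION:
                stale.append(record["provider"])
                continue
            assessments.add(record["assessment"])
        # STATUS_UNKNOWN contributes nothing either way.
    if assessments:
        verdict = "Blacklisted"
    elif whitelisted:
        verdict = "Whitelisted"
    else:
        verdict = "Unknown"
    return {"verdict": verdict, "assessments": sorted(assessments),
            "stale": stale, "failed": failed}


if __name__ == "__main__":
    print(summarize(SAMPLE_RESULTS, "2019-03-10T00:00:00Z"))
    print(summarize(SAMPLE_RESULTS, "2019-04-10T00:00:00Z"))
```

Run two days after the sample detection the address is Blacklisted on the strength of the single botnet report; run a month later that report has aged out, is listed under stale, and the whitelist entry decides the verdict. The failed provider is surfaced separately so that a status 3 is never silently read as "clean".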

Assessment

MetaDefender Cloud utilizes the assessments below:

botnet

  • Typically a host used to control another host or malicious process.

  • Matching traffic would usually indicate infection.

  • Typically used to identify compromised hosts.

malware

  • Typically a host used to exploit and/or drop malware to a host for the first time.

  • Typically NOT a botnet controller (although they could overlap).

  • Communications with these indicators may lead to a compromise and then to a possible botnet controller communication (if the infection was successful).

  • Typically used in preemptive blocking, alerts may not indicate infection was successful.

phishing

  • A luring attempt at a victim to exfiltrate some sort of credential.

  • A targeted attempt at getting someone to unintentionally cause infection (spear phishing).

scanner

  • Typically infrastructure being used to scan or brute-force services (SSH, RDP, telnet, etc.).

spam

  • Typically infrastructure being used to facilitate the sending of spam.

suspicious

  • There are reasons to believe this address might be conducting malicious activity.

bruteforce

  • Such addresses have been used to conduct brute-force password checking on login pages.

tor

  • The address has been spotted on the Tor network.

blacklist

  • This address has been included in a blacklist for unspecified reasons.

high risk

  • Highly risky address.

trustworthy

  • Denotes that a specific entity (usually an address) should be considered harmless in nature.

  • Denotes that blocking an entity would result in mass collateral damage (e.g., Yahoo virtually-hosted services).