URL classified as Malware but not sinkholed

L2 Linker




Quick question for a specific URL (cia.toh.info). This URL is classified as malware in PAN-DB but doesn't show up in the AV release notes as a malware site, so it doesn't get sinkholed when we do a DNS lookup for that URL. We've noticed other URLs exhibiting the same behavior.


Has anyone else seen this? Is there a disconnect between the PAN-DB classification and the AV (sinkhole) database?



L7 Applicator

Re: URL classified as Malware but not sinkholed

Hi @epeeler


These two sources aren't completely in sync. This domain was sinkholed with a WF update from 20160505. Some time after that the domain was removed from the DNS signatures. This needs to be done over time, when it is "safe" to remove it. The list of DNS signatures would simply be too big for the firewalls to handle if it contained ALL malware domains from PAN-DB. For the DNS signatures there is no cloud lookup like there is with PAN-DB.

@reaper: Do you agree?
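As an added example (not from the original thread or from Palo Alto Networks), a small Python check that resolves each suspect domain through the firewall-fronted resolver and reports whether the answer is the configured sinkhole address, so the PAN-DB-flagged domains that the DNS signature set no longer catches stand out. The sinkhole IP, the resolver hook and the domain list are assumptions or constructed input.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Assumed sinkhole address: replace with the IPv4 configured under the
# Anti-Spyware profile's DNS Sinkhole settings on your own firewall.
SINKHOLE_IPS = {"203.0.113.1"}  # placeholder (TEST-NET-3), not a real sinkhole

# A resolver returns the A records for a name, or None when there is no answer.
Resolver = Callable[[str], Optional[List[str]]]


def system_resolver(name: str) -> Optional[List[str]]:
    """Resolve via the host's DNS settings, which should sit behind the firewall."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return None  # NXDOMAIN / SERVFAIL / no answer


def classify(domain: str, resolve: Resolver, sinkhole_ips=SINKHOLE_IPS) -> str:
    """Return 'sinkholed', 'resolved' or 'nxdomain' for one domain."""
    answers = resolve(domain)
    if not answers:
        return "nxdomain"
    if any(ip in sinkhole_ips for ip in answers):
        return "sinkholed"
    return "resolved"  # answered with a real address: not covered by DNS signatures


def find_unsinkholed(domains: Iterable[str], resolve: Resolver = system_resolver,
                     sinkhole_ips=SINKHOLE_IPS) -> Dict[str, str]:
    """Map each domain to its status; 'resolved' entries are the gap between
    the PAN-DB malware category and the DNS signature (sinkhole) set."""
    return {d: classify(d, resolve, sinkhole_ips) for d in domains}


if __name__ == "__main__":
    # Constructed input: domains you believe PAN-DB classifies as malware.
    suspects = ["cia.toh.info"]
    for domain, status in find_unsinkholed(suspects).items():
        print(f"{domain}: {status}")
```

Run it from a host whose DNS path passes through the firewall; any domain reported as "resolved" is a candidate for a custom sinkhole entry or a support case.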



