All the answers to your questions can be found in our frequently asked questions. If you cannot find the answer to your question on this webpage, you can contact us.

How to contact you?

@ : SlPaAbMs@crdf.fr (remove all capital letters)
PGP Keys : https://pgp.crdf.fr/

What is the CRDF Threat Center?

The CRDF Threat Center is a service published by the independent French laboratory CRDF Labs. This service detects malicious URLs that violate our detection criteria and integrates these URLs into our databases to combat cybercrime.

CRDF Labs develops its own detection systems, sharing with others our threat intelligence data and technologies to fight and detect security risks. CRDF Labs is a nonprofit laboratory, independent and completely transparent to its users.

How do you detect malicious URLs?

The CRDF Labs laboratory has its own R&D and its own detection and analysis tools. The CRDF Threat Center is a demonstration of our unique know-how in the detection of security risks on the Internet.

These technologies are based on our old Blockulicious, Blockulicious DNS and CRDF Sandbox products.

Why are URLs censored on your homepage?

We do not want anyone to be infected through this homepage, which is accessible to everyone. We prefer that anyone interested in our databases come forward and contact us to discuss possible access to the CRDF Threat Center's private area.

Do you sell your technologies?

No. The CRDF Threat Center is a non-commercial project and our internal technologies are not for sale.

Under what license is your database distributed?

If you wish to use our services or our database, you must comply with this license and our terms of use (ToS).

Why is my website in your database?

If your website is contained in our database, our systems have found a violation of our detection criteria. To be removed from our database, please bring your website into compliance with these criteria and make a false positive statement. CRDF Labs never indicates exactly why a URL is included in our database.

Can you tell me exactly which detection criteria my website does not respect?

No, sorry. CRDF Labs never gives more information about a website considered contrary to our detection criteria. CRDF Labs is not intended to provide any evidence that a website is against our detection criteria. The purpose of CRDF Labs is to protect its users against the security risks associated with browsing the Internet.

Why does your false positive reporting system tell me that the URL is not contained in your databases?

If our system tells you that the URL is not contained in our database, then your website is not in our database and is not blacklisted. There is no need to contact us to ask for information; we would have nothing more to communicate to you.

I made a false positive statement and your system tells me that the offending URL has been removed, yet I still see it on VirusTotal. Is this normal?

This is perfectly normal. It can take several hours for the removal to propagate and synchronize with VirusTotal. It is not necessary to contact us to report this error. Everything is automatic and the process will automatically delete the detection on VirusTotal at the next occurrence.

If the detection is still shown after several hours, consider refreshing the report when scanning the URL on VirusTotal.

To update the report on VirusTotal, please click on this icon:

How to get access to the private part?

All data accessible on the private part of the CRDF Threat Center are classified: TLP:AMBER

What is the purpose of accessing this private database?

The private part of the CRDF Threat Center gives you unlimited access to malicious samples and malicious URLs. Without this access, you cannot get our entire database. If you want to obtain our threat intelligence, we recommend that you request private access.

How to formulate my request?

If you wish to have access to our database, please contact us by answering the following questions:

- Who are you?
- What are you looking for?
- What are your motivations?
- How are you going to use our data?
- What is your company?
- Will you exchange data with us (threat intelligence)?
- Are you a computer security professional?
- Will you use our threat intelligence commercially in your company?
- How will you integrate our data into your project?
- What is the value of our feed in your project?
- Can you send a sample of your threat intelligence that we can integrate into our feed in return for private access?

With your request, please send us an example of the data you wish to exchange with CRDF Labs. For example, you can send us a sample of 100 URLs / samples so that we can study them.

You must understand that CRDF Labs is a completely non-commercial project and that a partnership allows us to develop on our side by exchanging data with you and vice versa. Without the exchange of data, we cannot exist.

We will study your request and we will get back to you shortly.

Required conditions:
- do not use our database in a commercial context
- do not share data from the private part without authorization
- exchange data or threat intelligence with us on a regular basis

How to send us your request?

To send us your request, please contact us:

@ : SlPaAbMs@crdf.fr (remove all capital letters)
PGP Keys : https://pgp.crdf.fr/

Do your services have products that block websites?

No. We no longer have any products that allow us to block malicious sites in our database. Only users / companies using our database will block websites that we report as not meeting our detection criteria.

Where are you based?

We are French and we are based in Paris. We are not a company but an independent laboratory without any legal status.

The captcha on your forms is not showing and tells me it is blocked. Why?

If our captcha is not displayed and tells you that your IP address is suspicious, it means that you are using a VPN, a proxy, an IP address of a non-private Internet connection, an anonymized Internet connection, etc. If you want the captcha to appear, you must deactivate your VPN, proxy or anonymization system.

We no longer whitelist IP addresses except in specific cases. Please contact us only if you are a regular user of our systems. In all cases, and for simplicity, we invite you to use our API, which lets you submit easily and without this restriction.

I would like free access to your entire database, is it possible?

Yes, it is possible as long as you respect our license of use, use the database non-commercially, and share threat intelligence data with us.

Classification of malicious URLs

* Phishing: URL: this web address is recognized by our engines as a phishing address
* Malware: URL: this address is recognized by our engines as an address distributing malware (exe, dll, dmg, etc.)
* Malicious: URL: this address is recognized by our engines as an address that does not comply with our detection criteria
* Suspect: URL: this address is recognized by our engines as a suspicious address and is probably an infection source / does not meet our detection criteria

Are malicious domain names deleted from your databases?

Yes, we have an automatic system that ensures the overall consistency of the database. A website that meets our new detection criteria will be automatically removed from the database after a certain period of time. This time is random and we cannot guarantee that your site will be deleted. Please refer to the false positive statement.

How can I stop a domain name from being added to your database?

If your domain name is often added to our database, you can ask to be added to our whitelist. To do this, you must contact us.

However, your site must comply with the following to be added:

- have been detected more than twice and two false positive procedures completed / processed
- be a site with a large audience

Can you provide evidence of non-compliance with your detection criteria?

CRDF Labs is under no obligation to provide evidence of non-compliance with our detection criteria. The service is provided as is, without warranty, and is non-commercial. CRDF Labs is completely independent, and when we add a site to our database, it is not blocked anywhere, and the listing cannot be harmful in the way that antivirus detections or Google Safe Browsing blocks can be, for example. We will provide evidence in specific cases and within a legal framework governed by French law.

How to use the free feed?

The Free Feed allows you to download our hashed database to verify whether a domain name is included in our database. You should not use our feed for commercial use. By using this feed, you agree to accept our legal notice and conditions of use.

We hash each domain name with SHA-256 to prevent theft of our data. If you wish to obtain our database without this constraint, you can contact us to obtain access to the private part of the CRDF Threat Center.

This feed is updated every 3 days. There is therefore no need to download it 20 times a day. We will block malicious behavior that does not follow these rules.

Each domain name is hashed with sha256, and each line corresponds to one domain name without the www.

On your side, you must process this file to make it usable. With this hash system, you can, for example, search for a domain name in our database: compute hashA = sha256 (the domain name to search for), then search each line of the file for hashA. If hashA is contained in the file, then the domain name is in our database. If it is no longer contained or not contained, then it is not in our database.

Example of use of our database:

The hashes correspond to the sha256 of domain names. Example: sha256 (www.crdf.fr) = sha256 (crdf.fr) = 05deeefd3ed03fe034b55100256306dad3ceaecd51ea8a58c6b253a43a96d7e3 (You must delete the "www." in the domain name.).
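The lookup described above, as an added example that is not CRDF Labs' own code. It assumes the feed is a text file with one lowercase hexadecimal SHA-256 digest per line and that each digest is computed over the UTF-8 bytes of the lowercase domain name; the feed contents and the `.example` domains are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit


def normalize_domain(value: str) -> str:
    """Reduce a URL or host name to the form the feed hashes: host only, no leading 'www.'."""
    value = value.strip()
    # urlsplit only fills .hostname when the input has a scheme or starts with '//'.
    host = urlsplit(value if "//" in value else "//" + value).hostname or ""
    host = host.rstrip(".").lower()  # assumption: the feed hashes lowercase names
    if host.startswith("www."):
        host = host[4:]
    return host


def domain_hash(value: str) -> str:
    # Assumption: SHA-256 over the UTF-8 bytes of the name, lowercase hex digest.
    return hashlib.sha256(normalize_domain(value).encode("utf-8")).hexdigest()


def load_feed(lines) -> frozenset:
    """Build a lookup set from feed lines, skipping anything that is not a 64-char hex digest."""
    hashes = set()
    for line in lines:
        token = line.strip().lower()
        if len(token) == 64 and all(c in "0123456789abcdef" for c in token):
            hashes.add(token)
    return frozenset(hashes)


def is_listed(value: str, feed: frozenset) -> bool:
    """Exact-match lookup: a subdomain is not listed unless its own hash is in the feed."""
    host = normalize_domain(value)
    return bool(host) and domain_hash(host) in feed


# Constructed feed: two valid digests (one upper-case with CRLF) plus junk lines.
SAMPLE_FEED = load_feed([
    hashlib.sha256(b"bad.example").hexdigest(),
    hashlib.sha256(b"phish.example").hexdigest().upper() + "\r\n",
    "# comment or truncated line",
    "",
])

if __name__ == "__main__":
    for candidate in ("http://www.bad.example/login", "PHISH.example.",
                      "good.example", "sub.bad.example"):
        print(candidate, is_listed(candidate, SAMPLE_FEED))
```

Before relying on the encoding assumptions, compare `domain_hash("www.crdf.fr")` with the value given above for crdf.fr. Load the feed once into the set and reuse it, since the file only changes every 3 days.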





Can you help us finance your laboratory?

Thank you for your help and your desire to help us. Unfortunately, CRDF Labs is a completely independent laboratory that operates entirely for non-commercial purposes.

If we agree to be funded by different organizations or individuals, we will no longer be independent. CRDF Labs is 100% self-funded and we want to stay in this format for the time being.

We are therefore sorry but cannot accept your help.

Why did I not receive a response to my emails?

If you have not received a response to your email, you probably did not follow the procedure indicated for declaring a false positive or for declaring an error in the treatment of your false positive, or you did not follow another specific procedure. These procedures allow us to deal with the many requests that we constantly receive.

Please follow the procedure and contact us if you have a problem with this procedure.

What antivirus engines do you use?

For our static analyses, we use the following engines:

- Avast (thank you very much to them, we like this engine very much)
- Dr.Web
- ClamAV
- Ikarus (thank you very much to them)

The Avast and Ikarus engines are provided to us free of charge as part of a partnership between each publisher and CRDF Labs. Thank you very much to them for their trust.

From which IP addresses do you scan the Internet network?

For security reasons, we cannot disclose the outbound IP addresses of our scanning tools. Malicious individuals could block our IP addresses to prevent us from scanning their infrastructures.

What is the forensic tool?

The CRDF Threat Center Forensic tool allows you to search for markers (IoCs) corresponding to infections. This system allows you to view the data associated with an IP address or a domain name over time. Thus, the system is able to correlate all the data.

It allows you to search for the following indicators:
- domain names
- IP addresses

Each marker is analyzed several times by our system and it is able to give you an overview over time of a given marker.

The data that we save (not exhaustive):

- associated IP addresses
- Headers
- NS
- MX
- Open TCP / UDP ports
- Reverse DNS
- Malicious activity
- Evolution of the marker
- IP and related domain names

A search engine allows you to search our databases for specific markers and also in data (IP addresses, specific threats, etc.).

Some screenshots of the service: