FAQ

All the answers to your questions can be found in our frequently asked questions. If you cannot find the answer to your question on this page, you can contact us.

What is the CRDF Threat Center?


The CRDF Threat Center is a service published by the independent French laboratory CRDF Labs. This service detects malicious URLs that violate our detection criteria and integrates these URLs into our databases to combat cybercrime.

CRDF Labs develops its own detection systems, sharing with others our threat intelligence data and technologies to fight and detect security risks. CRDF Labs is a nonprofit laboratory, independent and completely transparent to its users.

How do you detect malicious URLs?


The CRDF Labs laboratory has its own R&D and its own detection and analysis tools. The CRDF Threat Center is a demonstration of our unique know-how in detecting security risks on the Internet.

These technologies are based on our old Blockulicious, Blockulicious DNS and CRDF Sandbox products.

Why are URLs censored on your homepage?


We do not want anyone to be infected via a homepage that is accessible to everyone. We prefer that someone interested in our databases come forward and contact us to discuss possible access to the CRDF Threat Center's private area.

Do you sell your technologies?


No. The CRDF Threat Center is a non-commercial project and our internal technologies are not for sale.

Your database is distributed under what license?


If you wish to use our services or our database, you must comply with this license and our terms of use (ToS).

Why is my website in your database?


If your website is contained in our database, our systems have found a violation of our detection criteria. To be removed from our database, please bring your website into compliance with the criteria and then submit a false positive report. CRDF Labs never indicates exactly why a URL is included in our database.

Can you tell me exactly which detection criteria my website does not respect?


No, sorry. CRDF Labs never gives more information about a website considered contrary to our detection criteria. CRDF Labs is not intended to provide any evidence that a website is against our detection criteria. The purpose of CRDF Labs is to protect its users against security risks associated with a browser over the Internet.

You should understand that CRDF Labs is a non-commercial and voluntary project. As such, we do not wish to respond to these requests for reasons of efficiency. Indeed, it would be impossible for our services to give a personalised answer to all the people who contact us.

If you contact us for a specific reason, you will not receive a reply from us. Please take this into consideration before contacting us.

Why does your false positive reporting system tell me that the URL is not contained in our databases?


If our system tells you that the URL is not contained in our database, your website is not contained in our database and your website is not blacklisted. No need to contact us to ask for information, we would have nothing more to communicate to you.

I made a false positive statement and your system tells me that the offending URL has been removed, and yet I still see it on VirusTotal. Is it normal?


This is perfectly normal. Propagation to VirusTotal can take several hours. It is not necessary to contact us to report this. Everything is automatic, and the process will remove the detection on VirusTotal at the next synchronization.

If the detection is still present after several hours, refresh the report by rescanning the URL on VirusTotal.

To update the report on VirusTotal, please click on this icon:


How to get access to the private part?


All data accessible on the private part of the CRDF Threat Center are classified: TLP:AMBER+STRICT

What is the purpose of accessing this private database?

In the private area of the CRDF Threat Center, you will get unlimited and unconstrained access to our Threat Intelligence. Without this access, you will not have full access to our Threat Intelligence.

In particular, you will have access to:

- the complete and incremental database of our malicious URLs
- access to all our malware samples
- complete database of domain names/IP addresses we have analyzed (from our forensic tool)

How to formulate my request?

If you wish to have access to our database, please contact us by answering the following questions:

- who are you?
- what are you looking for?
- what are your motivations?
- how are you going to use our data?
- what is your company?
- will you exchange data with us (threat intelligence)?
- are you a computer security professional?
- will you use our threat intelligence commercially in your company?
- how will you integrate our data into your project?
- what is the value of our feed in your project?
- can you send a sample of your threat intelligence that we can integrate into our feed in return for private access?

With your request, please send us an example of the data you wish to exchange with CRDF Labs. For example, you can send us a sample of 100 URLs / samples so that we can study them.

You must understand that CRDF Labs is a completely non-commercial project and that a partnership allows us to develop on our side by exchanging data with you and vice versa. Without the exchange of data, we cannot exist.

We will study your request and we will get back to you shortly.

Required conditions:
- no use of our database in a commercial context
- no sharing of data from the private area without authorization
- regular exchange of data or threat intelligence with us

If you cannot exchange threat intelligence data with us, we can come to an agreement.

In all cases, we require a confidentiality agreement (NDA) to be signed to protect our data and the information it contains.
We no longer give access to our data without this signed agreement, which allows us to guarantee the confidentiality of the data exchanged.

In addition to this confidentiality agreement, we perform a background check to ensure that you meet the CRDF Labs validation criteria.

How to send us your request?

To send us your request, please contact us:



@ : [email protected] (remove all capital letters)
PGP Keys : https://pgp.crdf.fr/

Do your services have products that block websites?


No. We no longer have any products that allow us to block malicious sites in our database. Only users / companies using our database will block websites that we report as not meeting our detection criteria.

Where are you based?


We are French and we are based in Paris. We are not a company but an independent laboratory and without any legal status.

The captcha on your forms is not showing and tells me it is blocked. Why ?


If our captcha tells you that your IP address is suspicious and does not display, it means that you are using a VPN, a proxy, an anonymized Internet connection, or an IP address that does not belong to a private Internet connection. If you want the captcha to appear, you must deactivate your VPN, proxy or anonymization system.

We no longer whitelist IP addresses except in very specific cases. Please contact us only if you are a regular user of our systems. In all cases, and for simplicity, we invite you to use our API, which lets you submit without this restriction.

I would like free access to your entire database, is it possible?


Yes, it is possible as long as you respect our license of use, use the data non-commercially, and share threat intelligence data with us.

Classification of malicious URLs


* Phishing:URL: this web address is recognized by our engines as a phishing address
* Malware:URL: this address is recognized by our engines as distributing malware (exe, dll, dmg, etc.)
* Malicious:URL: this address is recognized by our engines as being in conflict with our detection criteria
* Suspect:URL: this address is recognized by our engines as suspicious; it is probably an infection source and/or does not meet our detection criteria
* GPDR/Law:URL: this website or company does not comply with current law regarding the GDPR (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_fr). We have the evidence needed to demonstrate non-compliance with this European law.

Are malicious domain names deleted from your databases?


Yes, we have an automatic system that ensures the overall consistency of the database. A website that once again meets our detection criteria will be automatically removed from the database after a certain period of time. This period is random, and we cannot guarantee that your site will be removed this way. Please refer to the false positive report procedure instead.

How do I get whitelisted and never get into the CRDF Threat Center again?


WARNING: this procedure does not allow you to have CRDF Labs remove your website from our databases. This PROCEDURE ONLY allows you to request that your domain name be added to our system so that it is never added again. If you wish to report a false positive and have your website removed from our database, please go to the appropriate procedure accessible from the CRDF Threat Center.

CRDF Labs' analysis systems include a whitelist of domain names that are considered safe and are automatically ignored by our engines.

We can only whitelist one or more domain names. We cannot recognize a specific marker other than a domain name and/or IP address.

If you want to be added to our whitelist, you must meet the following conditions:

- be a site with a large audience and/or recognized in your field of activity
- demonstrate that your activity does not violate our detection criteria (if you have been added to our database, there is a reason)
- have completed three (*3*) false positive requests through our removal process

If you meet these criteria, you can contact us and request to be added to our whitelist. Don't forget to demonstrate that your activity is legitimate according to our detection criteria.

Can you provide evidence of non-compliance with your detection criteria?


CRDF Labs is under no obligation to provide evidence of non-compliance with our detection criteria. The service is provided as is, without warranty, and is non-commercial. CRDF Labs is completely independent: when we add a site to our database, it is not blocked anywhere, so the listing cannot cause harm in the way an antivirus detection or a Google Safe Browsing block can. We will provide evidence in specific cases and within a legal framework governed by French law.

How to use the free feed?


The Free Feed allows you to download our hashed database to verify that a domain name is included in our database. You should not use our feed for commercial use. By using this feed, you agree to accept our legal notice and conditions of use.

We apply SHA-256 to each domain name to prevent theft of our data. If you wish to obtain our database without this constraint, you can contact us to obtain access to the private part of the CRDF Threat Center.

This feed is updated every 15 days, so there is no need to download it 20 times a day. We will block abusive behaviour that does not follow these rules.

Each domain name is hashed with sha256, and each line corresponds to one domain name, without the leading "www.".

On your side, you must process this file to make it usable. With this hash system you can, for example, check whether a domain name is in our database: compute hashA = sha256(the domain name to search for), then look for hashA among the lines of the file. If it is contained in the file, the domain is in our database; if it is not (or no longer) contained, the domain is not in our database.

Example of use of our database:

The hashes correspond to the sha256 of domain names. Example: sha256 (www.crdf.fr) = sha256 (crdf.fr) = 05deeefd3ed03fe034b55100256306dad3ceaecd51ea8a58c6b253a43a96d7e3 (You must delete the "www." in the domain name.).


Example input (domain names and an IP address, one per line):

jojoquiasa.com
crdf.fr
perdu.com
86.182.199.11

Corresponding feed lines (the sha256 of each entry above, in the same order):

7df5d3bd3df94fc02729244067e602a8d37231f536f7509bcd1a5b11a3a3c30d
05deeefd3ed03fe034b55100256306dad3ceaecd51ea8a58c6b253a43a96d7e3
0b197971847d0eb5516e1d956ebcd6584310b1462145192dc7f41287b1101b34
10f41ccba3df9ae5199fc02256cfdb98d9ed26a465ab4545afedaa57303aa272
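The lookup described above, as an added example that is not CRDF Labs' own code. It assumes the feed is a text file with one lowercase hex SHA-256 digest per line, as shown on this page, and that the only normalisation before hashing is dropping a leading "www."; lower-casing and removing a trailing dot are added here because DNS names are case-insensitive, and the handling of other subdomains or non-ASCII names is not stated on the page, so they are hashed as given. The sample feed (`SAMPLE_LISTED`, `SAMPLE_FEED_TEXT`) is constructed for the example, and the helper names are this example's own. It goes slightly beyond the page in that it also accepts full URLs and rejects feed lines that are not digests, so a truncated download is noticed rather than producing silent misses.

```python
"""Check hosts against the CRDF free feed of SHA-256-hashed domain names.

Added example, not CRDF Labs code. Assumptions: one lowercase hex SHA-256
digest per feed line; the only documented normalisation is removing a leading
"www."; other subdomains and non-ASCII names are hashed as given.
"""
import hashlib
from urllib.parse import urlsplit

HEX_DIGITS = frozenset("0123456789abcdef")


def normalize_domain(host: str) -> str:
    """Apply the feed's documented normalisation: drop a leading "www."."""
    host = host.strip().lower().rstrip(".")  # DNS names are case-insensitive
    if host.startswith("www."):
        host = host[len("www."):]
    return host


def host_from_url(target: str) -> str:
    """Return the hostname of a URL; a bare hostname or IP is accepted too."""
    if "://" not in target:
        target = "http://" + target  # urlsplit needs a scheme to find the host
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no host found in {target!r}")
    return host


def domain_hash(host: str) -> str:
    """SHA-256 hex digest of the normalised name, the form used by feed lines."""
    return hashlib.sha256(normalize_domain(host).encode("utf-8")).hexdigest()


def parse_feed(text: str) -> frozenset:
    """Load feed lines into a set for O(1) membership tests.

    Anything that is not a 64-character hex digest raises, so a truncated or
    HTML-wrapped download fails loudly instead of silently causing misses.
    """
    digests = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip().lower()
        if not line:
            continue
        if len(line) != 64 or not HEX_DIGITS.issuperset(line):
            raise ValueError(f"feed line {lineno} is not a SHA-256 digest: {line[:16]!r}")
        digests.add(line)
    return frozenset(digests)


def is_listed(target: str, feed: frozenset) -> bool:
    """True if the domain (or IP) behind a URL or hostname is in the feed."""
    return domain_hash(host_from_url(target)) in feed


# Constructed sample feed: digests of two made-up entries (a domain and an IP
# from the documentation range), built the same way the real feed lines are.
SAMPLE_LISTED = ["bad-example.test", "203.0.113.7"]
SAMPLE_FEED_TEXT = "\n".join(domain_hash(entry) for entry in SAMPLE_LISTED) + "\n"

if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED_TEXT)
    for target in ("https://www.bad-example.test/login", "BAD-EXAMPLE.TEST.",
                   "http://203.0.113.7:8080/x", "example.org"):
        print(f"{target:36} listed={is_listed(target, feed)}")
```

Since the feed is refreshed every 15 days, keep the downloaded file on disk and re-download it only after that interval; the set built by `parse_feed` can be reused for every lookup in between.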

Can you help us finance your laboratory?


CRDF Labs is entirely self-financed in order to maintain its independence. However, our self-hosted infrastructure costs us in energy and hardware.

If you would like to make a donation, you can click on the "Donate" button. You can also contact us to find a way to fund us or even encourage us :).

Thank you for your help.

Why did I not receive a response to my emails?


If you have not received a response to your email, you most likely did not follow the procedure for declaring a false positive, for reporting an error in the handling of your false positive, or another specific procedure. These procedures allow us to deal with the many requests we constantly receive.

Please follow the procedure and contact us if you have a problem with this procedure.

What antiviral engines do you use?


For our static analyses, we use the following engines:

- Avast (thank you very much to them, we like this engine very much)
- Dr.Web
- ClamAV
- Ikarus (thank you very much to them)

The Avast and Ikarus engines are provided to us free of charge as part of a partnership between each publisher and CRDF Labs. Thank you very much to them for their trust.

From which IP addresses do you scan the Internet network?


We cannot clearly tell you our output IP addresses from our scanning tools for security reasons. Indeed, malicious individuals could block our IP addresses to prevent us from scanning their infrastructures.

What is the forensic tool?


The CRDF Threat Center Forensic allows you to search for markers (IoCs) corresponding to infections. This system allows you to view the data associated with an IP address or a domain name over time. Thus, the system will be able to correlate all the data.

It allows you to search for the following indicators:
- domain names
- IP addresses

Each marker is analyzed several times by our system and it is able to give you an overview over time of a given marker.

The data that we save (not exhaustive):

- associated IP addresses
- Headers
- NS
- MX
- Open TCP / UDP ports
- Reverse DNS
- DNSBL
- Malicious activity
- Evolution of the marker
- IP and related domain names

A search engine allows you to search our databases for specific markers and also in data (IP addresses, specific threats, etc.).

Some screenshots of the service:







I am a service provider who receives your abuse reports. How to stop these alerts?


To stop these alerts, you can click on this link indicated in our emails which will allow you to block all future alerts.

If you host services that share the same IP address (VPN, proxy, various services, etc.), it is your responsibility to secure these accesses. CRDF Labs does not flag illegal activity without reason, and we will not be able to remove you from our databases.

You are impacting my business with your company because you consider us malicious. Is it possible ?


This argument is totally false. We cannot impact your business with our detection because we are not blocking anything.

With antivirus products, customers cannot access detected malicious websites. We, on the other hand, do not carry out any blocking: the CRDF Threat Center is simply a directory.

This argument is therefore totally false. Your business cannot be impacted by our services.

How to increase the limitation imposed by the API?


To increase the limitations imposed by your API key, you must contact us with a precise description of your needs.

After study, we will come back to you to give you our decision.

I received an email after a false positive request asking me for more information. How can I provide it?


After a false positive request via our form, you may be contacted by our experts to ask you for information and to clarify certain things.

This is the email you should have received:


Hello,

False Positive Reference #XXXXXXXXXXXXXXX

At your request, CRDF Labs conducted a new analysis of the domain name "domain.com".

We regret to inform you that we cannot remove your domain name from our database, since it corresponds to a malicious website (in accordance with our criteria for the detection and characterization of malicious websites).

Please refer to the following page in our Knowledge Base for our detection criteria: https://threatcenter.crdf.fr/criteria.html.
Please note that we take false positive claims very seriously and take every measure to respond favourably to your request.

///////
WARNING
///////

PLEASE READ THE INFORMATION BELOW CAREFULLY. IT EXPLAINS WHAT TO DO IF YOU DO NOT AGREE WITH OUR DECISION.
PLEASE DO NOT CONTACT US WITHOUT FOLLOWING THIS PROCEDURE.

*** Important notes ***: CRDF Labs never gives more information about a website considered contrary to our detection criteria. CRDF Labs is not intended to provide any evidence that a website is against our detection criteria. The purpose of CRDF Labs is to protect its users against security risks associated with a browser over the Internet. So, you have to understand we cannot give you more details on adding a domain name in our database.

----

If you do not agree with this decision, please follow these few steps:

1/ A report containing additional data on your request is available at the following address:
https://threatcenter.crdf.fr/false_positive.php?ref=XXXXXXXXXXXXXXX

2/ If you want to report an error from our expert during the analysis of the website, please click on the following URL:
https://threatcenter.crdf.fr/false_positive.php?ref=XXXXXXXXXXXXXXX&recall

(By clicking on this URL, an expert will analyze the website again, please do not contact us if you do not click on this link)

WARNING: If you wish to report an error in the processing of your request, please report it to us by the above procedure (by following this link: https://threatcenter.crdf.fr/false_positive.php?ref=XXXXXXXXXXXXXXX&recall). We will not respond to your request if you do not follow the procedure.

----

As stated in this email, you do not need to contact us. You must click on the link provided which will allow you to specify the elements to the CRDF Labs expert via a form.

If you contact us to make comments outside of this procedure, you will not receive any response from us. Only this procedure allows us to process the false positive request. By following this process, you can be assured of a quick and reliable response.

What is the background check?


The background check is an internal investigation carried out by the CRDF Labs manager to determine whether you can access our data based on the information you have provided.

As you can imagine, the data contained in CRDF Labs is sensitive and we do not want malicious people to have access to it.

This background check allows us to verify and limit this risk by making it more difficult for such people to obtain access.

What is CRDF Foresight?


CRDF Labs Foresight is a machine learning technology developed by CRDF Labs.

The aim of this technology is to detect recently registered domain names that will be used in the future for phishing or typosquatting attacks.

The data from this service is unrestricted and is licensed under the Creative Commons BY-NC-SA 4.0 license (https://creativecommons.org/licenses/by-nc-sa/4.0/).

This technology is currently more accurate on ".fr" domain names, but we will improve it over time so that it learns and becomes more reliable on other TLDs.

The system generates a CSV file with three fields: the domain name, the score and the verdict. The score corresponds to the probability that this marker will become malicious in the future.

To download this data, go to this address:

https://threatcenter.crdf.fr/public/foresight/
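An added example of consuming that CSV, not CRDF Labs' own code. The page states only that each row has three fields (domain name, score, verdict) and that the score is the probability that the name becomes malicious; the comma delimiter, the field order `domain,score,verdict`, the tolerated header row and the verdict strings used in the constructed `SAMPLE_CSV` are assumptions to adjust to the real file. The helper rejects malformed rows and out-of-range scores rather than skipping them, and ranks the domains whose score reaches a locally chosen threshold.

```python
"""Turn a CRDF Foresight CSV export into a ranked watch list.

Added example, not CRDF Labs code. Assumed layout: comma-separated rows of
domain,score,verdict with an optional header; score is a probability in [0, 1].
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Prediction:
    domain: str
    score: float   # probability that the domain becomes malicious
    verdict: str


def parse_foresight_csv(text: str) -> list:
    """Parse the CSV, failing on malformed rows instead of silently dropping them."""
    predictions = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(row)}")
        domain, score_text, verdict = (cell.strip() for cell in row)
        if lineno == 1 and score_text.lower() == "score":
            continue  # optional header row (assumed)
        score = float(score_text)
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"line {lineno}: score {score} is not a probability")
        predictions.append(Prediction(domain.lower(), score, verdict.lower()))
    return predictions


def watch_list(predictions, threshold: float = 0.8) -> list:
    """Domains scored at or above the threshold, highest score first.

    The threshold is a local policy choice: a lower value surfaces more
    candidate phishing/typosquatting names at the cost of more manual review.
    """
    ranked = sorted(predictions, key=lambda p: p.score, reverse=True)
    return [p.domain for p in ranked if p.score >= threshold]


# Constructed sample in the assumed layout; the domain names are invented.
SAMPLE_CSV = """domain,score,verdict
example-bank-login.fr,0.97,malicious
exarnple-shop.fr,0.91,malicious
boulangerie-dupont.fr,0.12,benign
"""

if __name__ == "__main__":
    for domain in watch_list(parse_foresight_csv(SAMPLE_CSV)):
        print("review:", domain)
```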

What is the TLP (TRAFFIC LIGHT PROTOCOL)?


The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). TLP only has four colors; any designations not listed in this standard are not considered valid by FIRST.

TLP provides a simple and intuitive schema for indicating when and how sensitive information can be shared, facilitating more frequent and effective collaboration. TLP is not a “control marking” or classification scheme. TLP was not designed to handle licensing terms, handling and encryption rules, and restrictions on action or instrumentation of information. TLP labels and their definitions are not intended to have any effect on freedom of information or “sunshine” laws in any jurisdiction.

TLP is optimized for ease of adoption, human readability and person-to-person sharing; it may be used in automated sharing exchanges, but is not optimized for that use.

TLP is distinct from the Chatham House Rule (when a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.), but may be used in conjunction if it is deemed appropriate by participants in an information exchange.

The source is responsible for ensuring that recipients of TLP information understand and can follow TLP sharing guidance.

If a recipient needs to share the information more widely than indicated by the original TLP designation, they must obtain explicit permission from the original source.

Community: Under TLP, a community is a group who share common goals, practices, and informal trust relationships. A community can be as broad as all cybersecurity practitioners in a country (or in a sector or region).


Organization: Under TLP, an organization is a group who share a common affiliation by formal membership and are bound by common policies set by the organization. An organization can be as broad as all members of an information sharing organization, but rarely broader.


Clients: Under TLP, clients are those people or entities that receive cybersecurity services from an organization. Clients are by default included in TLP:AMBER so that the recipients may share information further downstream in order for clients to take action to protect themselves. For teams with national responsibility this definition includes stakeholders and constituents.


a. TLP:RED = For the eyes and ears of individual recipients only, no further disclosure. Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting.


b. TLP:AMBER = Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT.


c. TLP:GREEN = Limited disclosure, recipients can spread this within their community. Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: when “community” is not defined, assume the cybersecurity/defense community.


d. TLP:CLEAR = Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.

I am a journalist or a media, I would like to get some information. Is it possible?


CRDF Labs does not communicate with journalists or the media. We will systematically refuse any request from an entity related to this environment.