Malware Protection
Most people think malware protection works like a smoke detector — the threat has to be inside the house before anything happens. That’s exactly the problem.
Traditional antivirus operates on a detection model: you visit a site, something downloads, the antivirus scans it, catches it (hopefully), removes it. The malware already touched your system. The sequence matters more than most people realize, because between the download and the detection, a lot can happen — credentials captured, files encrypted, data exfiltrated to a server in a country where nobody’s going to do anything about it.
DNS-level protection runs a completely different sequence.
How DNS Protection Works
Traditional antivirus:
1. Visit malicious site
2. Download malware
3. Antivirus detects → Blocks/Removes
DNS-level protection:
1. Try to visit malicious site
2. DNS checks domain → Known threat
3. Connection blocked before anything downloads
The domain never resolves. The connection never opens. Nothing reaches your device. It’s the difference between a bouncer checking the list at the door versus security tackling someone inside the building.
What Gets Blocked
Malware distribution sites: domains known to serve viruses, trojans, ransomware, keyloggers, and browser hijackers.
Phishing sites: fake login pages built to look exactly like your bank, Gmail, Amazon, PayPal, or any cryptocurrency exchange you might use. These live and die in hours — new ones spin up constantly, which is why real-time threat feed updates matter.
Command and control servers: the infrastructure malware phones home to. An infected device that can’t reach its C&C server is significantly less dangerous — it can’t receive instructions, exfiltrate data, or download additional payloads.
Typosquatting domains: gooogle.com, amaz0n.com, facebo0k.com — domains registered to catch people who mistype. Stoix maintains lists of known typosquatting patterns for high-traffic targets.
Real-World Scenarios
Phishing email: You get an email that your Amazon account has been suspended, click the link, and land on amazn-secure-login.com. DNS check happens before the page loads. Connection blocked. You see a warning page instead of a convincing fake login form.
Compromised website: A legitimate site you visit regularly gets hacked and starts redirecting visitors to a malware domain. The redirect request hits DNS. The malware domain is on the blocklist. Redirect fails. You never know anything happened.
Malicious ad: A news site you trust serves an ad from a compromised ad network. The ad domain tries to load. Stoix blocks the domain. The ad never renders. The malicious script inside it never runs.
Threat Intelligence Sources
The blocklists are only as good as what feeds them. Stoix pulls from multiple threat intelligence sources including URLhaus for malware distribution sites, PhishTank and OpenPhish for real-time phishing feeds, Spamhaus for malicious domain infrastructure, and Google Safe Browsing’s broader threat database. Lists update every few hours automatically.
Protection Levels
Core Protection (Always Active)
Malware distribution sites, phishing sites, command and control servers, known ransomware domains, and cryptojacking sites — these are blocked for every user regardless of other settings.
Enhanced Protection (Optional)
Configurable in Content Policies under Security Settings:
- Block newly registered domains (less than 30 days old) — most phishing campaigns use freshly registered domains to avoid blocklists
- Block suspicious TLDs (.tk, .ml, .ga, and others that have historically hosted disproportionate amounts of malicious content)
- Block dynamic DNS providers frequently used for attack infrastructure
Each of these raises the false positive rate (a legitimate business on a new domain, a personal site on a cheap TLD, a home server on dynamic DNS), but the threat surface narrows considerably. Add the exceptions you need to your Allowlist rather than turning the option off.
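The decision logic described in the sections above (core categories with subdomain matching, the Allowlist override, and the three Enhanced Protection options), as an added example in Python. This is illustrative code written for this page, not Stoix’s implementation: the feed entries, registration dates, TLD and dynamic-DNS lists, and the `Policy`/`evaluate` names are all constructed for the example.

```python
"""Added example: a simplified DNS-filtering policy decision.

Illustrative code, not Stoix's implementation. Every feed below
(CORE_BLOCKLIST, SUSPICIOUS_TLDS, DYNAMIC_DNS_SUFFIXES, REGISTERED_ON)
is constructed for the example; a real resolver would consult live
threat feeds and a registration-date (RDAP/WHOIS) source.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed stand-ins for URLhaus/PhishTank-style feed entries.
CORE_BLOCKLIST = {
    "amazn-secure-login.com": "phishing",
    "cdn.payload-host.example": "malware",
    "c2.badactor.example": "c2",
}
SUSPICIOUS_TLDS = {"tk", "ml", "ga", "cf", "gq"}
DYNAMIC_DNS_SUFFIXES = {"duckdns.org", "no-ip.org", "ddns.net"}
# Constructed registration dates standing in for an RDAP lookup.
REGISTERED_ON = {
    "fresh-login-portal.com": date(2024, 5, 28),
    "example.com": date(1995, 8, 14),
}


@dataclass
class Policy:
    """Core protection is always on; the three flags are Enhanced Protection."""
    block_nrd: bool = False            # newly registered domains
    nrd_max_age_days: int = 30
    block_suspicious_tlds: bool = False
    block_dynamic_dns: bool = False
    allowlist: set = field(default_factory=set)


def parent_domains(name):
    """Yield a name and each of its parents: a.b.c -> a.b.c, b.c, c."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def registrable_domain(name):
    # Simplification: last two labels. Real code uses the Public Suffix List
    # so that names under co.uk and similar are handled correctly.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def evaluate(name, policy, today=date(2024, 6, 10)):
    """Return ('allow' | 'block', reason) for one DNS query name."""
    name = name.lower().rstrip(".")
    # Allowlist wins, so a reported false positive can be unblocked immediately.
    if any(p in policy.allowlist for p in parent_domains(name)):
        return "allow", "allowlist"
    # Core protection: check the name and every parent so that
    # login.evil.example is blocked when evil.example is listed.
    for p in parent_domains(name):
        if p in CORE_BLOCKLIST:
            return "block", "core:" + CORE_BLOCKLIST[p]
    tld = name.rsplit(".", 1)[-1]
    if policy.block_suspicious_tlds and tld in SUSPICIOUS_TLDS:
        return "block", "enhanced:tld:." + tld
    # Block hosts *under* a dynamic-DNS provider, not the provider's own site.
    if policy.block_dynamic_dns and any(
        name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES
    ):
        return "block", "enhanced:dynamic-dns"
    if policy.block_nrd:
        registered = REGISTERED_ON.get(registrable_domain(name))
        if registered is not None:
            age = (today - registered).days
            if age < policy.nrd_max_age_days:
                return "block", "enhanced:nrd:%dd" % age
    return "allow", "no-match"


if __name__ == "__main__":
    for q in ("amazn-secure-login.com", "update.example.tk",
              "mybox.duckdns.org", "login.fresh-login-portal.com"):
        print(q, evaluate(q, Policy(block_nrd=True,
                                    block_suspicious_tlds=True,
                                    block_dynamic_dns=True)))
```

The order of the checks is the point: the Allowlist is consulted first so a false positive can be cleared without editing feeds, core categories are matched against every parent domain so a listed domain covers all of its subdomains, and the Enhanced options only apply when their flags are set. A production resolver would replace the dictionaries with live feeds and the two-label `registrable_domain` with a Public Suffix List lookup.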
What DNS Protection Cannot Do
This matters as much as what it can do.
DNS filtering blocks access to known malicious domains. It cannot detect zero-day malware that hasn’t been catalogued yet. It cannot scan file contents: a malicious file sent through email or copied from a USB drive bypasses DNS entirely. It cannot remove malware that’s already on your device. It only sees lookups that actually go through the Stoix resolver, so malware that connects to a hard-coded IP address, or that carries its own encrypted DNS client and talks to a third-party resolver, never asks Stoix anything. And because new phishing sites spin up constantly, some will slip through for the hours between appearance and blocklist inclusion.
The complete security stack looks like this:
- Stoix DNS filtering — blocks known malicious domains before connection
- Antivirus software — scans file contents and program behaviour, catches threats that have no domain reputation yet, removes existing malware
- System and browser updates — patches the vulnerabilities malware exploits to run
- Safe browsing habits — verify URLs, don’t open unexpected attachments, use a password manager
DNS filtering is the first line. It handles the high-volume, known-threat categories automatically and stops most malware before it has a chance to run. The other layers catch what slips through.
Recognizing Threats
Phishing Warning Signs
Urgency is the primary mechanism — “your account will be suspended in 24 hours,” “unusual activity detected, verify immediately.” It’s designed to bypass skepticism by activating panic.
Other signals: misspelled domains (amaz0n.com, g00gle.com), sender email addresses that don’t match the organization they claim to be from, requests for passwords or personal information that legitimate services don’t ask for over email, and offers that don’t make sense.
Before clicking any link in an email, hover over it first. The real destination appears in the browser’s status bar, or as a tooltip in most mail clients. Read the domain right to left: secure.amazon.com.example.net belongs to example.net, not Amazon. If the registrable domain doesn’t match the claimed sender’s domain, don’t click it.
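The same hover-and-compare check, plus the typosquat patterns from the What Gets Blocked section (gooogle.com, amaz0n.com, facebo0k.com), as an added Python example. This is illustrative code written for this page, not Stoix code; `KNOWN_BRANDS`, the confusable-character table, the `check_link`/`lookalike_of` names and the sample message are all constructed.

```python
"""Added example: the hover-before-you-click check, and typosquat
detection, done in code.

Illustrative, not Stoix code. KNOWN_BRANDS, CONFUSABLES and the sample
messages are constructed; a real check would use the Public Suffix List
and a far larger brand list.
"""
import re
from urllib.parse import urlparse

# Constructed list of high-traffic brands and their real registrable domains.
KNOWN_BRANDS = {"amazon.com", "google.com", "facebook.com", "paypal.com"}

# Look-alike substitutions attackers rely on: 0 for o, 1 for l, rn for m.
CONFUSABLES = str.maketrans({"0": "o", "1": "l"})


def registrable_domain(host):
    # Simplification: last two labels; use the Public Suffix List in production.
    return ".".join(host.lower().strip(".").split(".")[-2:])


def normalize(label):
    return label.lower().translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the brand domain that `domain` imitates, or None if it is
    either the genuine brand or unrelated."""
    if domain in KNOWN_BRANDS:
        return None
    # amazn-secure-login -> ["amazn", "secure", "login"]
    tokens = normalize(domain.split(".")[0]).split("-")
    for brand in sorted(KNOWN_BRANDS):
        bname = brand.split(".")[0]
        for t in tokens:
            # Exact brand name embedded in a foreign domain, or one typo away.
            if t == bname or (len(t) >= 4 and edit_distance(t, bname) <= 1):
                return brand
    return None


def check_link(sender, href, anchor_text):
    """Warnings for one link in an email; an empty list means no signal."""
    warnings = []
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    parsed = urlparse(href)
    host = parsed.hostname or ""
    link_domain = registrable_domain(host)
    if link_domain != sender_domain:
        warnings.append("link goes to %s, sender claims %s" % (link_domain, sender_domain))
    # Visible text that looks like a URL but points somewhere else.
    m = re.search(r"https?://([^/\s]+)", anchor_text)
    if m and registrable_domain(m.group(1)) != link_domain:
        warnings.append("visible text shows %s but href host is %s" % (m.group(1), host))
    brand = lookalike_of(link_domain)
    if brand:
        warnings.append("%s looks like %s" % (link_domain, brand))
    if parsed.scheme == "http":
        warnings.append("plain http link")
    return warnings


if __name__ == "__main__":
    # Constructed phishing message: spoofed From, lookalike link, URL-shaped text.
    for w in check_link("security-notice@amazon.com",
                        "http://amazn-secure-login.com/verify",
                        "https://www.amazon.com/account"):
        print("warning:", w)
```

Note that the From address is deliberately the genuine brand domain here: sender addresses are trivially spoofed, which is why the comparison runs against the link’s registrable domain rather than trusting the header. The brand check folds 0/1/rn into o/l/m before comparing, so amaz0n and arnazon both land on amazon, and then allows one edit so amazn and gooogle are caught as well.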
Malicious Download Warning Signs
Unexpected download prompts on sites that have no reason to serve software. “Your Flash Player is out of date” (Flash has been dead since 2020 — nothing legitimate is still using it). Software bundlers that install additional programs alongside the thing you wanted. Anything from a piracy site. Email attachments with .exe, .scr, .js, or .vbs extensions from senders you don’t recognize.
Download software from official sources. When in doubt, go directly to the developer’s website rather than through a search result.
If Malware Gets Through
- Disconnect from the internet immediately — stops data exfiltration, prevents ransomware from spreading to other devices on the network
- Run a full antivirus scan — use an offline rescue disk if ransomware has disabled the local antivirus
- Change passwords from a different clean device — anything the infected machine touched should be considered compromised
- Check financial accounts for unauthorized transactions
- Restore from backup if files were encrypted
For ransomware specifically: don’t pay. Payment doesn’t guarantee recovery, it funds further attacks, and it marks you as someone willing to pay — which tends to generate follow-up attempts. Check NoMoreRansom.org first — free decryptors exist for a significant number of known ransomware strains.
Monitoring Your Protection
The Analytics dashboard shows blocked domains in real time. Indicators worth paying attention to: domains with suspicious TLDs, gibberish domain names consistent with algorithmically generated (DGA) malware infrastructure, a single device hitting many such names in quick succession, and any domains flagged across threat feeds.
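A way to pick those gibberish, algorithmically generated names out of a blocked-domain export and rank the devices querying them, as an added Python example. It is illustrative code for this page, not Stoix’s analytics; the log lines are constructed and their layout (timestamp, client IP, domain, category) is an assumption, as are the `dga_score`/`triage`/`suspect_clients` names.

```python
"""Added example: triaging a blocked-domain export for machine-generated
names (DGA-style C2 infrastructure).

Illustrative, not Stoix's analytics code. SAMPLE_LOG is constructed, and
its format (timestamp, client IP, domain, category) is an assumption.
"""
import math
from collections import Counter

SAMPLE_LOG = """\
2024-06-10T08:01:12Z 10.0.0.12 xjq7kd2mvp9a.info c2
2024-06-10T08:01:13Z 10.0.0.12 p0lz83qwertv.info c2
2024-06-10T08:01:14Z 10.0.0.12 m3kd9slqx1tv.info c2
2024-06-10T08:03:40Z 10.0.0.7 amazn-secure-login.com phishing
2024-06-10T08:05:02Z 10.0.0.9 cdn.adtracker.example ads
"""


def shannon_entropy(s):
    """Bits per character; random-looking strings score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(label):
    """Heuristic 0..3 for one DNS label. No single signal is conclusive
    (long human names also have high entropy), so the signals are combined."""
    score = 0
    if shannon_entropy(label) > 3.0:
        score += 1
    vowels = sum(ch in "aeiou" for ch in label)
    if len(label) >= 8 and vowels / len(label) < 0.25:
        score += 1
    if any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label):
        score += 1
    return score


def triage(log_text, threshold=2):
    """Map each domain scoring >= threshold to the clients that queried it."""
    hits = {}
    for line in log_text.splitlines():
        _ts, client, domain, _category = line.split()
        if dga_score(domain.split(".")[0]) >= threshold:
            hits.setdefault(domain, set()).add(client)
    return {d: sorted(c) for d, c in hits.items()}


def suspect_clients(hits):
    """Clients ranked by how many DGA-looking domains they hit; a device
    cycling through many such names is the one to pull off the network."""
    return Counter(client for clients in hits.values() for client in clients)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for domain, clients in hits.items():
        print(domain, clients)
    print(suspect_clients(hits).most_common())
```

On the constructed log the three random-looking .info names score 3 and all come from 10.0.0.12, while amazn-secure-login.com scores only 1 (high entropy, but a normal vowel mix and no digits) and is left to the phishing feed. The threshold is deliberately set at 2 so that one noisy signal alone does not flag a long but legitimate hostname.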
If a legitimate site is blocked, add it to your Allowlist and report the false positive to [email protected]. If a malicious site isn’t getting blocked, report it to [email protected] with the domain and a description — it’ll get investigated and added to the blocklist.