You need to retrieve a list of all malicious hashes over the last 30 days. What is the correct query to use?
To retrieve a list of all malicious hashes over the last 30 days, the query must restrict the source timestamp to 30 days ago or later, excluding anything earlier. Additionally, 'verdict' is more descriptive than 'reputation' for indicating a malicious status. Therefore, the correct query is 'type:File verdict:Malicious sourcetimestamp:>="30 days ago"'.
D is correct
I think B is correct