Alarm - iPhone accessing malware site
I got an alert that one of the iPhones on our network was accessing a Malware Site which prompts a couple of questions
1. If the iPhone was accessing a Malware Site why wasn't it blocked by Firewalla?
2. It said the Malware site was 104.21.44.13 (owned by Cloudflare). The iPhone has Private Relay on so not surprising it was accessing Cloudflare.
Was this a real alarm? My understanding is Private Relay should be going through a relay (which is likely to be Cloudflare). Is Firewalla reporting the relay as Malware for some reason? If Private Relay is working then I don't think Firewalla would know the real destination IP address?
-
If the Firewalla action was an "alarm", likely the reputation of the site is bad enough for a block. What you can do is tap on the IP address, and you should be able to check with a few third-party intel providers for a secondary check.
See this on active protect https://help.firewalla.com/hc/en-us/articles/360049856394-How-to-Secure-Your-Network-with-Firewalla-Part-3-Protect#h_01GHCCPGKGN79ZGBSWA1Q1ZPG5
"Since Firewalla has to track millions and millions of sites, to make things easier, we attach a reputation score to each of the sites. This reputation score is not a binary good or bad rating, but rather a score between good and bad. Over time, a site's reputation may change due to many factors. If the site's reputation is not that bad but not that good, you may receive an alarm; if it is bad, it may result in a block and an alarm."