Malware Blocking
How do I know if my Firewalla Gold is actually blocking access to Malware or other unsafe sites? I just received two alarms that say “Device #### is accessing malware site ####.com.” There is no indication that Firewalla actually blocked the device from going to the site though.
Any help would be appreciated!
Bill
-
Depends on the alarm, some may say, firewalla blocked ...., some says accessing ... and give you the option to block. And some are just silently blocked without any alarms.
In your case, if you see there is an option to block or "allow", then the alarm is a warning. Meaning, the system is not sure if it should block it ... and gave you a choice. (And this choice thing is entirely based on an algorithm that's pretty complex)
https://help.firewalla.com/hc/en-us/articles/360007210473-Where-Firewalla-Can-Block-
-
sorry to bother, but I trust you (ofc otherwise i would not spend money on your tools) and if you say that it's malicious for me is something that have to be blocked.
I would expect that strict mode would block whatever is 'dangerous' also if it's a false positive.
Better safe than sorry on kids...
In any case, unless you enrich the description, how i can understand if it's in high or low risk? And which are the trigger the low that does not trigger high?
Is low just because it's in China? or in Ecuador? It's perfectly fine i have tools at work that mark risky equipment from huawei just because they from a china company but i know that i can safely ignore that alarm and snooze off.
I'm sorry but this part it's a little bit confuse.
-
Our system is "reputation" based, and that is explained here, https://help.firewalla.com/hc/en-us/articles/360049856394 Reputation is never clear cut, so our system will try its best to balance false positives (things shouldn't be blocked ... but did).
Since this alarm is an IP address, and IP addresses can map to multiple domains, I am guessing the probability of the IP being bad is low, hence you are getting an alarm. You can tap on the alarm and then you should be able to do secondary lookups. (you should see domain, or IP, tap on that, and there is a security lookup feature)
-
SO i’ll chime in again. Have a Netgear R7800 that is calling out to “malware sites” after rebooting and/or updating. Guaranteed that router doesn’t have to reach out to anything and I cannot fathom why the ******* I cannot force block any of those actions BEFORE they happen. That should ABSOLUTELY be an option. I have 3 Firewalla Gold units and I vote x 3 that this should be a thing. Stick a disclaimer when enabling that the option may block legitimate requests, but it should be block and alert by default, then I can decide if I want to allow it after the fact. Secure by default / implicit deny sounds like a great idea here.
-
The "reputation" part is never 0 or 1 (true or false). This is why we have strict mode to tune up things a bit. If you want to trigger on all risks, then it may be disturb your network. Now, we may create an ultra strict mode, the only problem with that is, the ultra-strict still won't be 100% blocking of any minor risk.
Please sign in to leave a comment.
Comments
13 comments