Malware Blocking

Comments

13 comments

  • Firewalla

    It depends on the alarm. Some may say "Firewalla blocked ....", some say "accessing ..." and give you the option to block. And some are just silently blocked without any alarms.

    In your case, if you see there is an option to block or "allow", then the alarm is a warning. Meaning, the system is not sure if it should block it ... and gave you a choice. (And this choice thing is entirely based on an algorithm that's pretty complex.)

    https://help.firewalla.com/hc/en-us/articles/360007210473-Where-Firewalla-Can-Block-

    0
  • Bbwebb

    Is there any option to automatically block suspected malware versus making the decision after the fact? I would prefer to block, and then whitelist if necessary. I don't see an option to "Block all Malware", just to block the site that raised the alarm.

    0
  • Firewalla

    It is actually there; we just have not tuned it to block low-risk sites. We are revising it with every release.

    1
  • Alessandro Miccono

    It's an old post, but I'm wondering the same thing. How can I check the default behavior? Is it in functionality, active protection default/strict?

    0
  • Firewalla

    If you can tolerate a very small amount of false positives, you should go with active protect strict mode. 

    0
  • Alessandro Miccono

    Hello, I put it in strict mode but I keep getting the notification. It's kinda weird: either a) the option is not here where I can set the strict mode that you mention, or b) there is a bug in the beta version [app 1.52(40) box: 1.9742 (64a02461)].

    Should I also enable something at the group level?

    0
  • Alessandro Miccono

    This is an example of the alarm that I'm getting.

    0
  • Firewalla

    The strict mode just makes the block more sensitive to "higher" reputation sites. It is likely this site is alert only.

    0
  • Alessandro Miccono

    Sorry to bother, but I trust you (ofc, otherwise I would not spend money on your tools), and if you say that it's malicious, for me it is something that has to be blocked.

    I would expect that strict mode would block whatever is 'dangerous' also if it's a false positive. 

    Better safe than sorry on kids...

    In any case, unless you enrich the description, how can I understand if it's high or low risk? And which are the triggers for low that do not trigger high?

    Is it low just because it's in China? Or in Ecuador? It's perfectly fine; I have tools at work that mark equipment from Huawei as risky just because they are from a Chinese company, but I know that I can safely ignore that alarm and snooze it off.

    I'm sorry, but this part is a little bit confusing.

    1
  • Firewalla

    Our system is "reputation" based, and that is explained here: https://help.firewalla.com/hc/en-us/articles/360049856394 Reputation is never clear cut, so our system will try its best to balance false positives (things that shouldn't be blocked ... but were).

    Since this alarm is an IP address, and IP addresses can map to multiple domains, I am guessing the probability of the IP being bad is low, hence you are getting an alarm. You can tap on the alarm and then you should be able to do secondary lookups. (You should see a domain or IP; tap on that, and there is a security lookup feature.)

    0
  • WHAT TF

    So I'll chime in again. I have a Netgear R7800 that is calling out to "malware sites" after rebooting and/or updating. Guaranteed that router doesn't have to reach out to anything, and I cannot fathom why the ******* I cannot force block any of those actions BEFORE they happen. That should ABSOLUTELY be an option. I have 3 Firewalla Gold units and I vote x 3 that this should be a thing. Stick a disclaimer when enabling that the option may block legitimate requests, but it should be block and alert by default; then I can decide if I want to allow it after the fact. Secure by default / implicit deny sounds like a great idea here.

    1
  • Firewalla

    The "reputation" part is never 0 or 1 (true or false). This is why we have strict mode, to tune things up a bit. If you want to trigger on all risks, then it may disturb your network. Now, we may create an ultra strict mode; the only problem with that is, the ultra-strict still won't be 100% blocking of any minor risk.

    0
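The Firewalla replies above describe a reputation score that is never simply 0 or 1, a per-mode sensitivity (default, strict, a possible ultra strict), and an IP-only hit being weaker evidence than a domain hit because one IP can front many domains. The following is an added illustrative model of that kind of decision logic, written for this thread; it is not Firewalla's code or algorithm. The thresholds, the IP discount factor, the `ultra_strict` mode, the allowlist override and the sample indicators are all constructed.

```python
# Illustrative allow / alert / block decision driven by a reputation score.
# Constructed model for this thread, NOT Firewalla's implementation.

BLOCK, ALERT, ALLOW = "block", "alert", "allow"

# Constructed thresholds on a 0..1 risk score: (block_at, alert_at).
# A stricter mode lowers both, so hits move from "alert only" towards "block".
MODES = {
    "default": (0.90, 0.60),
    "strict": (0.75, 0.45),
    "ultra_strict": (0.50, 0.25),  # hypothetical mode discussed in the thread
}

# One IP can serve many unrelated domains, so an IP-only hit is weaker
# evidence than a domain hit. Constructed discount factor.
IP_CONFIDENCE = 0.7


def effective_risk(raw_score: float, kind: str) -> float:
    """Scale the raw reputation score by how much the indicator type is trusted."""
    return raw_score * IP_CONFIDENCE if kind == "ip" else raw_score


def decide(indicator: str, kind: str, raw_score: float, mode: str,
           allowlist: frozenset = frozenset()) -> str:
    """Return 'block', 'alert' or 'allow' for a single reputation hit."""
    if indicator in allowlist:  # user whitelisted it after a false positive
        return ALLOW
    block_at, alert_at = MODES[mode]
    risk = effective_risk(raw_score, kind)
    if risk >= block_at:
        return BLOCK
    if risk >= alert_at:
        return ALERT
    return ALLOW  # silently allowed: below the alert threshold for this mode


def triage(alarms, mode: str, allowlist: frozenset = frozenset()) -> dict:
    """Decide a batch of (indicator, kind, raw_score) hits under one mode."""
    return {ind: decide(ind, kind, score, mode, allowlist)
            for ind, kind, score in alarms}


# Constructed sample hits (documentation IP ranges): a flagged domain and a
# shared IP with the same raw score, plus a low-scoring IP that even the
# hypothetical ultra-strict mode still leaves alone.
SAMPLE = [
    ("bad.example", "domain", 0.80),
    ("203.0.113.7", "ip", 0.80),
    ("198.51.100.9", "ip", 0.20),
]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, triage(SAMPLE, mode))
```

Running it shows why the same hit can be "alert only" in one mode and blocked in the next, and why a low-scoring minor risk is still not blocked even under the hypothetical ultra-strict thresholds.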
  • fab

    Good idea to create an ultra strict mode. 100% blocking and carrying false positives is the customers' accountability. Please create it and we (the customers) will discriminate.

    0
