Malware Blocking

Comments

10 comments

  • Firewalla

    It depends on the alarm: some may say "Firewalla blocked ....", some say "accessing ..." and give you the option to block. And some are just silently blocked without any alarms.

    In your case, if you see there is an option to block or "allow", then the alarm is a warning. Meaning, the system is not sure if it should block it ... and gave you a choice. (And this choice is entirely based on an algorithm that's pretty complex.)

    https://help.firewalla.com/hc/en-us/articles/360007210473-Where-Firewalla-Can-Block-

  • Bbwebb

    Is there any option to automatically block suspected malware versus making the decision after the fact? I would prefer to block, and then whitelist if necessary. I don't see an option to Block all Malware, just to block the site that raised the alarm.

  • Firewalla

    It is actually there; we just have not tuned it to block low-risk sites. We are revising it with every release.

  • Alessandro Miccono

    It's an old post, but I'm wondering the same thing. How can I check the default behavior? Is it under Functionality, Active Protection default/strict?

  • Firewalla

    If you can tolerate a very small number of false positives, you should go with Active Protect strict mode.

  • Alessandro Miccono

    Hello, I put it in strict mode but I keep getting the notification. It's kinda weird: either a) the option is not where I can set the strict mode that you mention, or b) there is a bug in the beta version [app 1.52(40) box: 1.9742 (64a02461)].

    Should I also enable something at the group level?

  • Alessandro Miccono

    This is an example of the alarm that I'm getting.

  • Firewalla

    The strict mode just makes the block more sensitive to "higher" reputation sites. It is likely this site is alert only.

  • Alessandro Miccono

    Sorry to bother you, but I trust you (of course, otherwise I would not spend money on your tools), and if you say that it's malicious, for me it is something that has to be blocked.

    I would expect that strict mode would block whatever is 'dangerous', even if it's a false positive.

    Better safe than sorry on kids...

    In any case, unless you enrich the description, how can I understand if it's high or low risk? And which are the triggers for low risk that do not trigger high?

    Is it low just because it's in China? Or in Ecuador? It's perfectly fine; I have tools at work that mark equipment from Huawei as risky just because they are from a Chinese company, but I know that I can safely ignore that alarm and snooze it.

    I'm sorry, but this part is a little bit confusing.

  • Firewalla

    Our system is "reputation" based, and that is explained here: https://help.firewalla.com/hc/en-us/articles/360049856394 Reputation is never clear cut, so our system will try its best to balance false positives (things that shouldn't be blocked ... but were).

    Since this alarm is for an IP address, and IP addresses can map to multiple domains, I am guessing the probability of the IP being bad is low, hence you are getting an alarm. You can tap on the alarm and then you should be able to do secondary lookups. (You should see a domain or IP; tap on that, and there is a security lookup feature.)

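To make the reputation-and-threshold idea in this thread concrete, here is an added Python model. It is my illustration, not Firewalla's code or its actual algorithm (which the thread describes only as complex and re-tuned each release). It shows three things the replies above point at: a raw reputation score per indicator, a "block" bar and an "alert" bar where strict mode lowers both, and a confidence discount for IP-only indicators that captures the point that an IP can map to many domains, so an alarm on an IP tends to land in the alert-with-a-choice band rather than a silent block. The thresholds, the log2 discount, the sample indicator values and the allowlist handling are all assumptions.

```python
import math
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    BLOCK = "block"   # silently blocked, no choice offered
    ALERT = "alert"   # alarm with a block / allow choice (the "warning" case)
    NONE = "none"     # below the alerting bar, nothing shown
    ALLOW = "allow"   # explicitly whitelisted by the user after a block


@dataclass(frozen=True)
class Indicator:
    """One thing the gateway saw a device contact: a domain or an IP."""
    value: str
    kind: str               # "domain" or "ip"
    risk: float             # 0.0 (clean) .. 1.0 (known bad), from a reputation feed
    domains_on_ip: int = 1  # for an IP only: distinct domains known to resolve to it


# (block_threshold, alert_threshold) per mode.  Strict mode lowers both bars,
# so more sites are blocked outright and more are alerted on.  These numbers
# are an assumed model, not the vendor's tuning.
THRESHOLDS = {
    "default": (0.90, 0.50),
    "strict": (0.70, 0.40),
}


def effective_risk(ind: Indicator) -> float:
    """Discount an IP's raw reputation by how many domains share it.

    A domain is a specific indicator.  An IP on shared hosting is not: one
    bad tenant drags the address into a feed while the other tenants are
    fine.  Dividing by 1 + log2(tenants) keeps a single-tenant IP at full
    weight, halves it at two tenants and quarters it at eight (assumed curve).
    """
    if ind.kind == "ip":
        return ind.risk / (1.0 + math.log2(max(1, ind.domains_on_ip)))
    return ind.risk


def decide(ind: Indicator, mode: str = "default",
           allowlist: frozenset = frozenset()) -> Action:
    """Map an indicator to block / alert / none, honouring the user's allowlist."""
    if ind.value in allowlist:
        return Action.ALLOW
    block_at, alert_at = THRESHOLDS[mode]
    r = effective_risk(ind)
    if r >= block_at:
        return Action.BLOCK
    if r >= alert_at:
        return Action.ALERT
    return Action.NONE


# Constructed sample indicators (values are illustrative, not from any real feed).
SAMPLES = [
    Indicator("bad.example", "domain", 0.95),
    Indicator("grey.example", "domain", 0.80),
    Indicator("192.0.2.10", "ip", 0.90, domains_on_ip=1),
    Indicator("192.0.2.20", "ip", 0.90, domains_on_ip=2),
]


def triage(mode: str = "default", allowlist: frozenset = frozenset()) -> dict:
    """Return {indicator value: action name} for the sample set in the given mode."""
    return {s.value: decide(s, mode, allowlist).value for s in SAMPLES}


if __name__ == "__main__":
    for mode in ("default", "strict"):
        print(mode, triage(mode))
    # "block first, then whitelist if necessary": the allowlist wins over the score
    print("allowlisted", triage("strict", frozenset({"bad.example"})))
```

Running it shows the behaviour the thread describes: `grey.example` is alert-only in default mode and blocked in strict mode, while the IP shared by two domains drops from a would-be block to nothing in default mode and only to an alert in strict mode, because its score is discounted for the domains it is shared with. The allowlist check runs before any scoring, which is the "block, then whitelist" workflow asked for earlier in the thread.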