Foundfax.com malware infected Firewalla Gold?
I am getting alerts from a cybersecurity service (Akamai) that show a device on my network is infected with "Foundfax" malware (foundfax is trying to communicate with the internet). I disconnected all LAN ports on my Firewalla Gold from the network, but I still get the alerts that foundfax malware is trying to communicate with the internet. I then disconnected Firewalla Gold completely from my network (no ethernet cables connected at all) and the issue went away... no foundfax alerts. I tried putting in a block rule within Firewalla Gold (FWG), but that did not work. BTW, it doesn't seem possible for the modem to be affected, since leaving the modem connected to the internet but disconnecting FWG eliminates the foundfax alerts. Any thoughts?
-
What is the exact alert you see? Is it something visiting [foundfax.com], or a DNS lookup?
Firewalla's Active Protect may periodically query for the IP addresses of known bad actors in order to block them, and if Akamai detects a DNS lookup and claims it is a problem... it can be Firewalla just doing its work (this is the only thing I can think of). If you can share the exact details with us: is it an IP address or a domain lookup?
-
Thanks for the response. The service I'm using is a DNS security service. So it is blocking the connection to foundfax.com... I guess you would say via the DNS lookup. Firewalla is NOT doing anything except sending the request to foundfax.com. Again, since nothing is connected to FWG, FWG must be initiating the request. Below is the error I get in an email. Below that is a screenshot of the error I see when logged into the service (not much more info). I checked with the Akamai team as well as found info via Google. It is malware and ETP (Akamai) is stopping it, but how do I get to the source of the issue?
Enterprise Threat Protector detected 1 alerts for the xxxxxxx contract since 2022-03-23 18:00:38.779. Log in to Enterprise Threat Protector to view more detailed information.
Details:
  Domain: foundfax{.}com{.}
  Detection: inline
  Action Taken: Block - Error Page
  Confidence: Known
Location: PaulV
Policy: Paul Policy
Category: Malware
URI(s): -
Reason(s): Akamai Domain Intelligence
DNS Count: 1
HTTP(s) Count: 0
Internal Client IP / Sub Location: -
There is a known issue in the current release that the box may periodically request DNS on the domain in the blocked rules.
So if foundfax.com is already blocked in Firewalla rules, it may trigger DNS requests periodically.
If you want us to double confirm this, please send an email to help@firewalla.com and share remote support with us.
-
I deleted the rule (block foundfax.com) and it seems to have fixed the issue...but I will keep monitoring.
This sounds like a pretty major bug... if you put in a rule to block a site or IP address, Firewalla actually tries to go to that site or IP address, apparently about 150 times/day. If you don't put in the rule, then you cannot prevent users from going to that site/address. Are both these statements accurate?
-
This is not a bug.
Here is why: the block rule is in default mode, which means it will block DNS, TLS and also IP traffic to that domain. And since domain-to-IP mappings do change very often, this is why you see such queries: we adjust the mapping so we can block at the IP layer.
DNS lookups as you see are NOT going to the site, they are simply asking for domain to IP mapping. There is zero traffic going to the foundfax[.]com site.
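The mechanism the last reply describes, as an added example that is not part of the original thread and not Firewalla's code: a domain block rule that also blocks at the IP layer has to re-resolve the domain on a timer, so the only traffic the rule itself generates is DNS queries (which a DNS filtering service such as ETP will log as lookups of the blocked name), never a connection to the site. The resolver is a stub so the example runs offline; the class and function names, the 10-minute refresh interval, the domain's addresses and the mapping change are constructed assumptions (a 600 s interval gives 144 lookups a day, in the range of the "150 times/day" mentioned above).

```python
"""
Added example (not Firewalla's code): why a domain-level block rule emits
DNS queries of its own. To enforce the rule at the IP layer the engine must
keep the domain -> IP mapping fresh, and the only way to learn the mapping
is to ask a resolver. Everything below (names, addresses, timeline) is
constructed for the illustration; addresses are from the RFC 5737 test nets.
"""
import ipaddress


class StubResolver:
    """Stand-in for a real resolver. It records every query it answers, which
    is exactly what a DNS filtering service in front of the box would see."""

    def __init__(self, zone):
        self.zone = dict(zone)   # domain -> list of IP strings (constructed)
        self.queries = []        # (timestamp, domain) log of lookups

    def resolve(self, domain, now):
        self.queries.append((now, domain))
        return list(self.zone.get(domain, []))


class DomainBlockRule:
    """A 'default mode' block: match by DNS query name, by TLS SNI, and by
    destination IP. The IP set is refreshed from DNS every refresh_s seconds
    (assumed interval; the real product's timer is not documented here)."""

    def __init__(self, domain, resolver, refresh_s=600):
        self.domain = domain.lower().rstrip(".")
        self.resolver = resolver
        self.refresh_s = refresh_s
        self.ips = set()
        self.last_refresh = None
        # Never incremented: the rule resolves the name, it never connects.
        self.connections_attempted = 0

    def refresh(self, now):
        """Re-resolve the blocked domain when the cached mapping is stale."""
        if self.last_refresh is None or now - self.last_refresh >= self.refresh_s:
            answers = self.resolver.resolve(self.domain, now)
            self.ips = {ipaddress.ip_address(a) for a in answers}
            self.last_refresh = now

    def matches_name(self, name):
        name = name.lower().rstrip(".")
        return name == self.domain or name.endswith("." + self.domain)

    def decide(self, packet, now):
        """packet: dict with 'dst_ip' and optionally 'qname' (a DNS query seen
        from a LAN client) or 'sni' (a TLS ClientHello). Returns the verdict."""
        self.refresh(now)
        if "qname" in packet and self.matches_name(packet["qname"]):
            return "block:dns"
        if "sni" in packet and self.matches_name(packet["sni"]):
            return "block:tls"
        if ipaddress.ip_address(packet["dst_ip"]) in self.ips:
            return "block:ip"
        return "allow"


def simulate():
    """Constructed timeline: the domain's address changes while the rule is
    active, which is the case the periodic lookups exist to handle."""
    resolver = StubResolver({"foundfax.com": ["203.0.113.10"]})
    rule = DomainBlockRule("foundfax.com", resolver, refresh_s=600)
    out = {}
    # t=0: first decision triggers the initial lookup; old address is blocked.
    out["t0_old_ip"] = rule.decide({"dst_ip": "203.0.113.10"}, now=0)
    # The domain moves to a new address (constructed change).
    resolver.zone["foundfax.com"] = ["198.51.100.7"]
    # t=100: cached mapping is stale, so a bare IP connection slips through.
    out["t100_new_ip_stale"] = rule.decide({"dst_ip": "198.51.100.7"}, now=100)
    # t=700: refresh fires, the new address is learned and blocked.
    out["t700_new_ip_fresh"] = rule.decide({"dst_ip": "198.51.100.7"}, now=700)
    # Name-based matches do not depend on the IP set at all.
    out["dns_query_from_lan"] = rule.decide(
        {"dst_ip": "192.0.2.53", "qname": "www.foundfax.com."}, now=700)
    out["tls_sni"] = rule.decide({"dst_ip": "192.0.2.1", "sni": "foundfax.com"}, now=700)
    out["unrelated"] = rule.decide({"dst_ip": "192.0.2.1"}, now=700)
    # What an upstream DNS filter would have logged, and what the rule never did.
    out["resolver_queries"] = [d for _, d in resolver.queries]
    out["connections_to_site"] = rule.connections_attempted
    out["lookups_per_day"] = 86400 // rule.refresh_s
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The stale-mapping case at t=100 is the reason the lookups exist: without re-resolution the IP-layer part of the rule silently stops matching as soon as the domain's address changes. Deleting the rule, as the poster did, stops the lookups but also drops the DNS, SNI and IP blocks for that domain.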