Jun 14 2022 01:45 AM
Jun 14 2022 01:45 AM
In our SOC, we've been seeing alerts on MDE for Mozilla Firefox with a combination of "Network traffic proxy redirector detected" and "Connection to a custom network indicator" to domains such as "https[:]//s.skimresources.com" for a particular customer. (Please see the screenshot of the alert below)
We recommended them to:
Check for any suspicious add-ons/extensions on the Firefox browser, and also to reset Firefox.
However, we still do see these alerts and now we do not really know what to advise/to look for further than this.
Furthermore, we observed that these Network Proxy alerts are always in conjunction with a connection to a custom network indicator being blocked.
Question: Would anyone of you maybe know if this is a false positive by MDATP? Or if not, how else to prevent/avoid these alerts? (apart from creating a suppression rule)
Jun 14 2022 05:05 AM
Jun 14 2022 10:31 AM
I am having the same issue and I have tried to look into the root cause that have triggered the alert but couldn't find it
Here firefox.exe is used as a internal proxy by sending and receiving x amount of bytes and in custom network indicator it is mentioned like blocked firefox from accessing the below website
Jun 16 2022 05:31 AM
Jun 16 2022 05:41 AM
Do you also see?
Jun 16 2022 09:18 AM
We are seeing the same issues on our side. Firefox.exe is what is pulling up for us. @Sashaank
Jun 17 2022 01:51 AM
We are also seeing this behaviour on 5 of our +/- 1.5k devices.
Just connections firefox.exe and several ports:
TCP 127.0.0.1:54407 127.0.0.1:54406 ESTABLISHED 14400
TCP 127.0.0.1:54420 127.0.0.1:54421 ESTABLISHED 7652
TCP 127.0.0.1:54421 127.0.0.1:54420 ESTABLISHED 7652
TCP 127.0.0.1:54432 127.0.0.1:54433 ESTABLISHED 14628
TCP 127.0.0.1:54433 127.0.0.1:54432 ESTABLISHED 14628
TCP 127.0.0.1:54561 127.0.0.1:54562 ESTABLISHED 19452
TCP 127.0.0.1:54562 127.0.0.1:54561 ESTABLISHED 19452
TCP 127.0.0.1:54571 127.0.0.1:54572 ESTABLISHED 10864
TCP 127.0.0.1:54572 127.0.0.1:54571 ESTABLISHED 10864
TCP 127.0.0.1:54582 127.0.0.1:54583 ESTABLISHED 17636
TCP 127.0.0.1:54583 127.0.0.1:54582 ESTABLISHED 17636
Haven't figured out what's going on.
Normal behaviour from firefox.exe that's suddenly reporting as redirector proxy?
Or malicious activity?
Thanks for some response .
Jun 17 2022 09:47 AM
@JG-Burke I am also not sure about that, searching for a solution regarding this alert
Jun 20 2022 12:36 PM
Jun 21 2022 04:48 AM
Jun 22 2022 06:08 AM
Sep 19 2022 07:36 PM
I noticed that I am getting this alert when a user is using firefox browser to try and access a url that is being blocked by the EDR in the first place. For example, a malicious ad domain is being blocked by the EDR and I get a regular alert about a blocked malicious domain if the user uses any other browser that isn't firefox. When the same url and it is supposed to be blocked in the EDR and the browser used ais firefox, there seems to be this proxy alert being triggered.
Seems like a bug?
Sep 26 2022 09:44 AM - edited Sep 26 2022 09:46 AM
I have a feeling that the alert is related to Microsoft Defender itself. When we get this alert we see the user is blocked by the smart screen. Seems like Defender is doing some kind of proxy to observe the connections and generate this alert. I feel it is a bug that we tried to communicate with MS but still not much luck.