Malware false positive from iOS devices

Hi,

Make sure the pattern are up2date. Alongside, did you do a virus check through VirusTotal? What is the scan result? If Sophos is detecting a false positive then, raise a reclassification request. Please refer to,

https://community.sophos.com/kb/en-us/119440

https://community.sophos.com/kb/en-us/35504

Thanks, 

We get them as well (at least 100 or so a day) I have not had the time to track it down either.

-Scott

I ran eventtracking.hubapi.com through VirusTotal.com and 0/67 engines are detecting it as malware. I've submitted a support case reporting this as a false positive.

Well, I submitted a support case per the KB article that was linked to above. Since I'm using Sophos XG Home, I was told support doesn't offer help and to utilize these community forums. I wasn't looking for help but just trying to provide some feedback to improve Sophos XG. I have no idea if anything was done with the support case.

Hi Shred, 

Please check the pattern update snapshot on your firewall.  System > Backup and Firmware  > Pattern update .

Hi,

We verified the lookup for the reported URL in our database and the results are clean. Can you please go to, Web > General Settings under Malware and Content Scanning section change the Anti Virus engine from Sophos to Avira and select the Scanning Mode as Real Time.

Update the pattern manually from, Backup and Firmware > Update Pattern > Update Pattern Now. Let us know the end results.

Thanks,

I don't mean to take over Shred's post, but since I am experiencing the same  thing I will reply as well:

Here's the Sophos pattern update:

Looked in logs and Im still getting them, so here's one from this morning:

messageid="08001"
log_type="Anti-Virus"
log_component="HTTP"
log_subtype="Virus"
status=""
fw_rule_id="5"
user=""
web_policy_id="4"
policy_name=""
virus=""
url="eventtracking.hubapi.com/.../blahblahblah--stuff deleted ---"
domain="eventtracking.hubapi.com"
src_ip="192.168.X.130"
src_country="R1"
dst_ip="104.17.200.204"
dst_country="USA"
protocol="TCP"
src_port="50822"
dst_port="80"
bytes_sent="686"
bytes_received="602"
user_agent="Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
status_code="500"

I’ve updated my settings per your instructions and will monitor for false positives. It’s been about ten days since the last time I received one so it may take a couple weeks. For my own curiosity, is there something wrong with the Sophos AV engine and/or the “Batch” scanning mode? I guess I’m just wondering how it’s reporting as malware if the database it’s pulling from says it’s a clean URL. Also, my patterns are up to date so I don’t think that has been the issue. I went ahead and manually update the patterns but the version and date did not change (current as of  today and they are set to automatically update).

Hi,

Changing the AV Engine will let us know if we need to update something on the Sophos database and Scanning mode is how the Engine will scan the content for Malware. You can find more information here, Sophos XG Firewall: What is Batch Mode and Real Mode in Malware Scanning?.

Thanks,

I've not had any issue with the previous malware messages now that I switched to the Avira engine.  I've not tried switching back to Sophos yet.

-Scott