Malware false positive from iOS devices

Question

I've noticed several of these entries in the logs as malware: 
 2018-05-08 08:12:02Malwaremessageid="08001" log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" fw_rule_id="5" user="" web_policy_id="12" policy_name="" virus="" url="eventtracking.hubapi.com/.../*[deleted]" domain="eventtracking.hubapi.com" src_ip="172.16.16.50" src_country="R1" dst_ip="104.17.202.204" dst_country="USA" protocol="TCP" src_port="52636" dst_port="80" bytes_sent="632" bytes_received="729" user_agent="Mozilla/5.0 (iPad; CPU OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E302" status_code="500" 
 It appears to be only coming from my iOS devices. I'm fairly confident it's not actually malware but I'm curious as to what is causing Sophos XG to flag it as malware. Anyone else seeing this or know what's causing it? I can't seem to isolate it to a certain app or website either.

sachingurung · Answer

Hi, 
 Make sure the pattern are up2date. Alongside, did you do a virus check through VirusTotal? What is the scan result? If Sophos is detecting a false positive then, raise a reclassification request. Please refer to, 
 https://community.sophos.com/kb/en-us/119440 
 https://community.sophos.com/kb/en-us/35504 
 Thanks,

Aditya Patel · Answer

Hi Shred, 
 Please check the pattern update snapshot on your firewall. System > Backup and Firmware > Pattern update .

sachingurung · Answer

Hi, 
 We verified the lookup for the reported URL in our database and the results are clean. Can you please go to, Web > General Settings under Malware and Content Scanning section change the Anti Virus engine from Sophos to Avira and select the Scanning Mode as Real Time. 
 Update the pattern manually from, Backup and Firmware > Update Pattern > Update Pattern Now . Let us know the end results. 
 Thanks,