
Malware false positive from iOS devices

I've noticed several of these entries in the logs as malware:

2018-05-08 08:12:02 Malware messageid="08001" log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" fw_rule_id="5" user="" web_policy_id="12" policy_name="" virus="" url="eventtracking.hubapi.com/.../*[deleted]" domain="eventtracking.hubapi.com" src_ip="172.16.16.50" src_country="R1" dst_ip="104.17.202.204" dst_country="USA" protocol="TCP" src_port="52636" dst_port="80" bytes_sent="632" bytes_received="729" user_agent="Mozilla/5.0 (iPad; CPU OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E302" status_code="500"

It appears to be only coming from my iOS devices. I'm fairly confident it's not actually malware but I'm curious as to what is causing Sophos XG to flag it as malware. Anyone else seeing this or know what's causing it? I can't seem to isolate it to a certain app or website either.
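A small triage helper for entries like the one above, added here as an example and not taken from the thread or from Sophos: it parses XG key="value" lines and separates "Virus" events that carry no detection name and an upstream HTTP 500 (the pattern in this thread) from events with a named detection. The sample lines are constructed from the entries quoted in the thread plus one made-up EICAR entry, and the triage rule is this example's own heuristic, not a Sophos rule.

```python
import re
from collections import Counter

# Constructed sample entries, modelled on the two lines quoted in this thread, plus one
# made-up entry with a named detection (the EICAR test file) for contrast. Not real captures.
SAMPLE_LOGS = [
    '2018-05-08 08:12:02 Malware messageid="08001" log_type="Anti-Virus" log_component="HTTP" '
    'log_subtype="Virus" virus="" url="eventtracking.hubapi.com/.../deleted" '
    'domain="eventtracking.hubapi.com" src_ip="172.16.16.50" dst_ip="104.17.202.204" '
    'user_agent="Mozilla/5.0 (iPad; CPU OS 11_3 like Mac OS X)" status_code="500"',
    'messageid="08001" log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" virus="" '
    'domain="eventtracking.hubapi.com" src_ip="192.168.0.130" dst_ip="104.17.200.204" '
    'user_agent="Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" status_code="500"',
    'messageid="08001" log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" '
    'virus="EICAR-AV-Test" domain="av-test.example" src_ip="192.168.0.7" status_code="200"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value"; XG values carry no embedded quotes

def parse_xg_line(line):
    """Turn one Sophos XG key="value" line into a dict; any leading timestamp/category prefix is skipped."""
    return dict(KV_RE.findall(line))

def classify(entry):
    """Triage label for an Anti-Virus entry. The rule is this example's assumption, not a Sophos rule:
    a "Virus" event with an empty virus name and an HTTP 500 from the server names nothing a scanner
    could have matched, so it belongs in the false-positive review queue, not the incident queue."""
    if entry.get("log_subtype") != "Virus":
        return "not-a-detection"
    if entry.get("virus", "") == "":
        return "review-empty-name-http500" if entry.get("status_code") == "500" else "review-empty-name"
    return "named-detection"

def triage(lines):
    """Parse lines, keep Anti-Virus events and return (domain, label, user_agent) per event."""
    out = []
    for line in lines:
        entry = parse_xg_line(line)
        if entry.get("log_type") == "Anti-Virus":
            out.append((entry.get("domain", "?"), classify(entry), entry.get("user_agent", "")))
    return out

def summarize(results):
    """Count events per (domain, label) so repeat offenders stand out in a reclassification request."""
    return dict(Counter((domain, label) for domain, label, _ in results))

if __name__ == "__main__":
    for (domain, label), n in sorted(summarize(triage(SAMPLE_LOGS)).items()):
        print(f"{n:3d}  {label:28s} {domain}")
```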



  • Hi,

    Make sure the patterns are up to date. Alongside, did you do a virus check through VirusTotal? What is the scan result? If Sophos is detecting a false positive then raise a reclassification request. Please refer to:

    https://community.sophos.com/kb/en-us/119440

    https://community.sophos.com/kb/en-us/35504

    Thanks, 

  • I ran eventtracking.hubapi.com through VirusTotal.com and 0/67 engines are detecting it as malware. I've submitted a support case reporting this as a false positive.

  • Well, I submitted a support case per the KB article that was linked to above. Since I'm using Sophos XG Home, I was told support doesn't offer help and to utilize these community forums. I wasn't looking for help but just trying to provide some feedback to improve Sophos XG. I have no idea if anything was done with the support case.

  • Hi Shred, 

    Please check the pattern update snapshot on your firewall: System > Backup and Firmware > Pattern update.

  • Hi,

    We verified the lookup for the reported URL in our database and the results are clean. Can you please go to Web > General Settings and, under the Malware and Content Scanning section, change the Anti-Virus engine from Sophos to Avira and select the Scanning Mode as Real Time.

    Update the pattern manually from, Backup and Firmware > Update Pattern > Update Pattern Now. Let us know the end results.

    Thanks,

  • I don't mean to take over Shred's post, but since I am experiencing the same thing I will reply as well:

    Here's the Sophos pattern update:

    Sophos AV | 1.0.12632 | - | 08:05:27, May 25 2018 | Success

    Looked in logs and I'm still getting them, so here's one from this morning:

    messageid="08001" log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" fw_rule_id="5" user="" web_policy_id="4" policy_name="" virus="" url="eventtracking.hubapi.com/.../blahblahblah--stuff deleted ---" domain="eventtracking.hubapi.com" src_ip="192.168.X.130" src_country="R1" dst_ip="104.17.200.204" dst_country="USA" protocol="TCP" src_port="50822" dst_port="80" bytes_sent="686" bytes_received="602" user_agent="Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" status_code="500"

  • I've updated my settings per your instructions and will monitor for false positives. It's been about ten days since the last time I received one so it may take a couple weeks. For my own curiosity, is there something wrong with the Sophos AV engine and/or the "Batch" scanning mode? I guess I'm just wondering how it's reporting as malware if the database it's pulling from says it's a clean URL. Also, my patterns are up to date so I don't think that has been the issue. I went ahead and manually updated the patterns but the version and date did not change (current as of today and they are set to automatically update).
