Is there really a virus in the Apple App Store?

  • Is there really a virus in the Apple App Store?

    When updating apps on an iPhone, I occasionally get the notification pasted below. Is this something to worry about or is something else going on?

    Thanks in advance


    The following event occurred on the Untangle Server @ 2019-07-11 18:55:42.87

    HTTP virus blocked:
    Virus Blocker Lite found virus [Ios.Trojan.FakeTelegram-6736161-0(8b33167fd0f3374c823b0ae7b09924e4:97903196)]
    {url prefix http removed since I don't have 5 posts yet}://iosapps.itunes.apple.com/itunes-assets/Purple113/v4/56/0f/7f/560f7ff4-7c5e-fffb-0254-4f8d72d46813/mzps.5751898295970274213.ipa?accessKey=1562966797_3283085085717157319_%2FtrpmwmPUue9uE3N6zGDJe3ZNsV1Hg5Nznx2O2gTPbkr5ad1fJ32y9UE7%2FewRrldWmHpb8QltJJCg6ntOL0EVJC0Rj63JzNUB%2FbgjnCPyeSWT8L2z8dsXREuukIao1ZW3g2Sc23v%2F3zzcnZ46XpuzTKN0DrlG9bBaabHKnyXlMhvPOtvKNXDt0ji9Ap%2FD5W0

    Causal Event: VirusHttpEvent
    {
    "timeStamp": "2019-07-11 18:55:42.87",
    "virusName": "Ios.Trojan.FakeTelegram-6736161-0(8b33167fd0f3374c823b0ae7b09924e4:97903196)",
    "appName": "virus_blocker_lite",
    "requestLine": "GET {url prefix http removed since I don't have 5 posts yet}://iosapps.itunes.apple.com/itunes-assets/Purple113/v4/56/0f/7f/560f7ff4-7c5e-fffb-0254-4f8d72d46813/mzps.5751898295970274213.ipa?accessKey=1562966797_3283085085717157319_%2FtrpmwmPUue9uE3N6zGDJe3ZNsV1Hg5Nznx2O2gTPbkr5ad1fJ32y9UE7%2FewRrldWmHpb8QltJJCg6ntOL0EVJC0Rj63JzNUB%2FbgjnCPyeSWT8L2z8dsXREuukIao1ZW3g2Sc23v%2F3zzcnZ46XpuzTKN0DrlG9bBaabHKnyXlMhvPOtvKNXDt0ji9Ap%2FD5W0",
    "clean": false,
    "sessionEvent": {
    "entitled": true,
    "hostname": "removed",
    "CServerPort": 80,
    "protocol": 6,
    "protocolName": "TCP",
    "serverLatitude": 32.7787,
    "localAddr": "/removed",
    "SServerAddr": "/17.253.3.205",
    "remoteAddr": "/17.253.3.205",
    "serverIntf": 201,
    "CClientAddr": "/removed",
    "serverCountry": "US",
    "sessionId": 102356021027952,
    "SClientAddr": "/10.183.0.42",
    "clientCountry": "XL",
    "CClientPort": 56300,
    "policyRuleId": 0,
    "timeStamp": "2019-07-11 18:55:42.844",
    "serverLongitude": -96.8217,
    "clientIntf": 2,
    "policyId": 1,
    "SClientPort": 18841,
    "bypassed": false,
    "SServerPort": 80,
    "CServerAddr": "/17.253.3.205",
    "tagsString": ""
    }
    }
    This is an automated message sent because the event matched the configured Event Rules.

  • #2
    Here’s another example. In the Apple App Store the “virus” is the Yelp app. Is this a false positive? Any advice or information is appreciated.


    The following event occurred on the Untangle Server @ 2019-07-19 20:37:11.015

    HTTP virus blocked:
    Virus Blocker Lite found virus [Ios.Trojan.FakeTelegram-6736161-0(4bc5ddc5fb21f68029478e08b5de124f:104857600)] {url prefix http removed since I don't have 5 posts yet}://iosapps.itunes.apple.com/itunes-assets/Purple123/v4/9e/cc/1b/9ecc1b47-d878-47d3-6f5d-36fab3bcf7f0/pre-thinned6074452400923972366.thinned.signed.dpkg.ipa?accessKey=1563781029_5662997473619334732_OYJ7gqHIJd2uR10T1TlDImj%2BDhPvoS1DgcX%2FuIb1dsJfUNQVgl5SEIyA8t5SAxydopdUPszCOYmUy7FwAFyX1vlgk1pBqpT6GfpobV8yE823HF3fqiR95QEq%2FiJm9KIWQsC2b9rvpjHMQ11Dnb%2FuKuh44%2Fn6zk%2BnT6Xzcn3IJIPUqQWuG6bknPJQpO6T5y8dz93y6Iat1Jnc9SEyK3B1Sw%3D%3D

    Causal Event: VirusHttpEvent
    {
    "timeStamp": "2019-07-19 20:37:11.015",
    "virusName": "Ios.Trojan.FakeTelegram-6736161-0(4bc5ddc5fb21f68029478e08b5de124f:104857600)",
    "appName": "virus_blocker_lite",
    "requestLine": "GET {url prefix http removed since I don't have 5 posts yet}://iosapps.itunes.apple.com/itunes-assets/Purple123/v4/9e/cc/1b/9ecc1b47-d878-47d3-6f5d-36fab3bcf7f0/pre-thinned6074452400923972366.thinned.signed.dpkg.ipa?accessKey=1563781029_5662997473619334732_OYJ7gqHIJd2uR10T1TlDImj%2BDhPvoS1DgcX%2FuIb1dsJfUNQVgl5SEIyA8t5SAxydopdUPszCOYmUy7FwAFyX1vlgk1pBqpT6GfpobV8yE823HF3fqiR95QEq%2FiJm9KIWQsC2b9rvpjHMQ11Dnb%2FuKuh44%2Fn6zk%2BnT6Xzcn3IJIPUqQWuG6bknPJQpO6T5y8dz93y6Iat1Jnc9SEyK3B1Sw%3D%3D",
    "clean": false,
    "sessionEvent": {
    "entitled": true,
    "hostname": "Removed",
    "CServerPort": 80,
    "protocol": 6,
    "protocolName": "TCP",
    "serverLatitude": 32.7787,
    "localAddr": "/removed",
    "SServerAddr": "/17.253.3.203",
    "remoteAddr": "/17.253.3.203",
    "serverIntf": 201,
    "CClientAddr": "/removed",
    "serverCountry": "US",
    "sessionId": 102356021709589,
    "SClientAddr": "/10.125.0.122",
    "clientCountry": "XL",
    "CClientPort": 51720,
    "policyRuleId": 0,
    "timeStamp": "2019-07-19 20:37:10.988",
    "serverLongitude": -96.8217,
    "clientIntf": 2,
    "policyId": 1,
    "SClientPort": 49916,
    "bypassed": false,
    "SServerPort": 80,
    "CServerAddr": "/17.253.3.203",
    "tagsString": ""
    }
    }

    This is an automated message sent because the event matched the configured Event Rules.



    • #3
      Hi, and welcome to the forums.

      The open source detection engine behind Virus Blocker Lite has been known to provide some false positives. Obviously it's not an apples to apples comparison—or, rather, apps to apps—but I'm not seeing virus detections under Virus Blocker when updating Apple devices.

      So I can't assure you that you're seeing false positives, but that could be the case.

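As an added triage example (not from the thread and not Untangle code), the Python below parses a VirusHttpEvent of the shape quoted above, splits the signature string into its name, MD5 and byte count, and marks hits on an assumed allowlist of hosts (here the Apple CDN host from the posts) for a second opinion instead of treating the block as confirmed malware. The sample event is constructed from the first post with the accessKey replaced and unused session fields dropped.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the first VirusHttpEvent quoted in the thread;
# the accessKey is replaced and session fields not used here are omitted.
APPLE_EVENT = json.dumps({
    "timeStamp": "2019-07-11 18:55:42.87",
    "virusName": "Ios.Trojan.FakeTelegram-6736161-0(8b33167fd0f3374c823b0ae7b09924e4:97903196)",
    "appName": "virus_blocker_lite",
    "requestLine": "GET http://iosapps.itunes.apple.com/itunes-assets/Purple113/v4/56/0f/7f/"
                   "560f7ff4-7c5e-fffb-0254-4f8d72d46813/mzps.5751898295970274213.ipa?accessKey=CONSTRUCTED",
    "clean": False,
    "sessionEvent": {"SServerAddr": "/17.253.3.205", "SServerPort": 80, "protocolName": "TCP"},
})

# The quoted names end in (32-hex-MD5:byte-count); reading that as a file-hash signature
# is an assumption, the regex only takes the shape apart.
SIG_RE = re.compile(r"^(?P<name>[^(]+)\((?P<md5>[0-9a-fA-F]{32}):(?P<size>\d+)\)$")

# Hosts whose downloads get a second opinion (another engine or a hash lookup) before the
# block is treated as confirmed malware. Assumed list; the Apple host comes from the posts.
SECOND_OPINION_HOSTS = {"iosapps.itunes.apple.com"}

def parse_signature(virus_name):
    # Names without the (md5:size) suffix keep md5 and size as None.
    m = SIG_RE.match(virus_name)
    if not m:
        return {"name": virus_name, "md5": None, "size": None}
    return {"name": m.group("name"), "md5": m.group("md5").lower(), "size": int(m.group("size"))}

def triage(event_json):
    # Return the fields an analyst needs to decide whether a block is a false positive.
    ev = json.loads(event_json)
    _method, _, url = ev["requestLine"].partition(" ")
    parts = urlsplit(url)
    host = parts.hostname or ""
    sig = parse_signature(ev["virusName"])
    return {
        "verdict": "second-opinion" if host in SECOND_OPINION_HOSTS else "investigate",
        "signature": sig["name"],
        "file_md5": sig["md5"],  # value to look up in a second engine
        "file_size": sig["size"],
        "host": host,
        "filename": parts.path.rsplit("/", 1)[-1],
        "server_ip": ev["sessionEvent"]["SServerAddr"].lstrip("/"),
        # The perimeter scanner only saw the bundle because it travelled over plain HTTP on port 80.
        "plaintext_http": parts.scheme == "http" and ev["sessionEvent"]["SServerPort"] == 80,
    }
```

Run `triage(APPLE_EVENT)` to get a dict you can paste into a ticket; any host not in the allowlist comes back as `investigate`.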


      • #4
        Thanks Sam for the reply. It does seem to happen randomly and not all that often, so I’ll leave everything as is for now and continue to monitor.



        • #5
          That seems reasonable.

          I'm wondering if you could use Web Monitor (if you're trying to stick with the free product) as a parallel, separate check. I know some Untangle users rely solely on Web Filter for perimeter virus protection. Web Monitor, as I understand it, lacks the protection features of Web Filter but will log violations, just as Web Filter would.

