10-21-2018 12:39 PM - edited 10-21-2018 02:25 PM
Got the same, 40+ warnings. The warnings occur 2 to 5 minutes apart. The source is a HiFi (Marantz NR1606) system.
IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE User-Agent (Mozilla/4.0 (compatible)). From: 192.168.1.13:4883, to: 220.127.116.11:80, protocol: TCP
whois lookup for: 18.104.22.168
ISP: Fastly
Usage Type: Content Delivery Network
Hostname: profile-images.scdn.co
Domain Name: fastly.com
Country:
City: San Francisco, California
11-30-2018 06:25 AM
I recently started noticing these alerts. I captured packets to the destination and learned that the TCP port 80 session was related to checking the certificate revocation list (CRL) status for an SSL cert.
The destination IP was in the US at 22.214.171.124; no PTR record for that IP address, but it is in an address block owned by Verizon. The packet capture revealed the hostname: ocsp.digicert.com
Clearly a false positive, but I am not a fan of disabling or suppressing signatures just because they generate false positives. Any chance of tweaking the signature? Do we as users have this ability?
12-05-2018 08:59 AM
I recently turned on IPS, and am getting these errors. I can confirm that the IP address is my iPhone and I have WeChat on it as we have a child studying in China. Interestingly, only my IP address shows, whereas my wife who chats with our child every day does not. I am guessing that it is something that we have to live with until he returns.
12-19-2018 01:12 PM
I don't think it's the WeChat. I had WeChat on all the time, and never got this problem. It's actually another app developed by the same company, called QQ. Every time I launch that on my phone, I get this alert.
01-04-2019 10:49 AM
I have a Marantz amplifier which has internet radio. Whenever I tried to use this in-built app I received a similar message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE User-Agent (Mozilla/4.0 (compatible)). From: 192.168.1.115:2583, to: 126.96.36.199:80, protocol: TCP
It seems that the reason why this happened is that I have IPS (Intrusion Prevention System) turned on: Settings - IPS.
To solve a problem like this you can either switch to IDS (Intrusion Detection System), which will make your network less protected, or - and this is what I did - you can whitelist the IP that is causing the alert. For some of you this might not work, but I saw some comments which show problems similar to mine, and in those cases this is definitely a solution.
I added the IP for both directions to whitelisting and after provisioning the internet radio started to work.
Hope this helps some of you!
01-13-2019 03:17 PM
I see the exact same message. I wonder how one would get the attention of developers at LG to clue them in on the misspelling of the call.
In the meantime, whitelisting seems to be the only thing to do.
3 weeks ago
I am getting these constantly via my wife's WeChat application.
The IP addresses are 188.8.131.52-80, 184.108.40.206, and 220.127.116.11
IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 192.168.1.21:61975, to: 18.104.22.168:80, protocol: TCP
IP lookup places them all as Tencent, which is the parent company. My concern is whether this is valid, or relaying through Tencent to a malicious third party. Malware out of China is pretty rampant, especially via mobile apps.
Is this safe and can I whitelist, or are there issues with this traffic?
I am seeing a dozen events daily.
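An added example, not written by any poster in this thread: a small triage script that parses alert lines in the layout quoted above and groups them by source host and signature, so you can see which device and which destinations account for the noise before deciding what to capture or whitelist. The names `ALERT_RE`, `parse_alert`, `summarize` and `SAMPLE` are hypothetical, and two of the sample lines are constructed as marked in the comments.

```python
import re
from collections import defaultdict

# Alert layout exactly as quoted in the posts above. The signature name itself
# contains dots and parentheses, so it is matched lazily up to ". From:".
ALERT_RE = re.compile(
    r"IPS Alert (?P<priority>\d+): (?P<classification>.+?)\. "
    r"Signature (?P<signature>.+?)\. "
    r"From: (?P<src>[\d.]+):(?P<sport>\d+), "
    r"to: (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"protocol: (?P<proto>\w+)"
)

# Lines 1, 3 and 4 are the alerts quoted in the thread; line 2 (a repeat from
# the same host) and line 5 (a truncated entry) are constructed for the example.
SAMPLE = """\
IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE User-Agent (Mozilla/4.0 (compatible)). From: 192.168.1.13:4883, to: 220.127.116.11:80, protocol: TCP
IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE User-Agent (Mozilla/4.0 (compatible)). From: 192.168.1.13:4901, to: 220.127.116.11:80, protocol: TCP
IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE User-Agent (Mozilla/4.0 (compatible)). From: 192.168.1.115:2583, to: 126.96.36.199:80, protocol: TCP
IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 192.168.1.21:61975, to: 18.104.22.168:80, protocol: TCP
IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE User-Agent (Mozilla/4.0 (compatible)). From: 192.168.1.13:4
"""

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line does not match."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Group alerts by (source IP, signature); keep unparsed lines for review."""
    groups = defaultdict(lambda: {"count": 0, "destinations": set()})
    unparsed = []
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            unparsed.append(line)  # never drop silently: may be a new format
            continue
        group = groups[(alert["src"], alert["signature"])]
        group["count"] += 1
        group["destinations"].add(f'{alert["dst"]}:{alert["dport"]}')
    return dict(groups), unparsed

if __name__ == "__main__":
    groups, unparsed = summarize(SAMPLE.splitlines())
    for (src, sig), g in sorted(groups.items()):
        print(f"{src}  {g['count']}x  {sig}  ->  {sorted(g['destinations'])}")
    print(f"{len(unparsed)} line(s) did not match the alert layout")
```
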