emanuele-f / PCAPdroid

No-root network monitor, firewall and PCAP dumper for Android
https://emanuele-f.github.io/PCAPdroid
GNU General Public License v3.0
2.08k stars 260 forks

Mention the Blacklist source when Malware connection is detected and other disclosures #440

Open kevin0t opened 1 month ago

kevin0t commented 1 month ago

While using some of the apps I saw that the malware detection service had detected some connections as malware and blocked them. These apps were mostly crypto-related, which I had downloaded through official sources and believe are quite reputable. Therefore the chances of these connections being actually malicious are low and it is probably a false positive. But it would be better if the UI mentioned the source database according to which it was flagged.

I know it is not too difficult to manually do a reverse lookup across all the current 5 databases and find which database flagged it, but it would have been a lot easier if PCAPdroid told it right in the UI itself, so that the user can double-verify themselves whether the IP is a false positive and whether to rely on that source.

Also, a note on the connection page where a malware IP/domain is detected: "Connection is flagged and blocked according to the "xyz" source; users are advised to do their own research and determine whether the connection is really malicious or not."

Maybe put a link to a section in the docs explaining possible safeguards in such a situation. This note could be important, as when a user sees such a notification with the 💀 symbol, they might be confused and not really understand the risks of it, why it happened, and what they can do about it.

emanuele-f commented 1 month ago

Which was the domain in your case?

kevin0t commented 1 month ago

The domain/IP in my case is 45.128.232.77, which the robosats app was connecting to. Link to the RoboSats GitHub: https://github.com/RoboSats/robosats/ The app primarily connects through Tor and has its own Tor daemon running. Should I whitelist this connection?

emanuele-f commented 1 month ago

This is a common problem when an IP address is reused (e.g. Tor, or even a VPS); such false positives are expected. You should use the whitelist for such situations, after investigation.
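The manual "reverse lookup across all the databases" the reporter describes, plus the whitelist-after-investigation step suggested in the reply, as an added example. This is illustration code written for this page, not PCAPdroid's own code, and the feed names and every entry in them are constructed (the IP ranges are RFC 5737 documentation addresses); PCAPdroid's real blocklist sources and their formats are not reproduced here. The script parses feeds in the formats such lists commonly use (bare IPs, CIDR ranges, hostnames, hosts-file lines, `#` comments), checks an IP or domain against each, reports which feed(s) matched, and lets a user whitelist a reused address such as a Tor exit so it is no longer reported as flagged:

```python
"""Reverse-lookup an IP or domain across several blocklist feeds and report which
feed(s) flagged it, honouring a per-user whitelist.

Example code for illustration only. The feed names and entries below are
constructed (hypothetical), not PCAPdroid's real blocklists.
"""
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, List, NamedTuple, Set, Union

# Constructed sample feeds. Formats deliberately vary: plain IPs, CIDR ranges,
# hostnames, hosts-file style "0.0.0.0 host" lines, and '#' comments.
FEEDS: Dict[str, str] = {
    "example-ip-feed": """
# generic IP blocklist (constructed entries)
203.0.113.7
198.51.100.0/24
""",
    "example-tor-exits": """
# Tor exit node list (constructed). A reused exit IP is the classic
# false-positive source described in this issue.
192.0.2.10
203.0.113.7
""",
    "example-domain-feed": """
# domain blocklist (constructed), mixing hosts-file and bare-hostname lines
0.0.0.0 malicious.example
bad.example.net
""",
}

Network = Union[IPv4Network, IPv6Network]


class Feed(NamedTuple):
    nets: List[Network]
    domains: Set[str]


def parse_feed(text: str) -> Feed:
    """Parse one feed: drop comments/blank lines, classify each entry as network or domain."""
    nets: List[Network] = []
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # hosts-file style "0.0.0.0 host" / "127.0.0.1 host": the host is the entry
        if len(fields) == 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            token = fields[1]
        else:
            token = fields[0]
        try:
            # strict=False accepts host bits set in a CIDR (e.g. 10.1.2.3/24)
            nets.append(ip_network(token, strict=False))
        except ValueError:
            domains.add(token.lower().rstrip("."))
    return Feed(nets, domains)


def matches(indicator: str, feed: Feed) -> bool:
    """True if the IP falls in one of the feed's networks, or the host (or any
    parent domain of it) is listed: sub.bad.example.net matches bad.example.net."""
    try:
        addr = ip_address(indicator)
    except ValueError:
        labels = indicator.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in feed.domains for i in range(len(labels)))
    return any(addr in net for net in feed.nets)


def lookup(indicator: str, feeds: Dict[str, str], whitelist: Set[str] = frozenset()) -> dict:
    """Return which feeds list the indicator and whether it is still considered
    flagged after applying the user's whitelist."""
    parsed = {name: parse_feed(text) for name, text in feeds.items()}
    sources = sorted(name for name, feed in parsed.items() if matches(indicator, feed))
    whitelisted = indicator in whitelist
    return {
        "indicator": indicator,
        "sources": sources,              # the "according to xyz source" information
        "whitelisted": whitelisted,
        "flagged": bool(sources) and not whitelisted,
    }


if __name__ == "__main__":
    # Constructed indicators only; the Tor exit address is whitelisted after "investigation".
    for ind in ("203.0.113.7", "198.51.100.42", "sub.bad.example.net", "192.0.2.10"):
        print(lookup(ind, FEEDS, whitelist={"192.0.2.10"}))
```

Showing the matching feed per indicator is exactly what makes a false positive cheap to triage: an address that appears only in a Tor exit list, for an app that runs its own Tor daemon, is a very different signal from one that appears in several independent feeds, and the whitelist decision can be made with that in view.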