@mtiede 

Nothing in those logs indicates anything from a Roku per se, just something using a potentially fake browser user agent.

Newer versions of RokuOS do include the Roku Browser which is based on Chromium, but again its not clear this is responsible for those messages.

There is a reference to Nokia.com and downloaded release notes, and a doc at emergingthreats.net

Do you have a Nokia device? Perhaps check that device for attempted connections.

Otherwise, I highly suggest you (at least temporarily) disable any such "Threat Protection" functionality in your modem/router/gateway, and try connecting the Roku again.

Sorry I didn't include it, but the event definitely came from the Roku and, I'm pretty sure was the reason the Roku said it couldn't find the internet.  The event said Source IP was RokuStreamingStick-480.

Why would the roku try to access "download.releasenotes.nokia.com"?  Just to have something to see if it could connect to the internet?

I did have Windows Phones (GREAT phones) that were related to Nokia because Microsoft bought their phone business, but that was years ago.  Might have even been before I got the Roku devices.  So I'm reasonably certain it is unrelated to my previous phones.

I think the emergingthreats.net is just where the potential threat was documented.

The IP address associated with download.releasenotes.nokia.com comes back to an Akamai address located in San Jose, so there's a good chance it's Roku.  It's probably an old domain still in a database somewhere.  I doubt it's a threat.

@mtiede 

The DNS resolution may be old/never updated/stale.

Yes, Windows Phones WERE (are?) great, but MS decided to bail on them, as it has many/most different hardware/software products over the years.

And yes, emergingthreats.net is the source your router/gateway is using to establish the supposed "threat", and again it may be false/old/stale/etc.

Again, I suggest you temporarily disable the "Threat Protection" (or use a lower setting) and see if your Rokus connect.

Last night I got a new "trojan" warning.  The "Threat Prevention" did NOT have a signature, but said "unknown" instead which is different than before.  It showed a payload:

00000000 47 45 54 20 2f 6f 6b 20 48 54 54 50 2f 31 2e 31 GET./ok.HTTP/1.1
00000010 0d 0a 48 6f 73 74 3a 20 63 61 70 74 69 76 65 2e ..Host:.captive.
00000020 72 6f 6b 75 2e 63 6f 6d 0d 0a 55 73 65 72 2d 41 roku.com..User-A
00000030 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e gent:.Mozilla/5.
00000040 30 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0..Accept:.*/*..
00000050 0d 0a ..

The source was a Roku and the target was 18.154.110.100 which is

"Amazon Technologies Inc. (AT-88-Z)"

Does that sound like anything familiar?  What might cause this?

Amazon, Amazon web services, Cloudfront etc.  These are all familiar to me.  I believe Roku themselves use a lot of Amazon servers, and they recommend Amazon as one of several major content delivery systems for app writers.