MBAM Pro blocks Private Internet Access (PIA) VPN Rubyw.exe

Greetings everyone,

First off let me say I am proud to be a long term user of MBAM Pro and I highly endorse, to all my colleagues, the fantastic product that the team at Malwarebytes offers to protect my PC. Secondly, apologies if this is not the correct place to post this, as this is the first time I have had to post an issue. With that out of the way, time to get down to the issue at hand:

I recently purchased an annual license for Private Internet Access (PIA), a VPN service, to resolve my ISP's monkey business with YouTube, Twitch, and the internet in general. So far everything is fine and I have noticed a MASSIVE boost in network consistency and bandwidth with a minor sacrifice in ping times. However, I also noticed MBAM Pro consistently attempts to IP-Block "Rubyw.exe", which is the runtime environment PIA uses for connectivity and management purposes. While it hasn't hindered VPN performance as far as I know (and tends to happen whenever I turn it off), it is quite annoying. Whitelisting the process does not resolve the issue either, since they are all randomized and dynamically connect to random ports.

My overall question: is there a solution to this, or am I stuck with the excessive IP-Blocks?

Below I have enclosed my log, though it continually updates over time.

Here is the protection log for today; for whatever reason, the log would not upload as a file:


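As an added example (not from this thread, nor Malwarebytes or PIA code), the script below parses lines in the MBAM protection-log format quoted above, groups the IP-BLOCK events by process and destination address, and profiles each group: how many hits, how many distinct ports, whether every port sits in the ephemeral range (which is why a port-keyed exception never matches the next connection), and the median interval between events. The embedded log is constructed; the hostname, user and 192.0.2.x addresses are placeholders, not the poster's values.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the MBAM 1.x protection-log format; hostname, user
# and addresses are placeholders, not the poster's values.
SAMPLE_LOG = """\
2014/03/11 01:03:00 -0500 HOST-PC alice IP-BLOCK 192.0.2.34 (Type: outgoing, Port: 64633, Process: rubyw.exe)
2014/03/11 01:04:05 -0500 HOST-PC alice IP-BLOCK 192.0.2.34 (Type: outgoing, Port: 64731, Process: rubyw.exe)
2014/03/11 01:05:01 -0500 HOST-PC alice IP-BLOCK 192.0.2.34 (Type: outgoing, Port: 64751, Process: rubyw.exe)
2014/03/11 01:06:06 -0500 HOST-PC alice IP-BLOCK 192.0.2.54 (Type: outgoing, Port: 64774, Process: rubyw.exe)
2014/03/11 01:07:02 -0500 HOST-PC alice IP-BLOCK 192.0.2.54 (Type: outgoing, Port: 64827, Process: rubyw.exe)
2014/03/11 01:09:03 -0500 HOST-PC alice IP-BLOCK 192.0.2.54 (Type: outgoing, Port: 64913, Process: rubyw.exe)
2014/03/11 01:09:30 -0500 HOST-PC alice (constructed line that is not an IP-BLOCK event)
"""

# One IP-BLOCK line: timestamp, UTC offset, host, user, destination, then details.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>[\d.]+) "
    r"\(Type: (?P<dir>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # anything that is not an IP-BLOCK event
    when = datetime.strptime(f"{m['ts']} {m['tz']}", "%Y/%m/%d %H:%M:%S %z")
    return {"when": when, "ip": m["ip"], "direction": m["dir"],
            "port": int(m["port"]), "process": m["proc"].lower()}

def summarize(log_text):
    """Group IP-BLOCK events by (process, destination IP) and profile each group."""
    groups, skipped = defaultdict(list), 0
    for raw in filter(str.strip, log_text.splitlines()):
        ev = parse_line(raw)
        if ev is None:
            skipped += 1  # counted so the caller knows what the parser ignored
            continue
        groups[(ev["process"], ev["ip"])].append(ev)
    report = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["when"])
        gaps = [(b["when"] - a["when"]).total_seconds() for a, b in zip(evs, evs[1:])]
        ports = {e["port"] for e in evs}
        report[key] = {
            "hits": len(evs),
            "distinct_ports": len(ports),
            # 49152-65535 is the IANA ephemeral range: throwaway ports, so a port rule cannot stick.
            "all_ephemeral": all(p >= 49152 for p in ports),
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
    return report, skipped

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A steady one-minute cadence to a handful of addresses from a process living under a Temp path is exactly the shape a behavioural blocker keys on, so the output is what to compare against the vendor's "ping-time check" explanation further down the thread.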
This posting should tell you why it's blocked:

https://malwarebytes.zendesk.com/forums/21637537-Software-Blocked

MBAM 2.0 RC (beta software) can possibly help you with this, as it should support whitelisting based on application:

https://forums.malwarebytes.org/index.php?showtopic=143888

Thanks for the informative and to-the-point reply. I have no doubt that the shared IP address across multiple domains is probably what's causing the issue.

I downloaded the MBAM 2.0 RC and, while there is no method (though I haven't delved too deep into the new interface), there was a trend that I noticed among the tooltip bubbles. Although the IP addresses and port numbers are dynamic, the tooltip bubble in the new interface consistently refers to a folder in "C:\Users\Chad\AppData\Local\Temp\ocr9B0.tmp\bin\rubyw.exe". Originally, when I first started using PIA, that temp folder always changed; however, over the last couple of days I tweaked the settings to always connect to the same server located closest to me for performance reasons (specifically US - Texas). Prior to that I allowed PIA to select which server I connect to (not good for performance or security, I realize), which leads me to believe that PIA creates a directory based off which server you connect to. Now whether that changes whenever I shut down my PC, I am uncertain. To compound the mystery, as I type this I am currently not connected to any of PIA's servers, which has me curious as to why there are outgoing requests to these domains, possibly for caching purposes, but nonetheless unusual. If I were to connect, it might be possible that the folder will once again change and, honestly, I don't see myself creating an exception for every instance a new folder is created, for obvious security reasons.

Based on this information, would you suggest requesting a refund, uninstalling Private Internet Access and finding another solution? I doubt any malicious activity is occurring, but as a security-conscious individual I am moderately suspicious of all this, and that's nothing new, as I often don't even trust links anymore unless I am in a sandboxed browser environment.

After doing a little bit more digging, it appears that there could be a myriad of reasons why PIA's Ruby runtime environment is flagged by MBAM's realtime protection module. According to this (https://www.privateinternetaccess.com/forum/index.php?p=/discussion/790/questions-regarding-the-backround-network-scans-of-rubyw-exe/p1) article, an alleged IT security consultant found several unusual requests to a variety of domains, which occurred when not connected to the VPN.

When PIA was questioned about this by the same individual, he asked the following:

Why does the software do this?

Please explain in detail. I'm not scared by technical descriptions, but would consider answers like "to make the software better" as an affront.

Why are connections to IPs being established that clearly have no connection with privateinternetaccess?

How are addresses transmitted? What data is transmitted?

Why is rubyw.exe created dynamically on every start and how can I avoid this?

My local firewall considers the exe as a new file every time (which it is) and won't remember the last allow/deny-answer.

Can the scanning be deactivated?

The scanning probably violates the internet agreement I have with my landlord. Also I find it unnecessary to have scans run constantly when I'm using PIA maybe twice a week.

Please confirm that you are NOT scanning or validating "free proxies" that may or may not be malicious, to use those later in paid VPN connections. Can I be sure that VPN connections go only through your very own servers or contracted partners that are obliged to your privacy and security terms?

In response to this, a Tier II Technical Support technician at PIA Inc known only as "alex b" replied to each of his questions with the following:

Rubyw.exe is the Windows Ruby interpreter, and our software runs as a packaged copy of our script + all required gems + the executable. It bootstraps from the executable, extracts a copy of Ruby and all gems needed to run. Our developers are working on making it so it only does a single extraction, as we do have a number of complaints about its re-extraction into a temp location every time it's run. As this is a Ruby script, it's seen as rubyw.exe, even though it's our app running.

This would explain why there are randomized folders and processes each time PIA is executed.

Why does the software do this?: Our software makes network calls back to our servers in order to check and verify the ping time between your machine and our various servers. As we do not maintain all servers in a geo-location in the same datacenter, it's possible to have some datacenters be faster than others.

This makes some degree of sense, but at the same time, why is this happening so frequently when, honestly, you'll probably only shave a few ms here and there?

Non-PIA IPs being contacted: This is just an rDNS error. Your application is doing an rDNS lookup, and like a phone book, rDNS has to be updated. We keep ours updated to be reasonable, and to help disguise some of the connections; if you can run this without any access to rDNS, or nameserver lookups, you'll likely see that all of these are to PIA IP addresses.

I'm not sure I buy his argument here. While I get that this can be used to conceal some connections, when you connect to PIA's servers the IP addresses assigned are already shared amongst the servers, which means all you could obtain from a reverse DNS lookup is the DNS of PIA's servers. Until more information about such matters is revealed (which probably never will be, for the sake of "security"), I'm not buying it.

Scanning deactivation: At this time, no; this is used to help determine the best server for you to connect to within the geo-location.

Mind you, this article was posted about a year ago; still waiting for an answer as to why they haven't provided a solution to this.

Proxy scanning: We do no proxy scanning, and you will only be connecting to a PIA-owned server for any VPN connections that you make. We do not route customer connections anywhere but to servers under our control.

This is probably the most compelling answer out of the entire response, which to me is a near-complete paradox to the technician's denial of suspicious connections that may or may not be malicious. If they are in fact routing clients only to servers they own, then why are the IP addresses coming back as potentially malicious, especially when you consider his statement about rDNS? All of a sudden you have malicious domains occupying DNS you once used? I'm no network expert, but that to me sounds like a borderline admission - if not an indication that they are constantly under attack - of suspicious routing.

At this point, I cannot formally declare that they are definitely suspicious, but I also cannot say they are not either. *sigh* The price we pay for not knowing things - literally.

  • 1 month later...

I second this post. Long-time user with massive amounts of references; this is driving me nuts. I have added exceptions; it still prevents connection. I cringe at having to disable Malwarebytes, but it's the only way to engage my VPN. Please fix this, I love you guys!
