Private Internet Access being blocked as a worm

[randumbguy]

I just had a popup from MWB concerning PIA which I use for their VPN service. It alerted me that it was blocking a worm.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/22/20
Protection Event Time: 5:44 PM
Log File: 724a971e-2d2d-11eb-bd2a-3c970e169675.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1112
Update Package Version: 1.0.33286
License: Premium

-System Information-
OS: Windows 10 (Build 19041.630)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Private Internet Access\pia-service.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Worm
Domain: 
IP Address: 31.171.154.67
Port: 0
(No malicious items detected)
Type: Outbound
File: C:\Program Files\Private Internet Access\pia-service.exe

(end)

[ccodes]

I got pretty much the exact same alert 25 minutes ago.

I jumped on a chat to PIA and a member said that "any application that will change the network settings or any application that will bypass the regular tunnel of the device will be consider as worm by malwarebytes."

The same member also mention it has been a issue previously due to updates in MWB?

I have been running them both for years and this was my first time getting this alert.

Solution given was:

I see about this issue this can be resolved by adding the following files to the exception list of your Malwarebytes.

File Exclusions:
Windows:

    C:\Program Files\Private Internet Access

    C:\Program Files\Private Internet Access\tap\win10

    C:\Program Files\Private Internet Access\pia-client.exe

    C:\Program Files\Private Internet Access\pia-openvpn.exe

    C:\Program Files\Private Internet Access\pia-service.exe

    C:\Program Files\Private Internet Access\pia-support-tool.exe

    C:\Program Files\Private Internet Access\pia-wgservice.exe

    C:\Program Files\Private Internet Access\pia-unbound.exe

Once you've added the above exclusions to your antivirus software, be sure to Click "OK" to save. Then a reboot and reinstallation are required to establish these security changes. Please see our guides section for instructions on how to reinstall the VPN software or download a new copy of our software here.
https://www.privateinternetaccess.com/pages/download

 

Curious to see other responses.

[randumbguy]

34 minutes ago, ccodes said:

I have been running them both for years and this was my first time getting this alert.

Same here. I got an update to the app on my android device earlier today and I'm thinking the blocked address might be the update server for PIA because I've had the same error every five minutes or so for the past hour. At this point I'm going to wait for an answer from someone at MWB because its not my anti virus that is causing the problem in my eyes.

[AK6DN]

Got pretty much the same event about an hour ago. So I restored from a Macrium backup taken at 9am this morning. No change, still happened. Uninstalled PIA. Problem gone. Will likely follow above guidance to allow PIA an exclusion (as listed above).

IP address 31.171.154.67 translates to Albania FWIW.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/22/20
Protection Event Time: 7:00 PM
Log File: 0957fc0a-2d38-11eb-b756-fc4dd43f4d6a.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1112
Update Package Version: 1.0.33286
License: Premium

-System Information-
OS: Windows 10 (Build 18362.1198)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Private Internet Access\pia-service.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Worm
Domain:
IP Address: 31.171.154.67
Port: 0
(No malicious items detected)
Type: Outbound
File: C:\Program Files\Private Internet Access\pia-service.exe

(end)

[randumbguy]

Hmm, I see that now that I've looked up the IP. I put a support ticket into PIA to ask why their client would be trying to connect to this particular address and will post here when I get a reply. Because of the randomness of where the PIA app wants to communicate it makes me even more wary of simply whitelisting it all.

[JPopovic]

Hello,

The block will be removed.

Thank you and let us know if you need any additional help!

[SiggyMarvin]

So...do you mean this will just be part of a future malewarebytes update?  Also, are you recommended we do the white listing of PIA?  Not really comfortable with that either.

[SiggyMarvin]

[exile360]

If you check for updates, this should no longer be blocked.  The current database as of this posting is 1.0.33334.  You can verify which database version you have installed by opening Malwarebytes and navigating to settings by clicking the small gear icon in the upper right, then selecting the About tab and the database version should be listed under Update package version.  If you still have an earlier version, click the Check for updates link under the About tab and Malwarebytes should download the latest database.  Once updated, wait approximately 30 seconds for the database/protection to refresh itself, then test to verify that the block no longer occurs (or you may restart the system if you don't want to wait for the database to refresh after updating).

If you still see the block with the latest database please let us know.

Thanks

[AK6DN]

Ok, I updated MWB to 1.0.33334 and reinstalled PIA v2.5.1 and they are now happy with each other. No spurious MWB worm messages, PIA works fine.

[exile360]

Excellent, thanks for letting us know

If there is anything else we might help with please post.

Thanks

[SiggyMarvin]

So far so good.  Updated to 1.0.33336 and then restarted both PIA & MWB.  Seems OK so far.  Thanks!  Will do a system restart later.

[randumbguy]

I'm seeing the same thing again but with a different IP address this time around. I've attached a screenshot of the events from last night and yesterday. I'm also posting the latest event report below:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 2/18/21
Protection Event Time: 6:12 PM
Log File: f3d5c7b2-7257-11eb-aa01-3c970e169675.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37271
License: Premium

-System Information-
OS: Windows 10 (Build 19041.804)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Private Internet Access\pia-service.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: RiskWare
Domain: 
IP Address: 212.102.52.87
Port: 0
(No malicious items detected)
Type: Outbound
File: C:\Program Files\Private Internet Access\pia-service.exe

(end)

[JPopovic]

Hello,

This is a legit block since there is a potentially malicious file that is communicating with this IP address.

Here is the VirusTotal detection:

https://www.virustotal.com/gui/file/f4455ede7b38234cb5072c608990fada9a63fb3806df9638e03506e470c06902/detection

 

Thank you!