randumbguy Posted November 23, 2020 ID:1422659

I just had a popup from MWB concerning PIA, which I use for their VPN service. It alerted me that it was blocking a worm.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/22/20
Protection Event Time: 5:44 PM
Log File: 724a971e-2d2d-11eb-bd2a-3c970e169675.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1112
Update Package Version: 1.0.33286
License: Premium

-System Information-
OS: Windows 10 (Build 19041.630)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Private Internet Access\pia-service.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Worm
Domain:
IP Address: 31.171.154.67
Port: 0
(No malicious items detected)
Type: Outbound
File: C:\Program Files\Private Internet Access\pia-service.exe

(end)

ccodes Posted November 23, 2020 ID:1422661

I got pretty much the exact same alert 25 minutes ago. I jumped on a chat to PIA and a member said that "any application that will change the network settings or any application that will bypass the regular tunnel of the device will be consider as worm by malwarebytes." The same member also mentioned it has been an issue previously due to updates in MWB? I have been running them both for years and this was my first time getting this alert.

Solution given was:

I see about this issue this can be resolved by adding the following files to the exception list of your Malwarebytes.

File Exclusions:

Windows:
C:\Program Files\Private Internet Access
C:\Program Files\Private Internet Access\tap\win10
C:\Program Files\Private Internet Access\pia-client.exe
C:\Program Files\Private Internet Access\pia-openvpn.exe
C:\Program Files\Private Internet Access\pia-service.exe
C:\Program Files\Private Internet Access\pia-support-tool.exe
C:\Program Files\Private Internet Access\pia-wgservice.exe
C:\Program Files\Private Internet Access\pia-unbound.exe

Once you've added the above exclusions to your antivirus software, be sure to Click "OK" to save. Then a reboot and reinstallation are required to establish these security changes. Please see our guides section for instructions on how to reinstall the VPN software or download a new copy of our software here. https://www.privateinternetaccess.com/pages/download

Curious to see other responses.

randumbguy Posted November 23, 2020 Author ID:1422664

34 minutes ago, ccodes said:
    I have been running them both for years and this was my first time getting this alert.

Same here. I got an update to the app on my Android device earlier today and I'm thinking the blocked address might be the update server for PIA, because I've had the same error every five minutes or so for the past hour. At this point I'm going to wait for an answer from someone at MWB because it's not my anti virus that is causing the problem in my eyes.

AK6DN Posted November 23, 2020 ID:1422680

Got pretty much the same event about an hour ago. So I restored from a Macrium backup taken at 9am this morning. No change, still happened. Uninstalled PIA. Problem gone. Will likely follow above guidance to allow PIA an exclusion (as listed above). IP address 31.171.154.67 translates to Albania FWIW.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/22/20
Protection Event Time: 7:00 PM
Log File: 0957fc0a-2d38-11eb-b756-fc4dd43f4d6a.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1112
Update Package Version: 1.0.33286
License: Premium

-System Information-
OS: Windows 10 (Build 18362.1198)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Private Internet Access\pia-service.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Worm
Domain:
IP Address: 31.171.154.67
Port: 0
(No malicious items detected)
Type: Outbound
File: C:\Program Files\Private Internet Access\pia-service.exe

(end)

randumbguy Posted November 23, 2020 Author ID:1422704

Hmm, I see that now that I've looked up the IP. I put a support ticket into PIA to ask why their client would be trying to connect to this particular address and will post here when I get a reply. Because of the randomness of where the PIA app wants to communicate it makes me even more wary of simply whitelisting it all.

Staff Solution JPopovic Posted November 23, 2020 ID:1422715

Hello,

The block will be removed.

Thank you and let us know if you need any additional help!

SiggyMarvin Posted November 23, 2020 ID:1422872

So... do you mean this will just be part of a future Malwarebytes update? Also, are you recommending we do the whitelisting of PIA? Not really comfortable with that either.

exile360 Posted November 24, 2020 ID:1422975

If you check for updates, this should no longer be blocked. The current database as of this posting is 1.0.33334. You can verify which database version you have installed by opening Malwarebytes and navigating to settings by clicking the small gear icon in the upper right, then selecting the About tab and the database version should be listed under Update package version. If you still have an earlier version, click the Check for updates link under the About tab and Malwarebytes should download the latest database. Once updated, wait approximately 30 seconds for the database/protection to refresh itself, then test to verify that the block no longer occurs (or you may restart the system if you don't want to wait for the database to refresh after updating).

If you still see the block with the latest database please let us know.

Thanks

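Added example, not part of the original thread and not Malwarebytes tooling: a small parser for the protection event reports pasted above that pulls out the blocked IP, category and process, and checks whether the report's Update Package Version predates the 1.0.33334 database named in the reply above. It assumes the report is saved with one "Key: value" field per line under "-Section-" headers; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: values follow the first report in this thread; the
# one-field-per-line layout is an assumption about the exported report.
SAMPLE_REPORT = """\
-Log Details-
Protection Event Date: 11/22/20
-Software Information-
Update Package Version: 1.0.33286
-Website Data-
Category: Worm
Domain:
IP Address: 31.171.154.67
Type: Outbound
File: C:\\Program Files\\Private Internet Access\\pia-service.exe
(end)
"""

FIXED_DB = "1.0.33334"  # database version quoted in the reply above
SECTION_RE = re.compile(r"^-(.+)-$")

def parse_report(text):
    """Return {section: {key: value}} for a protection event report."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            # Split on the first colon only, so "C:\..." paths stay intact.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sections

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def triage(text, fixed_db=FIXED_DB):
    """Summarise a block event and flag a database older than fixed_db."""
    r = parse_report(text)
    web = r.get("Website Data", {})
    db = r.get("Software Information", {}).get("Update Package Version", "")
    return {
        "category": web.get("Category"),
        "ip": web.get("IP Address"),
        "process": web.get("File"),
        "database": db,
        "needs_update": bool(db) and version_tuple(db) < version_tuple(fixed_db),
    }
```

A report whose database is already at or past the fixed version and still shows a block is the case worth reporting back, as the reply above asks.
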
AK6DN Posted November 24, 2020 ID:1422981

Ok, I updated MWB to 1.0.33334 and reinstalled PIA v2.5.1 and they are now happy with each other. No spurious MWB worm messages, PIA works fine.

exile360 Posted November 24, 2020 ID:1422990

Excellent, thanks for letting us know.

If there is anything else we might help with please post.

Thanks

SiggyMarvin Posted November 24, 2020 ID:1422993

So far so good. Updated to 1.0.33336 and then restarted both PIA & MWB. Seems OK so far. Thanks! Will do a system restart later.

randumbguy Posted February 19, 2021 Author ID:1439845

I'm seeing the same thing again but with a different IP address this time around. I've attached a screenshot of the events from last night and yesterday. I'm also posting the latest event report below:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 2/18/21
Protection Event Time: 6:12 PM
Log File: f3d5c7b2-7257-11eb-aa01-3c970e169675.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37271
License: Premium

-System Information-
OS: Windows 10 (Build 19041.804)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Private Internet Access\pia-service.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: RiskWare
Domain:
IP Address: 212.102.52.87
Port: 0
(No malicious items detected)
Type: Outbound
File: C:\Program Files\Private Internet Access\pia-service.exe

(end)

Staff JPopovic Posted February 19, 2021 ID:1439856

Hello,

This is a legit block since there is a potentially malicious file that is communicating with this IP address.

Here is the VirusTotal detection: https://www.virustotal.com/gui/file/f4455ede7b38234cb5072c608990fada9a63fb3806df9638e03506e470c06902/detection

Thank you!