
Private Internet Access being blocked as a worm


Go to solution Solved by JPopovic,


I just had a popup from MWB concerning PIA which I use for their VPN service. It alerted me that it was blocking a worm.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/22/20
Protection Event Time: 5:44 PM
Log File: 724a971e-2d2d-11eb-bd2a-3c970e169675.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1112
Update Package Version: 1.0.33286
License: Premium

-System Information-
OS: Windows 10 (Build 19041.630)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Private Internet Access\pia-service.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Worm
Domain: 
IP Address: 31.171.154.67
Port: 0
(No malicious items detected)
Type: Outbound
File: C:\Program Files\Private Internet Access\pia-service.exe

(end)

Link to post
Share on other sites

I got pretty much the exact same alert 25 minutes ago.

I jumped on a chat to PIA and a member said that "any application that will change the network settings or any application that will bypass the regular tunnel of the device will be considered a worm by Malwarebytes."

The same member also mentioned it has been an issue previously due to updates in MWB?

I have been running them both for years and this was my first time getting this alert.

Solution given was:

I see about this issue. This can be resolved by adding the following files to the exception list of your Malwarebytes.

File Exclusions:
Windows:

    C:\Program Files\Private Internet Access
    C:\Program Files\Private Internet Access\tap\win10
    C:\Program Files\Private Internet Access\pia-client.exe
    C:\Program Files\Private Internet Access\pia-openvpn.exe
    C:\Program Files\Private Internet Access\pia-service.exe
    C:\Program Files\Private Internet Access\pia-support-tool.exe
    C:\Program Files\Private Internet Access\pia-wgservice.exe
    C:\Program Files\Private Internet Access\pia-unbound.exe

Once you've added the above exclusions to your antivirus software, be sure to Click "OK" to save. Then a reboot and reinstallation are required to establish these security changes. Please see our guides section for instructions on how to reinstall the VPN software or download a new copy of our software here.
https://www.privateinternetaccess.com/pages/download

 

Curious to see other responses.

Link to post
Share on other sites
34 minutes ago, ccodes said:

I have been running them both for years and this was my first time getting this alert.

Same here. I got an update to the app on my Android device earlier today and I'm thinking the blocked address might be the update server for PIA because I've had the same error every five minutes or so for the past hour. At this point I'm going to wait for an answer from someone at MWB because it's not my antivirus that is causing the problem in my eyes.

Link to post
Share on other sites

Got pretty much the same event about an hour ago. So I restored from a Macrium backup taken at 9am this morning. No change, still happened. Uninstalled PIA. Problem gone. Will likely follow above guidance to allow PIA an exclusion (as listed above).

IP address 31.171.154.67 translates to Albania FWIW.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/22/20
Protection Event Time: 7:00 PM
Log File: 0957fc0a-2d38-11eb-b756-fc4dd43f4d6a.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1112
Update Package Version: 1.0.33286
License: Premium

-System Information-
OS: Windows 10 (Build 18362.1198)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Private Internet Access\pia-service.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Worm
Domain:
IP Address: 31.171.154.67
Port: 0
(No malicious items detected)
Type: Outbound
File: C:\Program Files\Private Internet Access\pia-service.exe

(end)

Link to post
Share on other sites

Hmm, I see that now that I've looked up the IP. I put a support ticket into PIA to ask why their client would be trying to connect to this particular address and will post here when I get a reply. Because of the randomness of where the PIA app wants to communicate it makes me even more wary of simply whitelisting it all.

Link to post
Share on other sites

If you check for updates, this should no longer be blocked.  The current database as of this posting is 1.0.33334.  You can verify which database version you have installed by opening Malwarebytes and navigating to settings by clicking the small gear icon in the upper right, then selecting the About tab and the database version should be listed under Update package version.  If you still have an earlier version, click the Check for updates link under the About tab and Malwarebytes should download the latest database.  Once updated, wait approximately 30 seconds for the database/protection to refresh itself, then test to verify that the block no longer occurs (or you may restart the system if you don't want to wait for the database to refresh after updating).

If you still see the block with the latest database please let us know.

Thanks

  • Thanks 1
Link to post
Share on other sites
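
An added example, not part of the thread and not Malwarebytes' own tooling: a Python parser for the text log layout posted above. It extracts the blocked process, remote address and database version, and checks whether the event predates database 1.0.33334 named in the last reply. The function names and the trimmed sample log are constructed for illustration.

```python
import re

# Database version the last reply in this thread says no longer blocks the address.
FIXED_DB = "1.0.33334"

# Constructed sample: the field layout of the logs posted above, trimmed.
SAMPLE_LOG = r"""
-Software Information-
Update Package Version: 1.0.33286
-Blocked Website Details-
, C:\Program Files\Private Internet Access\pia-service.exe, Blocked, -1, -1, 0.0.0, ,
-Website Data-
Category: Worm
Domain:
IP Address: 31.171.154.67
(No malicious items detected)
Type: Outbound
File: C:\Program Files\Private Internet Access\pia-service.exe
"""

def parse_event(text):
    """Return {section name: {field: value}} for one exported protection event."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"-(.+)-", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and ":" in line and not line.startswith(","):
            key, _, value = line.partition(":")  # first colon only, so C:\ paths survive
            current[key.strip()] = value.strip()
    return sections

def version_tuple(version):
    """'1.0.33286' -> (1, 0, 33286) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def triage(text, fixed_db=FIXED_DB):
    """Summarise a web-protection block and say whether it predates the fixed database."""
    event = parse_event(text)
    site = event.get("Website Data", {})
    db = event.get("Software Information", {}).get("Update Package Version", "")
    return {
        "process": site.get("File", ""),
        "remote_ip": site.get("IP Address", ""),
        "category": site.get("Category", ""),
        "direction": site.get("Type", ""),
        "database": db,
        "predates_fix": bool(db) and version_tuple(db) < version_tuple(fixed_db),
    }
```

A block that still appears with `predates_fix` false is the case the last reply asks to have reported, rather than one to silence with a folder-wide exclusion.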
