ipfs.exe libp2p connections trigger false-positive RTP events


lidel

ipfs.exe (https://github.com/ipfs/go-ipfs) is bundled inside IPFS Desktop app (https://docs.ipfs.io/install/ipfs-desktop/)

IPFS Desktop uses it to run an IPFS node that joins a public DHT libp2p swarm (https://libp2p.io) and connects to other peers, as part of content routing (more about IPFS at https://ipfs.io)

Seems that p2p behavior (establishing outgoing connections to specific peers) is triggering various RTP detection events (Compromised, Trojan, Malware):
[Screenshot: ipfs.exe peer connections triggering RTP detection]


I attach some sample logs:
- ipfs.exe-false-positive-compromised.txt
- ipfs.exe-false-positive-malware.txt
- ipfs.exe-false-positive-trojan2.txt


I suspect those are false-positives due to p2p behavior.
Blocking outgoing connections degrades performance of IPFS when Malwarebytes is installed.

Would it be possible to safelist ipfs.exe, so its p2p behavior does not trigger those RTP events?

Edited by AdvancedSetup
Disabled live hyperlink

  • Staff

Hello,

Regarding ipfs.exe, we aren't detecting this file as malware, but rather some of the IP addresses that it's trying to connect to as malware. However, those blocks are a bit old and I'm not seeing any recent malware activity on them so we will unblock both that you provided above:

162.33.179.228
147.182.234.117

Thanks for letting us know. And let us know if there are other IP addresses that are being flagged so we can possibly unblock those too.

Regards


Thank you for quick response.
Unfortunately, submitting every blocked IP over and over does not scale.
The average IPFS Desktop node will connect to thousands of peers over a few hours of being online, and Malwarebytes seems to get triggered all the time.
Given that there are hundreds of peers, having to manually process each warning makes a horrible UX.

Is there a straightforward way our users could exclude ALL ipfs.exe network activity from being monitored?
Or for Malwarebytes to be smarter about (A) expiring old records for IP blocks (B) libp2p/DHT connections?

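One way to make the "submit each blocked IP" step less painful, as an added example that is not part of this thread and not code from Malwarebytes or go-ipfs: collapse the repeated Web Protection block events to one entry per remote IP, then cross-check those IPs against the multiaddr list printed by `ipfs swarm peers`, so that a consolidated, deduplicated list can be reported once instead of one popup at a time. The block-log line format below is constructed for illustration only (the attached .txt files are not reproduced on the page, so the real export format is not shown); the peer IDs and every IP other than the two named by staff above are made up.

```python
"""Triage Web Protection block events against the IPFS swarm peer list.

Added example; not code from the forum thread, Malwarebytes, or go-ipfs.
The block-log format is CONSTRUCTED for illustration and is not the real
Malwarebytes export format. Only 162.33.179.228 and 147.182.234.117 are
from the thread; all other IPs are documentation ranges and the peer IDs
are fake.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed block-log lines (NOT the real Malwarebytes format).
SAMPLE_BLOCK_LOG = """\
2021-09-02 10:12:01 WebProtection block category=Compromised process=ipfs.exe remote=162.33.179.228:4001 direction=outbound
2021-09-02 10:12:07 WebProtection block category=Malware process=ipfs.exe remote=147.182.234.117:4001 direction=outbound
2021-09-02 10:13:40 WebProtection block category=Trojan process=ipfs.exe remote=162.33.179.228:4001 direction=outbound
2021-09-02 10:14:02 WebProtection block category=Malware process=chrome.exe remote=203.0.113.9:443 direction=outbound
2021-09-02 10:15:55 WebProtection block category=Compromised process=ipfs.exe remote=[2001:db8::10]:4001 direction=outbound
"""

# Constructed `ipfs swarm peers` output (multiaddr format, fake peer IDs).
SAMPLE_SWARM_PEERS = """\
/ip4/162.33.179.228/tcp/4001/p2p/12D3KooWExamplePeerAAAA
/ip4/198.51.100.7/udp/4001/quic/p2p/12D3KooWExamplePeerBBBB
/ip6/2001:db8::10/tcp/4001/p2p/12D3KooWExamplePeerCCCC
"""

BLOCK_RE = re.compile(
    r"category=(?P<cat>\S+)\s+process=(?P<proc>\S+)\s+remote=(?P<remote>\S+)"
)
MULTIADDR_RE = re.compile(r"^/ip(?P<ver>[46])/(?P<host>[^/]+)/")


def split_host(remote: str) -> str:
    """Strip the port from 'host:port' or '[v6]:port'; return a normalised IP."""
    if remote.startswith("["):
        host = remote[1:remote.index("]")]
    else:
        host = remote.rsplit(":", 1)[0]
    return str(ipaddress.ip_address(host))  # raises ValueError on junk input


def parse_block_log(text: str, process: str = "ipfs.exe"):
    """Yield (ip, category) for every block attributed to `process`."""
    for line in text.splitlines():
        m = BLOCK_RE.search(line)
        if m and m.group("proc").lower().endswith(process):
            yield split_host(m.group("remote")), m.group("cat")


def peer_ips(text: str) -> set:
    """Extract the IPv4/IPv6 hosts from multiaddrs printed by `ipfs swarm peers`."""
    ips = set()
    for line in text.splitlines():
        m = MULTIADDR_RE.match(line.strip())
        if m:
            ips.add(str(ipaddress.ip_address(m.group("host"))))
    return ips


def triage(block_log: str, swarm: str, process: str = "ipfs.exe") -> dict:
    """Collapse repeated blocks to one entry per IP and flag current swarm peers."""
    hits = Counter()
    cats = defaultdict(set)
    for ip, cat in parse_block_log(block_log, process):
        hits[ip] += 1
        cats[ip].add(cat)
    peers = peer_ips(swarm)
    return {
        "events": sum(hits.values()),
        "unique_ips": sorted(hits),
        "hits": dict(hits),
        "categories": {ip: sorted(c) for ip, c in cats.items()},
        "blocked_current_peers": sorted(ip for ip in hits if ip in peers),
        "blocked_non_peers": sorted(ip for ip in hits if ip not in peers),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BLOCK_LOG, SAMPLE_SWARM_PEERS)
    print(f"{report['events']} block events collapse to "
          f"{len(report['unique_ips'])} unique IPs")
    for ip in report["unique_ips"]:
        tag = "peer" if ip in report["blocked_current_peers"] else "not in swarm"
        cats = ",".join(report["categories"][ip])
        print(f"  {ip:40} x{report['hits'][ip]} {cats} [{tag}]")
```

In practice you would replace the two constructed strings with the exported block log and the live output of `ipfs swarm peers`; IPs that appear in the block list but are no longer in the swarm are still worth reporting, since libp2p churns peers quickly and a block against a stale reputation entry can recur the next time that peer is dialled.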

56 minutes ago, lidel said:

Is there a straightforward way our users could exclude ALL ipfs.exe network activity from being monitored?

As for why Malwarebytes blocks Torrent-based software: Torrent-based software is what is known as a Peer-to-Peer (P2P) application, meaning it connects to many different servers/IP addresses (this is how files are downloaded through Torrent-based software), and because of this, sometimes Torrent-based software will connect to a server that is also known for hosting malicious content. This is because servers/IP addresses are often shared by multiple sites, so while what you are downloading through Torrent-based software may be perfectly safe, some of the sites hosted on some of the IP addresses that Torrent-based software connects to may be malicious. Such connections are not a threat, however, and you may exclude Torrent-based software from the Web Protection component in Malwarebytes to stop the blocks from happening without compromising your protection (your web browser and other critical web-facing programs will still be fully protected from malicious websites and other malicious content). To do so, add your Torrent-based software .exe to your exclusions using the method described under the "Exclude an Application that Connects to the Internet" section of this support article.

