oxen-io / session-desktop

Session Desktop - Onion routing based messenger
https://getsession.org
GNU General Public License v3.0

Malwarebytes blocks Session's attempts to connect to seemingly random IPs at random times. These events are flagged as either "Trojan" or "Compromised." #2950

Open sometimesthings123 opened 12 months ago

sometimesthings123 commented 12 months ago

Current Behavior

(I posted about this on the subreddit as well, but my post got deleted because the account didn't have enough karma. So I came here.)

Like the title says, Malwarebytes is currently blocking Session.exe's attempts to connect to random IPs. These events get flagged as either "Trojan" or "Compromised." Running said IPs through VirusTotal returns a couple of warnings for "Malware" or "Phishing."

Examples of said IPs include 205.185.113.44 and 104.238.205.128, but there's plenty more.

I've gotten false flags from Malwarebytes in the past, but the fact that VirusTotal recognizes these addresses worries me.

Expected Behavior

For Malwarebytes to not react to Session, and for the IPs to turn up clean on VirusTotal.

Steps To Reproduce

  1. Be on Windows 10
  2. Install Malwarebytes and either buy premium or get the free trial
  3. Download Session for desktop from getsession
  4. Open Session
  5. Wait until the described event occurs (This might take a while.)

Desktop Version

v1.11.4

Anything else?

No response

KeeJef commented 11 months ago

Those are both Service Node IP addresses. Session connects to random Service Nodes in the network to deposit messages into swarms, fetch messages from swarms, and set up paths for onion routing. This is a false flag from Malwarebytes; I suppose they are being overly aggressive about IP addresses your computer is connecting to. You might have to flag it as a false detection with them.

sometimesthings123 commented 11 months ago

> Those are both Service Node IP addresses. Session connects to random Service Nodes in the network to deposit messages into swarms, fetch messages from swarms, and set up paths for onion routing. This is a false flag from Malwarebytes; I suppose they are being overly aggressive about IP addresses your computer is connecting to. You might have to flag it as a false detection with them.

Good to know! I'm still a bit confused as to why different service nodes elicit different reactions, but I guess those are questions only Malwarebytes or VirusTotal could answer. Thanks for all the hard work on Session!

KeeJef commented 11 months ago

Would you be able to file a false report with Malwarebytes here? https://forums.malwarebytes.com/forum/122-false-positives/ I think they may need the detection logs. You can link to this GitHub issue too.