JCuss

gaming center hitting a trojan site/IP


40
Members
43 posts
2,302 battles

Anyone out there run Malwarebytes?  I got this alert today:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/1/21
Protection Event Time: 1:46 PM
Log File: 9065ce6e-22df-11ec-a071-b42e99a5b6fb.json

-Blocked Website Details-

Malicious Website: 1
, C:\ProgramData\Wargaming.net\GameCenter\wgc.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain:
IP Address: 178.175.73.40
Port: 6881
Type: Outbound
File: C:\ProgramData\Wargaming.net\GameCenter\wgc.exe

 

Basically, Malwarebytes is saying that the Wargames Gaming Center executable attempted to hit a site that was identified (as having) a trojan, and did this on port 6881. Apparently the site has been blacklisted by others, including Barracuda. I guess I should be asking Wargaming about this...

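As an added example (not part of the original post, and not Wargaming's or Malwarebytes' code), a short Python parser for the alert fields posted above that records what the alert itself establishes: the direction, whether a domain was recorded, and whether the port falls in the conventional BitTorrent range 6881-6889. The field names come from the posted log; the function names are assumptions chosen for illustration.

```python
import ipaddress
import re

# Alert fields as posted above (only the section the parser reads).
ALERT = """\
-Website Data-
Category: Trojan
Domain:
IP Address: 178.175.73.40
Port: 6881
Type: Outbound
File: C:\\ProgramData\\Wargaming.net\\GameCenter\\wgc.exe
"""

# Conventional BitTorrent range; clients can be configured to use other ports.
BITTORRENT_PORTS = range(6881, 6890)

def parse_alert(text):
    """Return the 'Key: value' fields of the alert as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage(fields):
    """Summarise what the alert does and does not establish."""
    ip = ipaddress.ip_address(fields["IP Address"])
    port = int(fields["Port"])
    notes = []
    if fields.get("Type") == "Outbound":
        notes.append("outbound: the connection was initiated by the local process")
    if not fields.get("Domain"):
        notes.append("no domain recorded: the connection went directly to an IP address")
    if port in BITTORRENT_PORTS:
        notes.append("port is in the conventional BitTorrent range 6881-6889")
    if ip.is_global:
        notes.append("remote address is a public IP, so reputation data for it can be checked")
    return {"process": fields["File"], "remote": f"{ip}:{port}", "notes": notes}

if __name__ == "__main__":
    result = triage(parse_alert(ALERT))
    print(result["process"], "->", result["remote"])
    for note in result["notes"]:
        print(" -", note)
```

The port only identifies the likely protocol; whether the remote address is a legitimate peer or server still has to be confirmed separately.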
1,011
[WG]
[WG]
Administrator
491 posts
8,673 battles

Thank you for providing the detailed information. This is very helpful to our investigation. We will investigate it on our side and possibly reach out to them to whitelist that port for us. Sometimes false positives like this can be triggered by bigger patches and things like that. In any case, we will investigate it on our side; for now, if it blocks your connection, you might need to whitelist on your side. Is anyone else using this same protection and having the same error?

2,517
[TO33]
Wiki Editor
6,777 posts
18,221 battles
26 minutes ago, Maredraco said:

Thank you for providing the detailed information. This is very helpful to our investigation. We will investigate it on our side and possibly reach out to them to whitelist that port for us. Sometimes false positives like this can be triggered by bigger patches and things like that. In any case, we will investigate it on our side; for now, if it blocks your connection, you might need to whitelist on your side. Is anyone else using this same protection and having the same error?

I haven't had it with this patch, but it was happening to me a few patches ago with the PTS update and once for the live server pre-download.

12,672
[SALVO]
Members
28,247 posts
43,799 battles
34 minutes ago, Maredraco said:

Thank you for providing the detailed information. This is very helpful to our investigation. We will investigate it on our side and possibly reach out to them to whitelist that port for us. Sometimes false positives like this can be triggered by bigger patches and things like that. In any case, we will investigate it on our side; for now, if it blocks your connection, you might need to whitelist on your side. Is anyone else using this same protection and having the same error?

"Whitelist"?  What is whitelisting?

1,011
[WG]
[WG]
Administrator
491 posts
8,673 battles
5 minutes ago, Crucis said:

"Whitelist"?  What is whitelisting?

Whitelisting a port is opening the port to receive data as "trusted"; you can read more about it on pages like this: https://www.tomshardware.com/news/how-to-open-firewall-ports-in-windows-10,36451.html

13 minutes ago, MidnightPhoenix07 said:

I haven't had it with this patch, but it was happening to me a few patches ago with the PTS update and once for the live server pre-download.

Oh yes, because of the communication overseas for the PTS authentication service I can see that definitely being flagged. Do you use the same protections as the OP?

2,517
[TO33]
Wiki Editor
6,777 posts
18,221 battles
Just now, Maredraco said:

Oh yes, because of the communication overseas for the PTS authentication service I can see that definitely being flagged. Do you use the same protections as the OP?

Yes, Malwarebytes same as the OP.

And for both the IP was listed as being in South America (not even Russia for the PTS server). But a day or two later for the live client, it downloaded fine without any flag.

40
Members
43 posts
2,302 battles

Well, Malwarebytes is still flagging the IP as having a trojan. Even when I plug the IP into my web browser it gets flagged, so whitelisting a port wouldn't change it. Besides, until I know exactly what 178.175.73.40 is, why would I whitelist it? Is this a Wargaming server or is it something else?

Does Wargaming use BitTorrent to download patches?

Edited by JCuss

149
[-LMS-]
Beta Testers
407 posts
11,854 battles

I've always had this issue with Malwarebytes...but I'm not about to remove it.  

[Image: image.png]


2,877
Alpha Tester, In AlfaTesters
5,432 posts
9,039 battles

Honestly not hard to see why Malwarebytes picks up on it. Essentially you have a piece of software downloading installations at its own command. It's the definition of a trojan. I don't use it, but would certainly feel more comfortable that it's looking hard at this behavior.

1,952
[WOLF4]
[WOLF4]
Beta Testers, In AlfaTesters
2,668 posts
21,331 battles

Looks like the built-in BitTorrent is still as poorly coded as ever. As mentioned above, likely nothing more than Malwarebytes being overzealous and a false positive.

They ever fix that other lovely little bit with it where, if you don't limit the download speed in WGC, when it decides to download anything it will cripple your internet connection to the exclusion of anything else until the download is done?

0
[FGNE]
Members
3 posts
5,124 battles
On 10/1/2021 at 1:05 PM, Maredraco said:

Thank you for providing the detailed information. This is very helpful to our investigation. We will investigate it on our side and possibly reach out to them to whitelist that port for us. Sometimes false positives like this can be triggered by bigger patches and things like that. In any case, we will investigate it on our side; for now, if it blocks your connection, you might need to whitelist on your side. Is anyone else using this same protection and having the same error?

I have McAfee and have seen where it blocked a couple risky connections in the past couple of weeks.

Beta Testers, In AlfaTesters
550 posts
6,157 battles

Well, this is odd. Today it seems the launcher is causing Malwarebytes to go "nope, that's not a normal launcher", and now it seems to think it's both compromised & is a trojan, as seen here:

[Images: bestbattle.jpg, bestbattle2.jpg]

This topic is now closed to further replies.