Questions Regarding The Background Network Scans Of rubyw.exe
I realized that while not connected to a VPN the PIA manager uses rubyw.exe to constantly make dozens of connections to various IP addresses, some seem to belong to privateinternetaccess (e.g. 50.23.131.243-static.reverse.softlayer.com:8888), some are clearly not (e.g. star-01-03-sjc1.facebook.com:80).
Screenshot of TCPView:

Being an IT security consultant I'm very concerned with security (which is why I'm using and paying for PIA), so I have some questions:
- Why does the software do this? Please explain in detail. I'm not scared by technical descriptions but would consider answers like "to make the software work better" as an affront.
- Why are connections to IPs being established that clearly have no connection with privateinternetaccess? How are addresses selected? What data is transmitted?
- Why is rubyw.exe created dynamically on every start and how can I avoid this? My local firewall considers the exe as a new file every time (which it is) and won't remember the last allow/deny answer.
- Can the scanning be deactivated? The scanning probably violates the internet agreement that I have with my landlord. Also I find it unnecessary to have scans run constantly when I'm using PIA maybe twice a week.
- Please confirm that you are NOT scanning or validating "free proxies" that may or may not be malicious, to use those later in paid VPN connections. Can I be sure that VPN connections go only through your very own servers or contracted partners that are obliged to your privacy and security terms?
I am going to analyze the HTTP traffic and parse the ruby scripts myself, anyway. But I would be happy to match answers from you with my own findings to get a clearer picture and decide if I can continue using PIA.
Regards, djk
Comments
This answers all my questions very well and it matches with my findings and assumptions so far. I will still validate the rDNS phenomenon to check if all IPs can be assigned to PIA somehow, but what you describe sounds likely and I don't expect to see anything different.
I hope that you can fix the unpacking of rubyw.exe some time. From a security standpoint it's not ideal to give an interpreter full Internet access, because every application/malware can then execute their own scripts through it. It's the same with java.exe. Maybe you can find a way to pack/compile the scripts and interpreter together into an exe that only unpacks in memory, just like Eclipse does with Java.
Also, an option to reduce scanning would be nice. As for now, I disabled autostart and just start it manually when needed. Have to allow the rubyw.exe in the firewall manually, anyway.
@Steevo: Even though I searched the forum before posting, I wasn't sure if this was answered before somewhere and wanted to give other users the chance to enlighten me. Also I thought an answer from tech support might be interesting for others as well, and seeing all the "me too" replies, that seemed about right.
Also, I'd like to comment that the OP by djkrose was much needed, as I too had the same question and found this post very helpful and negated the need for me to contact support to ask them the same questions they probably get all day.
There's something inherently wrong with a security-oriented product as PIA not jumping on a problem like this, which wrongly encourages people to relax (!) security settings. If this isn't addressed soon I'll deactivate PIA and not only stop recommending it but will actively discourage its use. It's been long enough; more than six months (!) since it was first flagged.
I do not run Malwarebytes software and I have no problem. You can arbitrarily say one side or the other is to blame, but it is not really so simple for either side. PIA has no option to make Malwarebytes software accept that their VPN software is not malware. And Malwarebytes may not even know about the problem.
You have several choices. You can either accept that the VPN is not malware and deactivate the Malwarebytes software that is causing problems, or accept that Malwarebytes is more trustworthy and stop using the VPN because it would interfere with your chosen programs.
Or if you would like, you can contact Malwarebytes and ask them what needs to be done to remedy the situation. (Like I said, I do not use their software, but I have contacted them before, and I received a reply within about 30 hours telling me the answer to the question I asked.)
So you were talking about rubyw.exe, which is the interpreter for the Ruby programming language in which PIA Manager is written. And I already told you why PIA Manager contacts PIA servers even if you're not connected.
Perhaps you didn't understand the reason, so I'll elaborate on my previous post. PIA has a bunch of servers in every location. Connections to these servers need to be made based on their IP addresses, but servers can be down for maintenance (or other reasons), some servers could experience heavy load while others sit idle, or servers could get decommissioned for a variety of reasons. The set of available IP addresses and a subset of the currently least loaded IP addresses is managed by PIA. To get this information to its users, PIA has the client application pull it from their website at regular intervals. The application then does additional checks to see if IP addresses are reachable and to determine network latency by contacting those IP addresses directly.
Mystery solved?
You can, and probably should, be unhappy with the application's memory footprint and unusual behaviour. I'm not refuting your right to ask these questions. Just don't smash down the answers you're given just because you don't like them.
For the record, I never suggested high memory consumption had anything to do with testing server reachability and latency. It's not the answer to every one of your questions.
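The reachability and latency check described in the reply above amounts to timing a TCP handshake to each candidate address, which is what shows up in TCPView as a burst of short-lived connections. The sketch below is an added example, not PIA Manager's code and not part of the original posts; the function names are hypothetical and the endpoints are constructed local sockets.

```ruby
require 'socket'

# Time one TCP handshake to host:port. Returns the latency in milliseconds,
# or nil when the endpoint is unreachable (refused, timed out, no route,
# name resolution failure). No application data is sent.
def connect_latency_ms(host, port, timeout: 1.0)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  Socket.tcp(host, port, connect_timeout: timeout) { |_sock| }
  ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - started) * 1000).round(2)
rescue SystemCallError, SocketError, IOError
  nil
end

# Probe every candidate once and split the results into reachable
# endpoints (fastest first) and endpoints that did not answer.
def rank_endpoints(candidates, timeout: 1.0)
  results = candidates.map do |host, port|
    { host: host, port: port, ms: connect_latency_ms(host, port, timeout: timeout) }
  end
  reachable, down = results.partition { |r| r[:ms] }
  { reachable: reachable.sort_by { |r| r[:ms] }, down: down }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: a local listener stands in for a live server and a
  # just-closed port stands in for one that is down for maintenance.
  live = TCPServer.new('127.0.0.1', 0)
  dead = TCPServer.new('127.0.0.1', 0)
  dead_port = dead.addr[1]
  dead.close

  ranked = rank_endpoints([['127.0.0.1', dead_port], ['127.0.0.1', live.addr[1]]])
  ranked[:reachable].each { |r| puts "up   #{r[:host]}:#{r[:port]} #{r[:ms]} ms" }
  ranked[:down].each { |r| puts "down #{r[:host]}:#{r[:port]}" }
  live.close
end
```

A probe like this opens and immediately closes one connection per candidate, so the number of connections seen per interval tracks the size of the server list the client was given.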
My latest find is AVG2014 keeps alerting me to identity theft/access when Rubyw.exe starts up each time. I cannot treat Rubyw as 'safe' because it is a different file each time.
I researched what other VPN service providers were offering and some have the best acclaims for their own in-house written client applications. The problem with the PIA client is it is quite a good re-package and GUI for the open source application, but seems to lack development to integrate with the real world of commonly used firewalls and anti-virus applications in personal computers.
Since PIA Client is the front door to new and less techie customers wanting a simple clean compatible background client, it should represent the commercial image and brand of the company. I certainly will be looking at the client apps used by other VPN services, since that is what I am confronted with every day I boot my PC.
I don't think open software integrated the way that PIA Client is deserves to represent PIA's front door, when the growing market will be from less technical users who will not know how to recognise issues in their AV programs and disable protection features for PIA Client to run.
I will sit waiting and holding my breath for something better!
Hell, OpenVPN defaults to UDP until you tell it to use TCP.