Malwarebytes detections

Hi Guys,

I am new to Syncthing having only set it up yesterday to sync a database between my Win10 PC and my Android phone. I then created a startup shortcut in Windows so it will start every time I reboot.

When I restarted my PC Malwarebytes chucked out 4 different warnings. The first 2 warnings identified the syncthing.exe file as malware and the second 2 notifications related to suspicious websites - namely 185.14.97.176 and 185.243.218.27 which it blocked and tagged as compromised.

Having got Syncthing from here and after running the .exe file through virustotal I know it is clean and have added an exception in Malwarebytes.

However, as regards the IP addresses, I did a brief search on here and saw some talk about relays which I’m not familiar with but couldn’t see any links to any articles which would help me decide if it’s safe for me to add these IP addresses as exceptions in Malwarebytes or not.

Despite the issue my database is syncing perfectly fine but I would appreciate some advice please as to what to do to get rid of these detection warnings from Malwarebytes.

Step 1: get rid of Malwarebytes

On a more serious note, the IP addresses are probably flagged by Malwarebytes because those servers are not only hosting a Syncthing relay but also operate as Tor nodes.

https://docs.syncthing.net/users/relaying.html

https://docs.syncthing.net/users/faq.html#why-does-syncthing-connect-to-this-unknown-suspicious-address

2 Likes

Thanks for your reply.

As a home PC user my technical knowledge only goes so far but from what you’re saying Syncthing shares relay servers that also host Tor nodes. If that’s the case my next question would be whether Syncthing checks out which servers can be trusted.

I’m not about to stop using Malwarebytes and dismantling the security setup I use to stay safe online, but I also want to prevent the detection warnings. If these server IPs have been tested as safe I can whitelist them, but if you’re choosing untested random nodes then to me that implies I’m likely to get a lot more of these detection warnings.

I just want to know if I can safely whitelist your relays or not.

One doesn’t really test IPs; it’s quite meaningless. To say it in a very simplified manner: many services can run behind a single IP address in many different ways, and it doesn’t have to be linked to the same user. There’s also no [one server/service]:[one IP] link.

As stated in the linked FAQ:

Relay servers are run by volunteers all over the world.

In practice, anyone can run a Syncthing relay server. Whether they, or others, run something else behind one of those IPs is not really relevant, nor an indication of anything really.

Whether you should whitelist those? Probably not. But I can’t say that I agree with Malwarebytes to blacklist entire IPs based on some historical usage of one…

See also what Malwarebytes itself thinks about it: The pitfalls of blocking IP addresses (malwarebytes.com)

3 Likes

Thank you again for that reply. I’ve got no real knowledge of these kind of open source shared networking platforms so I apologise if I seem a bit hopeless when it comes to this kind of thing.

As I’ve already whitelisted the Syncthing exe file, that should help, so I think I’ll just keep a note of any IPs that get picked up and that’ll give me time to think about what to do next.

The app itself is working great though so thank you to the developers for such a useful and free program.

2 Likes

We should also note that the list of active relays can change quite frequently (a new relay can be spun up by anyone at any time), so a static IP address allowlist may be troublesome.

Sync connections over relays are still end-to-end encrypted (see the links from the second reply), so there’s no real difference in terms of attacker model. They’re neither less nor more secure than direct, non-relayed connections.

If you wish, you can turn off relays (Actions -> Settings -> Connections -> "Enable Relaying"). With relaying disabled, you have fewer connectivity options (either two nodes can establish a direct connection, or no connection will be established between them at all). On the other hand, you won’t see Syncthing connecting to random IPs anymore*.

*There’s still some chatter to discovery servers, local discovery, STUN and/or usage reporting servers, depending on your configuration. These IP addresses are less likely to trigger security monitoring tools however, since they usually have a better reputation.

1 Like
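The point in the reply above (the relay pool changes often, so a static IP allowlist goes stale) suggests a different workflow for a home user who wants to triage rather than whitelist: keep the addresses the security tool flagged, and check them against a fresh snapshot of the relay listing each time. The script below is an added example, not code from the thread or from the Syncthing project. It assumes the relay pool is published as a JSON document with a top-level "relays" list whose entries carry a "url" of the form relay://HOST:PORT/?id=...; the two listing snapshots and the flagged addresses are constructed for the example (documentation-range IPs), not real relays.

```python
"""Triage flagged IP addresses against a snapshot of a Syncthing relay listing.

Added example; not part of the forum thread or of Syncthing's own code.
Assumption: the relay pool is a JSON document shaped like
{"relays": [{"url": "relay://HOST:PORT/?id=...", ...}, ...]}.
All data below is constructed for the example.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed snapshot of a relay listing taken "today" (not live data).
SAMPLE_RELAY_POOL = json.dumps({
    "relays": [
        {"url": "relay://198.51.100.10:22067/?id=AAAAAAA-BBBBBBB&providedBy=example"},
        {"url": "relay://[2001:db8::1]:22067/?id=CCCCCCC-DDDDDDD"},
        {"url": "relay://relay.example.net:22067/?id=EEEEEEE-FFFFFFF"},
        {"url": "not-a-relay-url"},  # malformed entry, must be skipped, not fatal
    ]
})

# Constructed snapshot taken later: one relay gone, one new relay appeared.
LATER_RELAY_POOL = json.dumps({
    "relays": [
        {"url": "relay://[2001:db8::1]:22067/?id=CCCCCCC-DDDDDDD"},
        {"url": "relay://relay.example.net:22067/?id=EEEEEEE-FFFFFFF"},
        {"url": "relay://192.0.2.5:22067/?id=GGGGGGG-HHHHHHH"},
    ]
})

# Constructed addresses, as a user would copy them from blocker notifications.
FLAGGED_ADDRESSES = ["198.51.100.10", "203.0.113.77", "2001:DB8::1"]


def canonical(host):
    """Normalise IP literals so 2001:DB8::1 and 2001:db8::1 compare equal.
    Hostnames are not resolved (no network access); they pass through lowercased."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host.lower()


def relay_hosts(pool_json):
    """Map each relay's canonical host to its relay URL, skipping malformed entries."""
    hosts = {}
    for entry in json.loads(pool_json).get("relays", []):
        parts = urlsplit(entry.get("url", ""))
        # urlsplit strips the brackets from IPv6 literals in .hostname
        if parts.scheme != "relay" or not parts.hostname:
            continue
        hosts[canonical(parts.hostname)] = entry["url"]
    return hosts


def classify(flagged, pool_json):
    """Return {flagged address: verdict} against one relay-listing snapshot.

    "listed relay" means the address currently appears in the listing; it says
    nothing about what else runs behind that IP, only that a relay is there."""
    listed = relay_hosts(pool_json)
    return {
        addr: ("listed relay" if canonical(addr) in listed else "not a listed relay")
        for addr in flagged
    }


def pool_changes(old_pool_json, new_pool_json):
    """Return (added, removed) relay hosts between two snapshots; a non-empty
    result is exactly why a static allowlist of relay IPs does not stay valid."""
    old = set(relay_hosts(old_pool_json))
    new = set(relay_hosts(new_pool_json))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for addr, verdict in classify(FLAGGED_ADDRESSES, SAMPLE_RELAY_POOL).items():
        print(f"{addr:20} {verdict}")
    added, removed = pool_changes(SAMPLE_RELAY_POOL, LATER_RELAY_POOL)
    print("relays added since last snapshot:  ", added)
    print("relays removed since last snapshot:", removed)
```

Two design choices worth noting: hostnames in relay URLs are deliberately not resolved, so the check runs offline and a flagged IP is only matched against IP literals in the listing; and a "listed relay" verdict is informational, not a trust decision, which matches the earlier reply that an IP says nothing about what else is hosted behind it.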

Thanks again. That’s certainly useful to know.

As the program is still so new to me I think for the time being I’ll just have a look at that in the settings but I think it’s better that I leave things alone and give myself more time to watch how it’s all working and familiarise myself more with the program and then decide on any changes.

I’m only guessing, but this happened after I turned on my PC, so possibly before it had time to finish booting and connect directly with my phone Syncthing tried using these 2 relays, which turned out to be dubious. Now that I’ve whitelisted the EXE file the warnings will probably stop anyway.

Having googled both IPs, they have been reported plenty of times in the past for spam activity, but since no-one was trying to actually break into my own system I probably don’t need to worry too much. I can always turn relays off if they persist.

Thank you all for your help.

Having whitelisted the EXE file the warnings about the relay servers have stopped of their own accord without me needing to whitelist them so, like you, I haven’t done so.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.