I am new to Syncthing having only set it up yesterday to sync a database between my Win10PC and my android phone. I then created a startup shortcut in Windows so it will start every time I reboot.
When I restarted my PC Malwarebytes chucked out 4 different warnings. The first 2 warnings identified the syncthing.exe file as malware and the second 2 notifications related to suspicious websites - namely 18.104.22.168 and 22.214.171.124 which it blocked and tagged as compromised.
Having got Syncthing from here and after running the .exe file through virustotal I know it is clean and have added an exception in Malwarebytes.
However, as regards the IP addresses, I did a brief search on here and saw some talk about relays which I’m not familiar with but couldn’t see any links to any articles which would help me decide if it’s safe for me to add these IP addresses as exceptions in Malwarebytes or not.
Despite the issue my database is syncing perfectly fine but I would appreciate some advice please as to what to do to get rid of these detection warnings from Malwarebytes.
As a home PC user my technical knowledge only goes so far but from what you’re saying Syncthing shares relay servers that also host Tor nodes. If that’s the case my next question would be whether Syncthing checks out which servers can be trusted.
I’m not about to stop using Malwarebytes and dismantle the security setup I use to stay safe online but I also want to prevent the detection warnings. If these server IPs have been tested as safe I can whitelist them but if you’re choosing untested random nodes then to me that implies I’m likely to get a lot more of these detection warnings.
I just want to know if I can safely whitelist your relays or not.
One doesn’t really test IPs, it’s quite meaningless. To say it in a very simplified manner; many services can run behind a single IP address in many different ways and it doesn’t have to be linked to the same user. There’s also no [one server/service]:[one ip] link.
As stated in the linked FAQ:
Relay servers are run by volunteers all over the world.
In practice, anyone can run a Syncthing Relay server. Whether they, or others, run something else behind one of those used IPs is not really relevant nor an indication of anything really.
Whether you should whitelist those? Probably not. But I can’t say that I agree with Malwarebytes to blacklist entire IPs based on some historical usage of one…
We should also note that the list of active relays can change quite frequently (a new relay can be spun up by anyone at any time), so a static IP address allowlist may be troublesome.
Sync connections over relays are still end-to-end encrypted (see the links from the second reply), so there’s no real difference in terms of attacker model. They’re neither less nor more secure than direct, non-relayed connections.
If you wish, you can turn off relays (Actions -> Settings -> Connections -> "Enable Relaying"). With relaying disabled, you have fewer connectivity options (either two nodes can establish a direct connection, or no connection will be established between them at all). On the other hand, you won’t see syncthing connecting to random IPs anymore*.
*There’s still some chatter to discovery servers, local discovery, STUN and/or usage reporting servers, depending on your configuration. These IP addresses are less likely to trigger security monitoring tools however, since they usually have a better reputation.
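As an added illustration of the setting described in this reply (example code, not from the thread or from the Syncthing project): a small Python audit that reads a Syncthing config.xml, reports which outbound-connection categories it permits (relays, global and local discovery, STUN, usage reporting), and produces a copy with relaying switched off and the "default" listen address replaced by explicit direct listeners. The sample config is constructed; the option names and the assumption that "default" expands to direct TCP/QUIC listeners plus the public relay pool follow Syncthing's documented config format but should be checked against your own config.xml.

```python
"""Audit a Syncthing config.xml for the outbound connections it permits (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample config.xml. The <options> field names are assumed to mirror
# Syncthing's own (relaysEnabled, listenAddress, ...); this is not a real install's file.
SAMPLE_CONFIG = """<configuration version="37">
  <options>
    <listenAddress>default</listenAddress>
    <globalAnnounceServer>default</globalAnnounceServer>
    <globalAnnounceEnabled>true</globalAnnounceEnabled>
    <localAnnounceEnabled>true</localAnnounceEnabled>
    <relaysEnabled>true</relaysEnabled>
    <stunServers>default</stunServers>
    <urAccepted>3</urAccepted>
  </options>
</configuration>
"""

# Listen-address prefixes that route through a relay (a static relay or the dynamic pool).
RELAY_PREFIXES = ("relay://", "dynamic+http")
# Direct listeners substituted when the "default" entry is dropped (assumed values).
DIRECT_LISTENERS = ("tcp://0.0.0.0:22000", "quic://0.0.0.0:22000")


def _options(config_xml):
    root = ET.fromstring(config_xml)
    opts = root.find("options")
    if opts is None:
        raise ValueError("config has no <options> element")
    return root, opts


def _flag(opts, tag):
    el = opts.find(tag)
    return el is not None and (el.text or "").strip().lower() == "true"


def _int_value(opts, tag, default=0):
    el = opts.find(tag)
    try:
        return int((el.text or "").strip()) if el is not None else default
    except ValueError:
        return default


def listen_addresses(config_xml):
    _, opts = _options(config_xml)
    return [el.text.strip() for el in opts.findall("listenAddress") if el.text]


def uses_relay(address):
    # Assumption: "default" expands to direct TCP/QUIC listeners plus the public relay pool.
    return address == "default" or address.startswith(RELAY_PREFIXES)


def audit_outbound(config_xml):
    """Report which outbound-connection categories the config permits."""
    _, opts = _options(config_xml)
    stun = opts.find("stunServers")
    return {
        "relays": _flag(opts, "relaysEnabled")
        and any(uses_relay(a) for a in listen_addresses(config_xml)),
        "global_discovery": _flag(opts, "globalAnnounceEnabled"),
        "local_discovery": _flag(opts, "localAnnounceEnabled"),
        # Simplification: any non-empty stunServers value counts as STUN traffic allowed.
        "stun": stun is not None and bool((stun.text or "").strip()),
        # urAccepted > 0 means usage reporting was accepted (-1 declined, 0 undecided).
        "usage_reporting": _int_value(opts, "urAccepted") > 0,
    }


def disable_relaying(config_xml):
    """Return a copy of the config with relaysEnabled=false and no relay listen addresses."""
    root, opts = _options(config_xml)
    flag = opts.find("relaysEnabled")
    if flag is None:
        flag = ET.SubElement(opts, "relaysEnabled")
    flag.text = "false"
    for el in list(opts.findall("listenAddress")):
        if el.text and uses_relay(el.text.strip()):
            opts.remove(el)
    # Dropping "default" would leave no listeners at all, so add explicit direct ones.
    if not opts.findall("listenAddress"):
        for addr in DIRECT_LISTENERS:
            ET.SubElement(opts, "listenAddress").text = addr
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_outbound(SAMPLE_CONFIG))
    hardened = disable_relaying(SAMPLE_CONFIG)
    print("after: ", audit_outbound(hardened))
    print("listen:", listen_addresses(hardened))
```

Running it on the sample shows relays, discovery, STUN and usage reporting all permitted before, and only relays turned off afterwards, which matches the footnote: disabling relaying stops the connections to arbitrary relay IPs, but discovery, STUN and usage-reporting traffic remain unless those options are changed too.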
As the program is still so new to me I think for the time being I’ll just have a look at that in the settings but I think it’s better that I leave things alone and give myself more time to watch how it’s all working and familiarise myself more with the program and then decide on any changes.
I’m only guessing but this happened after I turned on my PC so possibly before it had time to finish booting and connect directly with my phone Syncthing tried using these 2 relays which turned out to be dubious. Now that I’ve whitelisted the EXE file the warnings will probably stop now anyway.
Having googled both IPs they have been reported plenty of times in the past for spam activity but since no-one was trying to actually break into my own system I probably don’t need to worry too much. I can always turn relays off if they persist.