Malwarebytes flagging roon.exe again

Malwarebytes is consistently reporting malvertising (malware/malicious advertising/phishing) for Roon. Normally I would ignore it, but even on looking at this superficially, roon.exe seems to be trying to make a connection to a very specific IP address that, when you look it up, has been reused across a ton of bad actors of one kind or another. My concern is this. Every time Roon starts up it calls home, nothing wrong with that, but why is it calling to a seemingly unaffiliated IP? This looks like some kind of hosting service with a reused IP, and if that is what it is then the Roon team really needs to find another hosting service, as this one has so many bad associations that it is going to trigger alarms and alerts everywhere. This particular alert was picked up by Malwarebytes and my UniFi controller. If you look it up on Google you get an entire list of sites that have used this IP, all bad or at minimum sketchy.

Malwarebytes

-Log Details-
Protection Event Date: 2/3/21
Protection Event Time: 3:03 PM
Log File: d95d8414-665a-11eb-80a4-50e549e9689d.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1157
Update Package Version: 1.0.36675
License: Premium

-System Information-
OS: Windows 10 (Build 19041.746)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Users\nothingtoseemovealong\AppData\Local\Roon\Application\Roon.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Malvertising
Domain: softbrotherbreak-9.live
IP Address: 5.189.217.46
Port: 9003
Type: Outbound
File: C:\Users\whyareyoulookinghere\AppData\Local\Roon\Application\Roon.exe

If I go back through the list of IPs used by roon.exe they all end up someplace sketchy. What gives?

Hey @earthling,

Thanks for reaching out and sharing your concerns. We’d love to help with clarification - one of our technicians will reply on this thread as soon as possible.

Cheers,
Rebeka
