Anti-virus (Avast, AVG) report issue with ip-api.com

My Anti-Virus intercepts a threat each time I execute Quicken. I have run several scans but nothing has been removed and the problem is persistent, as follows:

"We have safely aborted connection on ip-api.com because it was infected with URL: Blacklist."

(http://ip-api.com/xml//)

Anybody recognize this?

Best Answers

  • Quicken Kathryn ✭✭✭✭
    Accepted Answer
    Hi All,
    This issue should now be resolved--thanks, all, for your patience!

Answers

  • Avast has blacklisted ip-api.com.  When Quicken started Avast blocked the connection.  Both Quicken and Avast have the latest updates.  Windows also has the latest updates.

    When starting Quicken, is it normal to connect to that URL?   Is this new with Quicken?  Has IP-API been recently blacklisted or is it an attack site?  Has Quicken been infected?

      
  • I experienced the same problem this morning using AVG. This has never happened before. I have submitted this to AVG, but am waiting for a response.
  • Same problem here with Avast. Just started happening this morning (3-2-2019) and I use Quicken every day. Google search doesn't come up with anything. Quicken seemed to run fine, One Step Update, etc, but more info would be appreciated. Maybe a false positive by Avast (which also owns AVG)? Hopefully, Quicken is not infected somehow.
  • With my Linux PC with no firewall or anti-virus I went to the URL and received the XML below.  The coordinates are not my house, but a park, a few miles from me.  The response shows my location and ISP.  Quicken could want it for marketing or the government/police could want it for financial investigations.  I don't think it is true malware.  The IP-API.com site was most likely blocked for privacy concerns.  

    <?xml version="1.0" encoding="UTF-8"?>
    <query>
    <status><![CDATA[success]]></status>
    <country><![CDATA[United States]]></country>
    <countryCode><![CDATA[US]]></countryCode>
    <region><![CDATA[KS]]></region>
    <regionName><![CDATA[Kansas]]></regionName>
    <city><![CDATA[Overland Park]]></city>
    <zip><![CDATA[66212]]></zip>
    <lat><![CDATA[38.9507]]></lat>
    <lon><![CDATA[-94.6824]]></lon>
    <timezone><![CDATA[America/Chicago]]></timezone>
    <isp><![CDATA[Google Fiber Inc.]]></isp>
    <org><![CDATA[Google Fiber Inc]]></org>
    <as><![CDATA[AS16591 Google Fiber Inc.]]></as>
    <query><![CDATA[0.0.0.0]]></query>
    </query>
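
As an added example (not part of the original post, and not Quicken's or ip-api.com's code): parsing the XML response quoted above to list what a caller of this endpoint learns, which helps when judging whether the blocked request matters. The function names and the grouping into location and network fields are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the response quoted in the post above, trimmed to a few fields.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<query>
<status><![CDATA[success]]></status>
<city><![CDATA[Overland Park]]></city>
<zip><![CDATA[66212]]></zip>
<lat><![CDATA[38.9507]]></lat>
<lon><![CDATA[-94.6824]]></lon>
<isp><![CDATA[Google Fiber Inc.]]></isp>
<as><![CDATA[AS16591 Google Fiber Inc.]]></as>
<query><![CDATA[0.0.0.0]]></query>
</query>"""

# Assumed grouping for this illustration (not taken from the ip-api.com docs).
LOCATION = ("country", "countryCode", "region", "regionName", "city",
            "zip", "lat", "lon", "timezone")
NETWORK = ("isp", "org", "as", "query")


def parse_response(data: bytes) -> dict:
    """Return {tag: text} for the direct children of the root <query> element."""
    # The URL in the thread is plain http://, so the body is unauthenticated:
    # refuse DTD/entity declarations instead of letting the parser expand them.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(data)
    if root.tag != "query":
        raise ValueError("unexpected root element: " + root.tag)
    # The root and the child holding the caller's IP are both named <query>,
    # so iterate direct children rather than searching the tree by tag name.
    return {child.tag: (child.text or "").strip() for child in root}


def disclosed(fields: dict) -> dict:
    """Split a parsed response into what it reveals about place and network."""
    if fields.get("status") != "success":
        return {"location": {}, "network": {}}
    return {
        "location": {k: fields[k] for k in LOCATION if k in fields},
        "network": {k: fields[k] for k in NETWORK if k in fields},
    }


if __name__ == "__main__":
    for group, values in disclosed(parse_response(SAMPLE)).items():
        print(group, values)
```
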

  • stuartbruce Member
    edited March 2019
    Getting same error message from AVG. See screenshot.
  • Yes, that sounds right. I looked up ip-api.com and it's a site that provides the location info on a given ip address. Not sure why Quicken would be using the site, not sure why they need my ip address info? I have used Quicken while traveling in the US and Europe and this is the first time this has occurred. Hopefully someone from Quicken if they monitor this community will explain.
  • rwmol Member ✭✭
    Same thing here.
  • rwmol Member ✭✭
    I added an exception to AVG and the warning is now gone.
  • How do you add in the exception?
  • rwmol Member ✭✭
    Open AVG. At the top right, click on Menu. Click on Settings. Click on Exceptions. Click on Urls. In the blank field below, enter http://ip-api.com/xml/. Click OK.

  • Adding an exception works to remove the warning but the real question is why is Quicken going there and/or why is Avast/AVG flagging it? A real threat or just a false positive? I can't find anything on Google to say whether ip-api.com is legit or not.
  • I am also using Avast Premium, which I have had for years.
  • splasher SuperUser ✭✭✭✭✭
    Sounds like Avast is generating a false positive since only Avast is reporting this.  Norton is definitely not reporting it.
    -splasher  using Q since 1996 -  QW 2017 & Subscription  -  Win10
    -Questions? Check out the  Quicken Windows FAQ list

  • rwmol Member ✭✭
    Dear Quicken:  I have to ask the question of why you are publishing software which activates your users' anti-virus software?  I would hope that your QA people have anti-virus software on their test machines and would have run into this before it was released.
    My exact thoughts.
  • rwmol Member ✭✭
    1. IP-API.com - Geolocation API - Documentation

      ip-api.com/docs

      Overview. This documentation is intended for developers who want to write applications that can query IP-API. To perform a query, you need to send a request, specifying a data format and some optional arguments, and will receive a formatted response.


  • Mike Peterson Member
    edited March 2019
    Maybe related?

    I checked a few of the logs and saw this in the cloud services one.  Happens after opening file and before providing credentials to update any accounts. 

    ################### Saturday, March 2, 2019, 14:39:10 #####################
    ERROR:Exception in trying to get user region The underlying connection was closed: An unexpected error occurred on a receive.

    I've been away for a few days so not sure when it started but I first noticed it today (2-Mar-2019)
  • Same problem with Quicken this morning - Avast blocks ip-api.com. The site looks safe enough, but  I can't think of any legitimate reason Quicken wants to know where I am (especially without asking my permission).
  • Rocket J Squirrel SuperUser ✭✭✭✭✭
    If somebody halfway around the world runs Quicken using my Quicken ID, I’d want to know about it.
    Quicken user since version 2 for DOS, now using QWin Premier Subscription on Win10 Pro.
  • I am getting the same warning from Avast.


  • Dan Glynhampton SuperUser ✭✭✭✭✭
    Dear Quicken:  I have to ask the question of why you are publishing software which activates your users' anti-virus software?  I would hope that your QA people have anti-virus software on their test machines and would have run into this before it was released.
    I trust you have also been in touch with Avast/AVG and asked them why they are publishing updates to their definitions which prevent your legitimate software on your computer from operating correctly? Don’t AVG test any of this stuff before they release it?
    US Quicken Deluxe for Windows 2020 R25.10 on Windows 10 Pro v1909
  • jl747 SuperUser ✭✭✭✭✭
    Here are 2 posts from AVG and Avast about the False Positive (FP).

    Avast
    There is a link in the above post to report a FP.

    AVG

    Hope this helps



    Quicken Windows Deluxe (Subscription)
    Windows 10 Pro 1903
  • morezan Member
    Same issue here since 2-27-2019. I'm not making an exception for this. If Quicken needs to know my location every time I use my PAID subscription it means they are modeling new ways to charge us even more in the future. Are subscription rates going to be tiered based on your zip code or how often you travel outside of it?
  • slb0224 Member ✭✭
    Same issue here. I reported a possible FP to Avast.
  • drh27410 Member
    Same issue with my Quicken Deluxe 2019 and Avast on my Windows10 laptop (latest 64-bit software).   Any response from Quicken or Avast on this issue?
  • Greg_the_Geek SuperUser ✭✭✭✭✭
    Did you click on the link in jl747's post?
    Quicken 2017 H&B - Windows 10
  • Hi -  I've encountered the same issue of the blocked URL ip-api.com with Avast AV.  I reported it to Avast as a false positive.  In the meantime, I created an exception in Avast by doing this:  
    Click "Menu"
    Click "Settings"
    Click "Exceptions"
    Click "Add Exception"
    Type in "http://ip-api.com" (without the quotes)
    Click "Add Exception"
    Close Avast & try Quicken again.  Works fine for me.
  • Each time I open Quicken now, I get this message from my antivirus program: "Threat Secured. We have aborted connection on ip-api.com because it was infected with URL: Blacklist. Quicken\qw.exe."  Any thoughts?
  • Thank you very much. I will load an exception in AVG to stop the annoyance. 
  • dave1 Member
    AVG "safely aborted connection on ip-api.com because it was infected with URL:Blacklist"   from C:\Program Files(x86)\Quicken\qw.exe
    I wouldn't expect Quicken to make a url call to a blacklisted ip address.
    This happens every time I start Quicken.
    Anyone know what I can do about this?  Besides not starting Quicken on a Windows 7.0 machine
This discussion has been closed.