Riddick

AirVPN useless for work environment due to red flags caused by VirusTotal


Hi all,
Not so recently I was reprimanded by the cyber security division at work. It seems that the majority of AirVPN IPs (running via a VPN router, by the way) are flagged as malicious or even as suspicious by security vendors that I have never heard of? :D
I am sure that these are false positives/negatives caused by the virus software scan engine protection (I was surprised that they have implemented the VirusTotal API to scan IPs as well in the background), but still I would prefer to stay somewhat anonymous (as in, they don't need to know my real IP) on a personal and/or work environment level!

Any suggestions?
My VPN router also supports the WireGuard protocol. Are there any AirVPN servers that are not flagged as malicious/suspicious by VirusTotal, or is it a matter of time until these get flagged as well?
Thanks.

Below are some examples of AirVPN IPs reported as malicious by VirusTotal:
VirusTotal Link 1
VirusTotal Link 2
VirusTotal Link 3
VirusTotal Link 4


You're not afraid of the dark web, are you?

3 hours ago, Riddick said:

I am sure that these are false positives/negatives caused by the virus software scan engine protection


Nah, they've got a point. Behind these IPs there might be people who are hosting malware and such, so IPs being flagged are a normal occurrence.

I'm more astounded you're not listening when you're being chastised. They're doing their job trying to protect the company, yet here you are piling on work for them for such a petty reason. If I were ITsec in your company, I'd restrict you by any means necessary to prevent you from turning your computer into the perfect attack vector.
Unless, of course, you hate your company and the people working there, then go ahead. :D

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

10 hours ago, OpenSourcerer said:
Nah, they've got a point. Behind these IPs there might be people who are hosting malware and such, so IPs being flagged are a normal occurrence.

Hello!

Oh no, absolutely not, a clarification is due here. The VPN connection is performed to entry-IP addresses which never send out packets to the Internet except to the clients of the VPN itself. And actually entry-IP addresses of our servers are clean, they are not included in any decent black list, as you can verify (and it's blatantly obvious, as they are "isolated", nobody can make anything reachable behind an entry-IP address). If confirmed, this is a VirusTotal undue overblocking and/or false positive warning. Malwarebytes does something similar (for example, it blocks a whole /22 subnet when just one IP address inside that vast subnet is suspicious, according to recent reports).

Kind regards

… nah nah, you see, it's way easier for admins to block the whole range than individual IP addresses. The entries might be clean, but every server has got four different exits. Blocking one will leave the other three exits untouched through which the same cause for the block can be continued easily. If you want to differentiate between them, you'll be fed up with the third violation from a very similar IP address at the latest and just go on to block its /24 v4 or /64 v6 to spare you the time. One can call this overblocking, but the truth is, it does make it harder for abusers. This is a clear disadvantage when using VPNs, and we need to treat it like that instead of pointing fingers.

For example, I see this with login attempts to all the mail servers I manage: Blocking individual IPs is exceedingly time-consuming because the operators will simply use another one in a /24 v4 or from the same data center.

Also, one can assume ITsec knows of this overblocking, and maybe the IP config of AirVPN's servers, so they see it as a means to kill two birds with one stone: Block connections to these IP addresses to avoid contacting malware hosting or what have you, and also prevent connections to VPN services. :)

2 hours ago, OpenSourcerer said:

The entries might be clean, but every server has got four different exits.


Hello!

Each AirVPN server has one exit IPv4 address and one exit IPv6 address. They are not exchanged with entry-IP addresses, so as not to wreak havoc on customers who have configuration files and on those whitelisting exit IP addresses to access their own services on the Internet via the VPN.
OpenSourcerer said:

Blocking individual IPs is exceedingly time-consuming because the operators will simply use another one in a /24 v4 or from the same data center.


Blocking a specific IP address once verified evidence of abuse has been gathered is the behavior of all the serious black lists around, without exception. Over-blocking is the inept behavior which sooner or later leads to disasters, for example when Malwarebytes blocked all of Google and YouTube and an entire AS hosting hundreds or thousands of perfectly safe web sites.

Kind regards
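As an added illustration of the two policies argued over in the last two posts (blocking only verified addresses versus expanding every report to its /24 or /64), and not code from the forum or from AirVPN, this Python snippet uses constructed documentation-range addresses and the standard ipaddress module to show how an entry address that never originates traffic is caught only under the aggregated policy, and how much collateral each policy carries:

```python
import ipaddress

# Constructed sample addresses from RFC 5737 documentation ranges, not real
# AirVPN servers: three exit addresses that generated abuse reports and an
# entry address in the same /24 that never originates traffic to the Internet.
ABUSE_REPORTS = ["203.0.113.77", "203.0.113.78", "203.0.113.79"]
ENTRY_IP = "203.0.113.10"
UNRELATED_IP = "198.51.100.5"


def exact_blocklist(reports):
    """Block only the addresses for which there is verified evidence."""
    return {ipaddress.ip_network(r) for r in reports}


def aggregated_blocklist(reports, v4_prefix=24, v6_prefix=64):
    """Expand each reported address to its enclosing /24 (v4) or /64 (v6),
    the time-saving shortcut described in the thread."""
    nets = set()
    for r in reports:
        addr = ipaddress.ip_address(r)
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        # strict=False lets host bits be present and zeroes them for us.
        nets.add(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return nets


def is_blocked(ip, blocklist):
    """True if ip falls inside any network on the blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def collateral(blocklist, reports):
    """Number of addresses blocked without any abuse report against them."""
    covered = sum(net.num_addresses for net in blocklist)
    return covered - len({ipaddress.ip_address(r) for r in reports})


if __name__ == "__main__":
    exact = exact_blocklist(ABUSE_REPORTS)
    by_24 = aggregated_blocklist(ABUSE_REPORTS)
    by_22 = aggregated_blocklist(ABUSE_REPORTS, v4_prefix=22)  # /22 as in the Malwarebytes report
    for name, bl in (("exact", exact), ("/24", by_24), ("/22", by_22)):
        print(f"{name:>5}: entry blocked={is_blocked(ENTRY_IP, bl)}, "
              f"collateral={collateral(bl, ABUSE_REPORTS)}")
```

Running it shows the entry address untouched by the exact list but swept in by both aggregated lists, with 253 and 1021 collateral addresses respectively.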
2 minutes ago, Staff said:

Each AirVPN server has one exit IPv4 address and one exit IPv6 address. They are not exchanged with entry-IP addresses, so as not to wreak havoc on customers who have configuration files and on those whitelisting exit IP addresses to access their own services on the Internet via the VPN.


Aaaah I mixed those up. You're right. 🤦‍♂️ Enough internet for today, I guess. :D

Maybe you should connect to AirVPN through a WireGuard server on your home computer or a VPS.

Make sure you don't nest WireGuard in WireGuard. You could route packets between two WireGuard interfaces; routing between two WireGuard interfaces doesn't nest WireGuard inside WireGuard.

Proton VPN has a feature named alternative routing which offers different entry points for people behind a restrictive firewall that prohibits connecting to VPN entry points.

https://proton.me/blog/anti-censorship-alternative-routing