Hi Roy-Blaker,
Believe it or not, your issue sounds like the exact problem I was having which led me to discover Glasswire back in November of 2017.
The problem that I was having is that I was on a metered mobile data service from my ISP (from memory it was 30GB which I had to use within six months) and as I was careful in my data usage (I had no need for videos, gaming or anything data hungry), I knew that amount of data back then would have lasted me at least three months.
Anyway, every now and again (the times were random) something would just eat about 10GB of my data allowance and I could never account for what had happened as I was always so careful with my bandwidth, disconnecting when not using it and so on.
In Australia mobile data was (and is still) quite expensive so that 30GB back then cost me about AUD$125 (about USD$100 approx) and because I was using the mobile connection mainly for financial news and data, these 10GB bites out of my plans was costing me about AUD$35 each time it happened and I went from annoyed to furious as it kept recurring.
I raised a support request with my ISP at the time (Vodafone) who could not determine what was consuming the bandwidth, so I pushed the envelope with them and asked them to do a full forensic investigation of all usage on my connection to find out if the problem was leakage on their end as I knew it was nothing I was actively doing. I could even isolate the exact times when these 10GB chunks were being used (the amounts were in fact random, but almost always around 10GB or more; 9.8GB one day, 11.2GB the next time, 10.56GB and so on, but basically it was always around the 10GB amount).
Well, to their credit Vodafone did indeed perform a forensic investigation into my data usage and although they were limited in what they could reveal to me by privacy laws (Australia has quite strict privacy laws), they did tell me in no uncertain terms that there was no problem with the ISP service and that it was a program installed on my PC that was using these 10GB chunks (but they could not reveal the name of the program).
This forced the issue back on me and I started looking around for a forensic grade packet sniffer to try to help me identify all traffic into and out of my laptop, I knew of no other way to isolate the program, app or process that was using the data as the amount was way above my normal usage.
That’s when thankfully I found Glasswire and I watched the data usage like a hawk to find out what was eating the 10GB intermittently and I eventually found it was - and I am 100% certain of this - SurfEasyVPN.
The SurfEasyVPN program uses a file called “openvpn” or “openvpn64” and it was one of these that was eating the 10GB intermittently (I think I was on a 64bit OS at the time, so I assume it was ‘openvpn64’). I checked my pc thoroughly and the only files which had the openvpn belonged to SurfEasy, so I was sure I had isolated the problem.
I contacted SurfEasy support and they basically denied that what I was describing could actually happen, but that just made it easy for me to uninstall their program and discontinue my subscription with them.
I kept looking around for another VPN that did not use some version of ‘openvpn’ in their program as I knew that it was likely that the exact same thing would happen again with another VPN using that same file. I couldn’t really find anything, it seems many of the better known commercially available VPNs use openvpn, so I just resolved to just to use Tor in the meantime.
And now it’s time for the happy ending, as soon as I stopped using SurfEasyVPN / openvpn the problem stopped and I never had a chunk of 10GB get eaten again.
I rationalized it to myself that in some way the openvpn program would share traffic around their various users to randomize the web traffic and that these 10GB bites were randomized traffic going through my machine and utilising my bandwidth.
Anyway, that’s what happened to me and that’s how it played out. Big thanks to Glasswire who ended the grief by allowing me to analyze my traffic and pinpoint that it was openvpn64 program that was using the bandwidth.
Very best of luck with your investigations, I hope you isolate the problem soon.