[German]A few hours ago, the Tor browser received a security update that closed a vulnerability. Now Microsoft Defender in the form of Windows Security triggers an alert when the Tor browser is called up and quarantines the tor.exe file. It warns about a "Trojan:Win32/Malgent!MTB".
Advertising
Patrick alerted me to this via email (thanks for that) and wrote "tor.exe" (Tor Browser) is detected by Microsoft's Windows Security today, 2023-09-30 as "Trojan:Win32/Malgent!MTB". It uses the following version:
Tor Browser 12.5.5
File: tor.exe (7.804.416 Bytes)
SHA256: 3807d96998a15aed25ec9a95c3183385c6c73f6dde811ef2452c30f5f7df2810
I immediately checked my Tor installation on a German Windows 10 and indeed got an alert via Toast notification (see above) and in Windows Security the following display.
Advertising
Patrick then uploaded the file times on Virus Total and writes that currently 3 virus scanners detect a Trojan. When I called the virustotal page in question, there were already four scanners that hit.
The status of the Windows virus signatures at scan is: 1.397.1801.0 and 1.397.1814.0 (2023-09-30 06:13).
Patrick then downloaded again from www.torproject.org from the archive and checked the PGP signatures as well. The file "tor.exe" has the same 256 checksum and the updated virus signatures still give the security message rated as "severe" in Windows 10. The analysis page at Virus Total for the uploaded tor.exe file kept updating today, Patrick writes.
Blog reader Stefan also just got in touch by mail and writes:
Hello Günter,
just updated Tor Browser and Windows Defender detects Tor.exe as trojan and quarantines it. I suspect a false positive.
He also gave me a link to reddit.com, where you can also find a user comment. Other users confirm this observation. This means that a lot of people cannot currently run Tor Bundle or have to define an exception if it is a false positive.
There is a second reddit.com post on the subject where someone wrote that re-downloading and installing the Tor bundle stopped the false alarm for them. My attempt to reinstall an old installer of Tor did work and the Tor started again. However, after the auto-update, Defender again triggers an alert and moved the tor.exe to quarantine. Currently I will pause the Tor until the issue is resolved.
It seems this may be caused by Tor's introduction of proof-of-work as a deterrent for DOS attacks: Introducing Proof-of-Work Defense for Onion Services
See reddit.com: Detected Trojan:Win32/Malgent!MTB by Windows defender. What should I do?
It seems that a new Defender definition file solved the issue.
Updated Windows security 2023-10-01 11:14 to Security intelligence version: 1.397.1873.0 on Windows 11
Tor:12.5.6 (based on Mozilla Firefox 102.15.1esr) (64-bit)
Scanned Tor folder: Nor current threats.
And the alert is gone.
Was using Tor daily in last week with this new PoW service build on obfs4 bridge withouts issues. But as of today with latest build update something triggered malware alert only when streaming an odd embedded video on a common website. I wonder if this tor PoW detects streaming now as a potential DDOS attack and activates.
TOR does not work now. Even a reinstall did not work. MS Defender has flagged a Trojan. Not sure what is happening. But no TOR for two days.
Happened to me as well
Microsoft…*rolls eyes**
Obviously false positive…defined an exception..moved on….nothing to see here ;)
Just loaded Alpha Release from Tor website.
When asked, installed into existing directory.
No more Defender alerts.
Appears to be working fine.
After a few days will go back to standard release and see if issue has been resolved.
Thank you so much. The Alpha version works for me too.
Don't know if anything has been done, but I went into Defender and added the TOR download file.
ONLY AFTER doing that I was able to open the file and reinstall TOR.