{"id":31838,"date":"2023-09-30T16:51:05","date_gmt":"2023-09-30T14:51:05","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=31838"},"modified":"2023-10-01T22:34:49","modified_gmt":"2023-10-01T20:34:49","slug":"tor-exe-microsoft-defender-triggers-an-trojanwin32-malgentmtb-alert","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2023\/09\/30\/tor-exe-microsoft-defender-triggers-an-trojanwin32-malgentmtb-alert\/","title":{"rendered":"Tor.exe: Microsoft Defender triggers an \"Trojan:Win32\/Malgent!MTB\" alert"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Sicherheit (Pexels, allgemeine Nutzung)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" alt=\"Sicherheit (Pexels, allgemeine Nutzung)\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2023\/09\/30\/microsoft-defender-lst-bei-tor-exe-warnung-vor-trojanwin32-malgentmtb-aus\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]A few hours ago, the Tor browser received a security update that closed a vulnerability. Now Microsoft Defender in the form of Windows Security triggers an alert when the Tor browser is called up and quarantines the tor.exe file. It warns about a \"Trojan:Win32\/Malgent!MTB\".<\/p>\n<p><!--more--><\/p>\n<p>Patrick alerted me to this via email (thanks for that) and wrote that \"tor.exe\" (Tor Browser) is detected by Microsoft's Windows Security today, 2023-09-30, as \"Trojan:Win32\/Malgent!MTB\". 
He uses the following version:<\/p>\n<p>Tor Browser 12.5.5<br \/>\nFile: tor.exe (7.804.416 Bytes)<br \/>\nSHA256: 3807d96998a15aed25ec9a95c3183385c6c73f6dde811ef2452c30f5f7df2810<\/p>\n<p><img decoding=\"async\" title=\"Defender alert for tor\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2023\/09\/Defender-Tor01.jpg\" alt=\"Defender alert for tor\" \/><\/p>\n<p>I immediately checked my Tor installation on a German Windows 10 and indeed got an alert via toast notification (see above) and the following display in Windows Security.<\/p>\n<p><img decoding=\"async\" title=\"tor.exe: Defender warns about &quot;Trojan:Win32\/Malgent!MTB&quot;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2023\/09\/Defender-Tor.jpg\" alt=\"tor.exe: Defender warns about &quot;Trojan:Win32\/Malgent!MTB&quot;\" \/><\/p>\n<p>Patrick then uploaded the file to VirusTotal and writes that currently 3 virus scanners detect a Trojan. When I called up the <a href=\"https:\/\/www.virustotal.com\/gui\/file\/3807d96998a15aed25ec9a95c3183385c6c73f6dde811ef2452c30f5f7df2810\" target=\"_blank\" rel=\"noopener\">VirusTotal page<\/a> in question, there were already four scanners that hit.<\/p>\n<p><a href=\"https:\/\/www.virustotal.com\/gui\/file\/3807d96998a15aed25ec9a95c3183385c6c73f6dde811ef2452c30f5f7df2810\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"tor.exe: at virustotal\" src=\"https:\/\/i.postimg.cc\/XJkXRv9p\/image.png\" alt=\"tor.exe: at virustotal\" \/><\/a><\/p>\n<p>The status of the Windows virus signatures at the time of the scan is: 1.397.1801.0 and 1.397.1814.0 (2023-09-30 06:13).<\/p>\n<p>Patrick then downloaded the package again from the archive at <a href=\"https:\/\/archive.torproject.org\/tor-package-archive\/torbrowser\" target=\"_blank\" rel=\"noopener\">www.torproject.org<\/a> and checked the PGP signatures as well. 
The file \"tor.exe\" has the same SHA256 checksum, and the updated virus signatures still produce the security message, rated as \"severe\", in Windows 10. The analysis page at VirusTotal for the uploaded tor.exe file kept updating today, Patrick writes.<\/p>\n<p>Blog reader Stefan also just got in touch by mail and writes:<\/p>\n<blockquote><p>Hello G\u00fcnter,<\/p>\n<p>just updated Tor Browser and Windows Defender detects Tor.exe as trojan and quarantines it. I suspect a false positive.<\/p><\/blockquote>\n<p>He also gave me a link <a href=\"https:\/\/www.reddit.com\/r\/TOR\/comments\/16w2v3e\/detected_trojanwin32malgentmtb_by_windows\/\" target=\"_blank\" rel=\"noopener\">to reddit.com<\/a>, where you can also find a user comment. Other users confirm this observation. This means that a lot of people cannot currently run the Tor Bundle or have to define an exception if it is a false positive.<\/p>\n<p>There is a second <a href=\"https:\/\/www.reddit.com\/r\/TOR\/comments\/16w1ef9\/unable_to_establish_a_connection_to_tor\/\" target=\"_blank\" rel=\"noopener\">reddit.com post<\/a> on the subject where someone wrote that re-downloading and installing the Tor bundle stopped the false alarm for them. My attempt to reinstall Tor from an old installer did work, and Tor started again. However, after the auto-update, Defender again triggered an alert and moved tor.exe to quarantine. For now I will pause using Tor until the issue is resolved.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]A few hours ago, the Tor browser received a security update that closed a vulnerability. Now Microsoft Defender in the form of Windows Security triggers an alert when the Tor browser is called up and quarantines the tor.exe file. 
It &hellip; <a href=\"https:\/\/borncity.com\/win\/2023\/09\/30\/tor-exe-microsoft-defender-triggers-an-trojanwin32-malgentmtb-alert\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547],"tags":[773,69,529],"class_list":["post-31838","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-defender","tag-security","tag-tor"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/31838","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=31838"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/31838\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=31838"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=31838"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=31838"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}