Recent versions of TorBrowser were incorrectly flagged as potential threats by Windows Defender, specifically because of the updated tor.exe file they contained.
Users were alerted to a possible trojan, which caused a bit of a stir in the community, but the detection was a false positive.
TorBrowser has an update on this matter. After contacting Microsoft about the issue, TorBrowser received a definitive response.
Microsoft stated, "We've reviewed the submitted files and have determined that they do not fit our definitions of malware or unwanted applications. As such, we've removed the detection."
For users who still see this false positive, Microsoft provided a clear set of instructions to update and clear any previous flags:
- Open the command prompt as an administrator.
- Navigate to c:\Program Files\Windows Defender.
- Run the command "MpCmdRun.exe -removedefinitions -dynamicsignatures".
- Follow it with "MpCmdRun.exe -SignatureUpdate".
For those who prefer manual updates, Microsoft has made the latest definitions available here.
Similar warnings were also spotted on VirusTotal, which relies on third-party security vendors to scan uploaded files.
Some users noted that a preliminary VirusTotal.com check might have prevented this oversight, expressing dismay that such a standard safety measure was apparently overlooked.
A frustrated user remarked, "It's concerning that a release made it to the public without a prior VirusTotal.com check. For an entire weekend, users were left grappling with doubts. Henceforth, every release should be paired with a VirusTotal review. This way, anyone downloading the software can personally ensure no virus detection flags it—at least not at the launch."
Responding to the criticisms, a representative from Tor highlighted some notable points.
- The tor.exe file in question from TorBrowser 12.5.6 isn't a new addition—it's byte-for-byte the same file used in the 12.5.5 version. Interestingly, no issues were reported when that version was launched. Some who found a workaround by downloading 12.5.5 likely downloaded the 32-bit variant, sidestepping the problem quite unintentionally.
- Presently, Tor doesn't have a standing procedure for uploading files to VirusTotal before release.
Microsoft Defender is no longer flagging Tor Browser
As of the latest signature database (version 1.397.1910.0), Windows Defender no longer flags tor.exe as a trojan.
If you found your Tor Browser non-functional recently, here's what you can do:
- Ensure your Windows Defender is updated.
- Either retrieve tor.exe from quarantine or,
- Redownload the TorBrowser directly from the Tor Project website.
And as a safety reminder, it is recommended to verify the signature before installation.
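The remediation steps above as one elevated PowerShell script (an added example, not from Microsoft or the Tor Project): it compares the installed signature version with 1.397.1910.0, runs the two MpCmdRun commands only when the definitions are older, and then lists quarantined items. The function and variable names are illustrative, and the script assumes Defender is installed in the default location named in Microsoft's instructions.

```powershell
#Requires -RunAsAdministrator
# Added example: check Defender signatures against the version the article
# reports as no longer flagging tor.exe, and refresh them if they are older.

$FixedVersion = [version]'1.397.1910.0'   # version quoted in the article
$MpCmdRun     = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Get-SignatureVersion {
    # Get-MpComputerStatus reports the antivirus signature version as a dotted string
    [version](Get-MpComputerStatus).AntivirusSignatureVersion
}

function Test-SignatureIsFixed {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [version]$Required = $FixedVersion
    )
    # [version] compares numerically per field, so 1.397.1910.0 > 1.397.999.0
    $Installed -ge $Required
}

if (-not (Test-Path $MpCmdRun)) {
    throw "MpCmdRun.exe not found at $MpCmdRun"
}

$installed = Get-SignatureVersion
Write-Host "Installed signature version: $installed"

if (-not (Test-SignatureIsFixed -Installed $installed)) {
    # The two commands from Microsoft's instructions: clear dynamic
    # signatures, then download the current definitions.
    & $MpCmdRun -RemoveDefinitions -DynamicSignatures
    & $MpCmdRun -SignatureUpdate
    if ($LASTEXITCODE -ne 0) {
        throw "Signature update failed (exit code $LASTEXITCODE)"
    }

    $installed = Get-SignatureVersion
    if (-not (Test-SignatureIsFixed -Installed $installed)) {
        throw "Signatures are still at $installed, older than $FixedVersion"
    }
    Write-Host "Signatures updated to $installed"
}

# List quarantined items so a quarantined tor.exe can be identified before
# it is restored; restoring is left as a deliberate manual step.
& $MpCmdRun -Restore -ListAll
```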
Comments
beepboopboopbleeep - 8 months ago
Outstanding work by the Microsoft team
AreYouSure - 8 months ago
It's a little concerning when Microsoft blocks one of their competitors. Ironically Edge is more likely to be unsafe than Tor would be.
Shouldn't Microsoft be looking at binaries' signatures to inform malware blocking decisions? Maybe identify binaries whose hashes match trusted software makers' hashes and display more information about its source to end users? Download sites have been doing this for a long time, but somehow Microsoft manages to integrate all sorts of other services into Windows but not one that would create actual trust.