Tor.exe: Microsoft Defender triggers an "Trojan:Win32/Malgent!MTB" alert

Gandalf_The_Grey

Level 78
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,766
A few hours ago, the Tor browser received a security update that closed a vulnerability. Now Microsoft Defender in the form of Windows Security triggers an alert when the Tor browser is called up and quarantines the tor.exe file. It warns about a "Trojan:Win32/Malgent!MTB".

Patrick alerted me to this via email (thanks for that) and wrote "tor.exe" (Tor Browser) is detected by Microsoft's Windows Security today, 2023-09-30 as "Trojan:Win32/Malgent!MTB". It uses the following version:

Tor Browser 12.5.5
File: tor.exe (7.804.416 Bytes)
SHA256: 3807d96998a15aed25ec9a95c3183385c6c73f6dde811ef2452c30f5f7df2810

Patrick then uploaded the file times on Virus Total and writes that currently 3 virus scanners detect a Trojan. When I called the virustotal page in question, there were already four scanners that hit.
Currently I will pause the Tor until the issue is resolved.
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,671
It's easy to report false positives to Microsoft and they fix things within 12 hours or less (in my experience).
 

SpyNetGirl

Level 3
Well-known
Jan 30, 2023
113
It's easy to report false positives to Microsoft and they fix things within 12 hours or less (in my experience).

Are you 100% sure it's false positive? (matching hashes with the website doesn't count)
Normally I run it in Windows Sandbox because it uses old firefox. In general I don't trust unsigned software.
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,671
Are you 100% sure it's false positive? (matching hashes with the website doesn't count)
Normally I run it in Windows Sandbox because it uses old firefox. In general I don't trust unsigned software.
I'm not 100% sure of course but I just checked and can confirm that the hash is the same. You have to install it and then look for tor.exe in the folder, eg: ****Tor Browser\Browser\TorBrowser\Tor\tor.exe.
Submitting to Microsoft is the easiest way to verify whether it's a false positive or correct detection. If FP, they'll remove the detection and if not, the detection will stay.
I've submitted it to Microsoft just now.
 

vtqhtr413

Level 26
Well-known
Aug 17, 2017
1,574
I followed a link to a product page on Amazon this morning and there was no issue but when I tried to go to Amazon's home page, Defender stopped it and warned it was an insecure site :love: a clash of titans, it did give the option to ignore and proceed. Need to let the dust settle on this, it will work itself out.
 
Last edited:

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,070
2.jpgSin título.png

Not worried here.:)

 

Gandalf_The_Grey

Level 78
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,766
Microsoft Defender no longer flags Tor Browser as malware
Recent versions of the TorBrowser, specifically because of the updated tor.exe file it contained, were being incorrectly flagged as potential threats by Windows Defender.

Users were alerted to a possible trojan, causing a bit of a stir in the community, but this was a case of false positives.

TorBrowser has an update on this matter. After contacting Microsoft about the issue, TorBrowser received a definitive response.

Microsoft stated, "We've reviewed the submitted files and have determined that they do not fit our definitions of malware or unwanted applications. As such, we've removed the detection."

For users who still see this false positive, Microsoft provided a clear set of instructions to update and clear any previous flags:
  1. Open the command prompt as an administrator.
  2. Navigate to c:\Program Files\Windows Defender.
  3. Run the command “MpCmdRun.exe -removedefinitions -dynamicsignatures”.
  4. Follow it with “MpCmdRun.exe -SignatureUpdate”.
For those who prefer manual updates, Microsoft has made the latest definitions available here.

Similar warnings were also spotted in Virus Total, which relies on third-party security vendors to scan uploaded files.

Some users noted that a preliminary VirusTotal.com check might have prevented this oversight, expressing dismay that such a standard safety measure was apparently overlooked.

A frustrated user remarked, "It's concerning that a release made it to the public without a prior VirusTotal.com check. For an entire weekend, users were left grappling with doubts. Henceforth, every release should be paired with a VirusTotal review. This way, anyone downloading the software can personally ensure no virus detection flags it—at least not at the launch."
 

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,356
I rather think that the detection caused by Microsoft's AI was done because some botnets are hijacking Tor because their C&C servers are in .onion....
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top