toru
Microsoft has flagged tor.exe of Tor Browser 13.0.10 as Trojan: Wacatac.B!ml. Hope your party notice that.
Yes, I remember that from last year.
Just to be clear, the scan I refer to above was done on a copy of tor.exe which is on my machine which has Norton. It was also NOT flagged by Norton.
The scan was done on a machine which is win10 only (NO Norton).
I just updated Tor on that machine from 13.0.9 to 13.0.10 and Windows security did not flag anything. I even went to the folder and did a specific scan of tor.exe. Nothing.
Here are the checksums for that file:
Name: tor.exe
Size: 8976896 bytes (8766 KiB)
CRC32: 91726039
CRC64: BE0E610C6ACC8DFD
SHA256: 33049016dd8985e97e69d89cad74b59b06488310c0be86d0f83b10ee096b7875
SHA1: ba64b4b7134d9ccda5cdd3624cdc898e3778fb7f
BLAKE2sp: 1b9bd8ab24a1ad8aa221723bb194b124073c9f283b78d463cc310a00be3145e7
When I say “Windows security” I mean whatever comes with the vanilla OS
That would be “Windows Defender”.
So there it is. I should expect that all versions of tor.exe for 13.0.10 to have the same fingerprint. Am I correct or are there different versions of 13.0.10?
Can anyone else confirm this? Can anyone else post a sha256?
I’m going to download a fresh install package of Tor and post.
Have no clue what is meant by this.
EDITED:
OK! I downloaded tor-browser-windows-x86_64-portable-13.0.10.exe and tor-browser-windows-x86_64-portable-13.0.10.exe.asc . Verified the signature.
On that Win10 only machine I deleted the Tor directory from the desktop which eliminated any traces of Tor which was there.
Did the install and scanned tor.exe with Windows Defender. Nothing.
The checksums are the same as my original post.
SO…
Some artificial intelligence told me:
The SHA256 checksum 99FF9BF16318ED3C90500DFC1DEB33A6F3E9B75816BA2AF342FD06D349E9A1A4 (yours) corresponds to a piece of malicious software classified as a cryptocurrency miner. Specifically, it is designed to generate Ethereum (ETH) and Ethereum Classic (ETC) cryptocurrencies. This malware can significantly decrease system performance and pose a risk to device integrity.
Cynet still considers my SHA256 uploaded tor.exe as malicious. Out of 72 vendors they are the only one. Guess they are full of …
It seems the answer to this is because that tor.exe is the 32 bit version of Tor from tor-browser-windows-i686-portable-13.0.10.exe
I get the exact checksums as TORU but Windows Defender does not flag it and neither does Norton.
So ignore the quote from that “artificial intelligence”. It’s BS.
And to answer my question above: Yes, there are different versions of tor.exe 13.0.10
My last reply didn’t get approval since I attached my tor.exe. So I rewrite it below:
"I did the same thing (deleted and reinstalled), then the SHA1 & SHA256 of my tor.exe are the same as yours, and fortunately, no warning anymore.
Obviously, I have zero clue why the update could automatically transform my tor.exe into a ‘cryptocurrency miner’, so I uploaded it for anyone who wants to take a look:"
Thanks, BobbyB, for your detailed information. I admit that it’s highly likely my deleted Tor was 32 bit.
This is a good resolution for you.
The only thing I can think of is that you always had a 32-bit version of the Tor browser bundle. You have to dig a bit now to get the 32-bit version.
You can search Virustotal by hash with your SHA256 hash. I just did and told it to re-analyse its tor.exe again: (25-Feb-2024 10:27 UTC-5). Same results.
I have an idea for those vendors you see on Virustotal but this is not the place. So I can only conclude that the whole thing was a false positive.
It does feel funny to be censored on a Tor Forum. Seems we are all in jail which does make it hard to get to a conclusion of a topic when you need to wait up to a day for approval. They could have just removed the upload pragmatically.
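The thread's resolution (two tor.exe files from the same 13.0.10 release with different hashes because one is the i686 build and the other the x86_64 build) can be checked locally. The following is an added example, not part of any post above: it reads the architecture from the PE header alongside the SHA-256. The function names and the stub headers are constructed for illustration.

```python
import hashlib
import struct
import sys

# COFF "Machine" values from the PE format specification.
MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x86_64 (64-bit)", 0xAA64: "ARM64"}


def pe_machine(data: bytes) -> str:
    """Return the target architecture recorded in a PE file's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if pe_offset + 6 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    return MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})")


def fingerprint(data: bytes) -> dict:
    """SHA-256 plus architecture: the two facts needed to compare two tor.exe copies."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "arch": pe_machine(data)}


def same_build(a: dict, b: dict) -> str:
    """Explain whether two fingerprints can be expected to match."""
    if a["sha256"] == b["sha256"]:
        return "identical file"
    if a["arch"] != b["arch"]:
        return "different architecture builds; hashes are expected to differ"
    return "same architecture but different contents; verify the installer signature"


def constructed_pe(machine: int) -> bytes:
    """Constructed sample: minimal DOS+PE header stub, not a real executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py first\tor.exe second\tor.exe
        prints = [fingerprint(open(p, "rb").read()) for p in sys.argv[1:]]
    else:  # no paths given: fall back to the constructed stubs
        prints = [fingerprint(constructed_pe(m)) for m in (0x014C, 0x8664)]
    for fp in prints:
        print(fp["arch"], fp["sha256"])
    print(same_build(*prints))
```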