Something very curious has happened. Last week, as soon as it turned available, I updated to v.14.5.1 from the Settings window. I also downloaded the .dmg file for archiving from the Tor Project’s website.
This Sunday, however, a scheduled malware scan on the Applications folder dumped the Tor Browser in the Quarantine folder:
I downloaded the 14.5.1 dmg over again, as always from the Tor Project’s site. Comparing it with the archived dmg it turned out that both the created and the modified dates were different, and that the file sizes differed by some kb. I then erased the allegedly infected version and re-installed the Tor from the newly downloaded file. After this, a new malware scan of the whole device showed nothing of concern.
What does all this mean? I haven’t found a single mention of this event anywhere, and descriptions of this Trojan.OSX.Agent are so vague, in my inexperienced eyes (this infection is a first in several decades of working with computers), that I can’t figure out if it could have committed anything or left traces of itself or not. However, I found that “conjure-client” is developed by Palantir, certainly not something that makes me feel comfortable in today’s world.
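The post above compares the archived and the freshly downloaded 14.5.1 disk images by their created/modified dates and by file size. Those two properties say nothing reliable about content: the dates are set by the local filesystem when the file is written, and a size difference of a few kB can come from either a different build or a corrupted download. The added example below (not code from the Tor Project or from the poster) shows the comparison a practitioner would do instead: hash both copies with SHA-256 and compare digests. File names and contents in the demo are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=1 << 20):
    """Return the hex SHA-256 digest of a file, reading it in 1 MiB chunks
    so that a multi-hundred-MB .dmg is not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_downloads(path_a, path_b):
    """Compare two downloaded copies by size and by content hash.

    Timestamps are deliberately not consulted: 'created' and 'modified'
    reflect when the file was written on this machine, not what it contains.
    Two copies with equal SHA-256 digests are byte-for-byte identical;
    different digests mean the bytes differ, whatever the dates say.
    """
    digest_a, digest_b = sha256_of(path_a), sha256_of(path_b)
    return {
        "size_a": os.path.getsize(path_a),
        "size_b": os.path.getsize(path_b),
        "sha256_a": digest_a,
        "sha256_b": digest_b,
        "identical": digest_a == digest_b,
    }


def demo():
    """Build constructed sample files (stand-ins for the two .dmg copies)
    in a temporary directory and run the comparison on them."""
    workdir = tempfile.mkdtemp(prefix="dmg-compare-")
    archived = os.path.join(workdir, "archived-14.5.1.dmg")      # constructed
    redownloaded = os.path.join(workdir, "redownload-14.5.1.dmg")  # constructed
    tampered = os.path.join(workdir, "differs-14.5.1.dmg")         # constructed
    empty = os.path.join(workdir, "empty.dmg")                     # constructed

    payload = b"\x00" * 4096 + b"constructed disk image bytes"
    for path, data in (
        (archived, payload),
        (redownloaded, payload),             # same bytes, written later
        (tampered, payload[:-1] + b"!"),     # one trailing byte changed
        (empty, b""),
    ):
        with open(path, "wb") as f:
            f.write(data)

    return {
        "same": compare_downloads(archived, redownloaded),
        "differs": compare_downloads(archived, tampered),
        "empty_digest": sha256_of(empty),
    }


if __name__ == "__main__":
    result = demo()
    print("same content, different mtime -> identical:",
          result["same"]["identical"])
    print("one byte changed -> identical:", result["differs"]["identical"])
```

The `differs` case is the one to take seriously: equal sizes with different digests means the bytes are not the same file, and the next step is to check each copy against the publisher's signature rather than to trust either one on its own.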
Thank you for your prompt response. However, I may not have explained things clearly enough.
I wouldn’t mind, as you suggest, checking the browser’s signature, but I don’t quite understand how this can be done if updating and installing all take place from within the browser itself. And I would expect this procedure to be sane and safe, coming (I suppose) from your own depository. So I still have to ask: how could the malware, if that’s what it was, get inserted in the update? And: what damage might it have caused in the course of that couple of days – like, say, expanding to other elements in my system and applications?
Moreover, access wasn’t blocked at any moment. I did use this version for a couple of days. I assume that this update installation procedure bypassed the anti-malware application’s attention for files being downloaded. This malware was only detected upon running a routine scan some days after updating.
And, if I may repeat: it’s only one “version” of 14.5.1 that was detected and quarantined, not the different one that I downloaded again. Yet, I found no mention on the website of a first 14.5.1 in need of “repair” or of a “fixed” 14.5.1 being posted for download.
My use of Tor is limited to very few operations, and anyway my understanding of such matters is too limited (therefore my questions) to make it worth testing Conjure and Tor Browser Alpha. So the next question is: is it possible to disable Conjure?
If you downloaded Tor Browser from a trusted source – like our official website over HTTPS – you’re likely fine. However, if you’d like to be sure, you can verify the digital signature of the binary by following this guide: How can I verify Tor Browser's signature? | Tor Project | Support.
Thank you very much. Now I understand a bit better, and I certainly will follow your indications. But I still don’t understand the differences between the two 14.5.1 fetched from your official site only a couple of days from each other.