New Release: Tor Browser 12.5.6

Yes, I’ve got that problem too.
Windows Defender treats the new version of tor.exe as a trojan and deletes it.
Here is a screenshot:

@Dev guys, could you please look at that?


Yes, there is a problem with tor.exe (0.4.7.15) - Microsoft has flagged this as a Trojan (Win32/Malgent!MTB) and is mercilessly removing tor from both the service and the browser on their Windows systems

The incident happened today

Results: VirusTotal


You’ve got a platform antivirus program removing a needed part to run Tor. I think it is in the project’s interest to get Microsoft to fix this if this truly isn’t a trojan. Otherwise, most Windows users wouldn’t want to (or even can’t) be running this version. The things that people do to get Tor to run now are to 1) reinstall the previous version and pause on update (maybe a dangerous activity for most people in itself) and 2) use tor.exe from the previous release.

This could be a false positive, but it does affect most Windows users. OTH, if this is a true positive, nobody can evaluate it better than the project and Microsoft. The 3CX supply-chain attack started off this way too.


I’m receiving the same results as well! Even not connecting to Tor is a problem.

Same problem as above, after upgrading to 12.5.6, Windows 10 Defender reported a “Trojan:Win32/Malgent!MTB” on “…Tor Browser\Browser\TorBrowser\Tor\tor.exe”.

For now, I replaced the tor.exe with an older version of the exe file, but the Tor Project should avoid such problems because novice users will likely panic because of such a message (namely a virus threat, especially when it is a false positive) which cannot be fixed by “normal” means.

I’m not sure what heuristics Windows Defender uses to determine a “Trojan:Win32/Malgent!MTB”, but running an upgrade and being greeted with such a threat message isn’t helpful for either the project or the user.

I’m assuming that the 12.5.6 release doesn’t contain a Trojan:Win32/Malgent!MTB but an official verification about the non-existence would be much appreciated.

Is there any update regarding the Trojan issue? I would really like to get back to using the Tor Browser soon… waiting for a proper update.

Also, somehow the Mullvad Browser did not have a corresponding update and is still on 12.5.5. Seemed a bit out of place to me.

Looks like there will be Tor Browser 12.5.7 soon enough because they have discovered yet another vulnerability in libvpx (CVE-2023-44488). Looking at the commit log for libvpx, it’s an absolute mine field. I wonder if TB should just set “media.mediasource.vp9.enabled” to false for the time being.


Here is what I learnt when I had this type of problem with Norton.

This is for Windows and assumes a typical standard install onto the desktop.

First the whole Tor browser is just a drop-in folder onto the desktop.

Set the option to NOT auto-update but only give a notice.

When a notice comes in, copy the whole folder to somewhere else like a USB stick.

Do the update.

If your AV thinks it is malware, just delete the whole folder from the desktop, then drop the backup folder back onto the desktop.

Problem solved.

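The backup, check and restore routine described in the post above, written out as a PowerShell script. This is an added illustration, not code from the original post or from the Tor Project; it assumes the default desktop install path, and the expected SHA-256 is a placeholder you fill in from the project's published sha256sums file for the release you installed.

```powershell
# Added example: back up the Tor Browser folder before an update, then check
# whether tor.exe survived the AV scan and restore the backup if it did not.
# Assumptions (not from the thread): default desktop install path, and a
# placeholder hash to be replaced with the value from the Tor Project's
# published sha256sums file for the installed release.
$TorRoot   = Join-Path $env:USERPROFILE 'Desktop\Tor Browser'
$BackupDir = Join-Path $env:USERPROFILE 'Desktop\Tor Browser.bak'
$TorExe    = Join-Path $TorRoot 'Browser\TorBrowser\Tor\tor.exe'
$ExpectedSha256 = '<SHA256-FROM-PROJECT-SHA256SUMS>'   # placeholder value

function Backup-TorBrowser {
    # Step 1 of the post: copy the whole folder somewhere else before updating.
    if (Test-Path $BackupDir) { Remove-Item $BackupDir -Recurse -Force }
    Copy-Item -Path $TorRoot -Destination $BackupDir -Recurse
    Write-Host "Backed up '$TorRoot' to '$BackupDir'"
}

function Test-TorBinary {
    # After the update: is tor.exe still present, and does its hash match the
    # published value? A missing file usually means the AV quarantined it.
    if (-not (Test-Path $TorExe)) {
        Write-Warning "tor.exe is missing; the AV has probably quarantined it"
        return $false
    }
    # Get-FileHash returns uppercase hex; -ne compares case-insensitively.
    $actual = (Get-FileHash -Path $TorExe -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Write-Warning "tor.exe SHA-256 $actual does not match the expected value"
        return $false
    }
    return $true
}

function Restore-TorBrowser {
    # Step 3 of the post: delete the flagged folder and drop the backup back in.
    if (-not (Test-Path $BackupDir)) { throw "No backup found at '$BackupDir'" }
    if (Test-Path $TorRoot) { Remove-Item $TorRoot -Recurse -Force }
    Copy-Item -Path $BackupDir -Destination $TorRoot -Recurse
    Write-Host "Restored '$BackupDir' to '$TorRoot'"
}

# Usage: run Backup-TorBrowser before updating; after the update run
# Test-TorBinary and call Restore-TorBrowser only if it returns $false.
```

Comparing the hash against the project's published sums tells you whether the file on disk is the genuine release, which is the evidence you want before deciding the AV hit is a false positive.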

The most effective thing is: send the binary to the manufacturer of the antivirus software and write that it is recognized incorrectly.
This is how I do it with preinstalled Avast shit on my Android phone.


Yes that is the ultimate solution unless the AV vendor deletes it. (Norton put it in a “quarantine” box.)

But in the meantime you are without Tor. My “trick” is an immediate solution while you wait for the green light from the AV.

Off topic: If Avast is such a shit why not replace it?

Easy fix:

Tor Browser 12.5.6 under Windows triggers firewall block

The solution is to go into Windows Firewall and disable the rule that blocks outbound Firefox connections.

It’s certainly looking that way, seeing as it has a severity score of 7.5/10 from the first analysis and it’s been modified again since then.
https://nvd.nist.gov/vuln/detail/CVE-2023-44488

As far as I understand Tor Browser 13.0 is scheduled to be released today, but there has not been a Firefox release with the fix for CVE-2023-44488 yet. In fact, it hasn’t been cherry picked to their repository either (they don’t seem to use the stock libvpx version). I’m kind of confused here, Firefox devs are usually very fast at fixing things. Maybe Firefox is not affected due to its specific usage of libvpx? Who knows, all of the bug reports are private/restricted.

We had some last-minute fixes for which we decided to push the 13.0 release off by a few days.
We want to publish before Firefox 115.4.0 for sure.

We haven’t heard of scheduled releases from Mozilla, yet. So, 12.5.7 is not scheduled on our side either.
From what I know, earlier fixes weren’t used against Firefox, but only against “other products” (from what Mozilla’s advisories say).


I’m not sure but I think Desktop TBB doesn’t and Android does but I may be completely wrong there.

Would it be advisable to stay off hidden services until a patched version comes out in either 12.5.7 or 13.0? And if using safest mode then doesn’t it negate the vulnerability by default? Sorry if these are idiotic questions.

Well there’s some activity on master now https://github.com/mozilla/gecko-dev/commits/master/media/libvpx

It is preinstalled and can’t be uninstalled or deactivated on the Huawei Phone. :face_vomiting:

Even more OT:
My next phone will be a SHIFTphone 8 with CalyxOS. Or one with a RISC-V CPU (open-standard instruction set architecture, ISA) if I can find one.

Onion services are just normal sites with end-to-end encryption.
I don’t see any specific reason to avoid them.

Click to play should help.
I don’t advise custom configurations, such as disabling VP9, because, like any custom configuration, it might make you fingerprintable.

Sounds like a scheduled update. The bug was opened 4 months ago.
ESR 115 is affected, so we’ll receive it too, at some point. 115.4.0esr is being tagged October 16.


OT: Looks like the old Microsoft trick of times past with their pre-installed stuff or even Google of today.

My logic was that onion services are perhaps more liable to attempt such exploits since the likelihood of tracing it back to its source is so low.