Problem with my antivirus after updating Tor Browser

Hello,

I’ve been having the following problem on and off since at least November of 2023: after I update Tor Browser, my antivirus (Avira, free version, and I’m using Windows 10) quarantines firefox.exe, telling me that there is a threat named Drop.Win64.MemMapSelf.3174 (or Drop.Win64.MemMapSelf.15575, or Drop.Win64.MemMapSelf.15722, the string of numbers at the end changes each time, even when I use the same installer twice), but neither Avira’s homepage nor Google will tell me what kind of threat Drop.Win64.MemMapSelf is supposed to be. I strongly suspect a false positive, but I’d still like to be sure…

Here is how it happens:

  • I allow Tor Browser to update, or I download the installer to be sure that I’m having a clean install. In the latter case, Avira doesn’t detect a problem with the installer, or with the Tor Browser folder once the installation is complete.
  • I (re)launch Tor Browser.
  • Tor Browser connects to the Tor network.
  • after a couple of minutes, Tor Browser freezes up.
  • if I wait long enough, Tor Browser ends up crashing. I then get a message from Avira telling me that firefox.exe has been moved to quarantine due to threat Drop.Win64.MemMapSelf, and a request to reboot to remove all threats. The same thing happens if I use Task Manager to close the frozen Tor Browser.
  • if I retrieve firefox.exe from quarantine, Avira then leaves Tor Browser alone, until the next time I allow Tor Browser to update.

Best I can tell, it looks like something is written/created when Tor Browser first launches that Avira doesn’t like. The problem has happened no matter if the security level is set to standard or to safest.

Another bug that I’ve been having for quite some time is that after it has been running for a while, Tor Browser sometimes slows down to a crawl until a message telling me that there is a problem with a script pops up. Choosing the option to shut down the script usually only makes things worse, while choosing the option to let it keep trying to run causes the “a new version of Tor Browser is available” message to then pop up.

When you have Avira scan the Tor browser folder, does it give a warning or a green light? What about the whole machine?

In the case where you do a fresh install, delete the Tor browser folder first. This will eliminate residue, if any, in the folder. Now you have a real clean install.

Maybe it has to do with where you go or what you do while browsing.

You can scan the whole machine with another AV. Emsisoft allows you to download a standalone copy onto a USB stick from which you can scan the machine.

No warnings when I scan the Tor browser folder or when I scan the whole drive where I have it or the whole machine.

As for deleting the Tor browser folder first, I always do it before a fresh install.

Regarding Tor Browser freezing up then crashing that way, it only does it the one time the first time it is launched after an update, even if I only go to DuckDuckGo, so I’m pretty sure it is due to Avira sending firefox.exe to the quarantine area. Once I retrieve firefox.exe from quarantine, Avira seems to consider that this version of Tor Browser is authorized, until it gets updated and then it treats it as a threat again, sending firefox.exe to quarantine again, rinse and repeat.

I did scan the Tor Browser folder with Trend Micro Housecall, it didn’t detect anything. I must confess that I didn’t have it scan my whole machine yet, as an in-depth scan of all my drives takes forever.

It seems you did exactly what I would have done. Out of ideas.

Is there no way to make an exception in Avira to not quarantine tor.exe?

Agreed about a full scan. Mine would be forever minus 1 minute. :grinning:

Well, restoring firefox.exe isn’t difficult, you just have to go to the quarantine area of Avira, select the file and click “restore.” It’s a bit annoying to have to do it after each update of Tor Browser, but it isn’t a big deal. What does bother me more is being only 99% sure that the whole problem is just a false positive: that remaining 1% uncertainty keeps nagging me…

I ended up doing a full scan (with Avira) of the drive where I have my Tor Browser install: it took several hours, but it ended up telling me that the drive was clean. Then I decided to do the same with C:… As expected, it took ages, and Avira kept telling me that the progression was at 30%, no matter if it had scanned 40’000 files or 1’500’000 files. The bigger problem was that it also caused my geriatric PC to lag more and more until it froze completely, despite me not having any memory-gobbling apps open. It got to the point that I had to physically reboot the PC. The second attempt was more successful, though it still caused my PC to lag like crazy, and it didn’t find anything on C: either.

You can send the file to Avira for further analysis:
How do I submit suspicious files and URLs to Avira Virus Lab?

Or ask other scanners (VirusTotal) for their opinion.

I just checked the tor.exe file since 13.5.5 and it has not changed; not even the date.

Name: tor.exe 13.5.7
Size: 8984064 bytes (8773 KiB)
SHA256: 6b866c187a0dee2fb751a8990d50dc1ed83f68e025720081e4d8e27097067dc8

Name: tor.exe 13.5.6
Size: 8984064 bytes (8773 KiB)
SHA256: 6b866c187a0dee2fb751a8990d50dc1ed83f68e025720081e4d8e27097067dc8

Name: tor.exe 13.5.5
Size: 8984064 bytes (8773 KiB)
SHA256: 6b866c187a0dee2fb751a8990d50dc1ed83f68e025720081e4d8e27097067dc8

Forgot: so VirusTotal would not complain for 13.5.7 if it did not complain for version 13.5.5
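
The last post compares tor.exe hashes across three versions by hand; the sketch below generalises that check to every .exe and .dll in two install folders, so you can see which binaries an update actually replaced. It is an added example, not code posted by anyone in the thread, and the folder layout and file contents inside `demo()` are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

BINARY_SUFFIXES = {".exe", ".dll"}

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest(root):
    """Map each binary's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in BINARY_SUFFIXES
    }

def compare_installs(old_root, new_root):
    """Classify binaries as unchanged, changed, added or removed between two installs."""
    old, new = manifest(old_root), manifest(new_root)
    shared = old.keys() & new.keys()
    return {
        "unchanged": sorted(n for n in shared if old[n] == new[n]),
        "changed": sorted(n for n in shared if old[n] != new[n]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }

def demo():
    """Constructed sample: two fake install trees with placeholder file contents."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = Path(tmp, "old"), Path(tmp, "new")
        for root, browser_bytes in ((old, b"browser build A"), (new, b"browser build B")):
            (root / "Browser" / "TorBrowser" / "Tor").mkdir(parents=True)
            (root / "Browser" / "firefox.exe").write_bytes(browser_bytes)
            # Same bytes in both trees, like the identical tor.exe hashes above.
            (root / "Browser" / "TorBrowser" / "Tor" / "tor.exe").write_bytes(b"same tor build")
        return compare_installs(old, new)

if __name__ == "__main__":
    for status, names in demo().items():
        print(status, names)
```

To use it on real installs, keep a copy of the previous Tor Browser folder before updating and call `compare_installs(old_folder, new_folder)`; files listed as unchanged will get the same verdict from any hash-based scanner lookup as they did before.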