Hi @BobbyB
I was writing a post (just out of curiosity) in the Bitdefender forum asking the purpose for the two files which are created when installing a Firefox-based browser. Hope I will get an explanation in brief.
Hi everyone
I just got another phishing attempt while starting up Tor Browser, but this time with a different web address.
That address does have an IP in the US. It might have been a phish but now it says for sale. So it is parked. BitDefender says so also.
ISP: Sharktech
Updated Date: 2026-03-14T05:49:08Z
Creation Date: 2016-11-30T20:01:39Z
Registry Expiry Date: 2026-11-30T20:01:39Z
This will sound dumb but instead of using the shortcut on the desktop to start Tor try double-clicking on firefox.exe in the Tor Browser\Browser folder. As per your zip file the shortcut was created in 2025. It's the only thing which has not changed. I know it makes no sense but…
Thanks Bobby, but I'm getting more and more confused.
Before I continue, I need to know for certain whether this behavior - where tor.exe attempts to establish connections (that seem suspicious to me) and that are flagged as malicious when Tor Browser starts up - is intentional or it must not be (this is crucial) or am I just chasing castles in the air?
Can anyone confirm or deny this with certainty (with proper citations)?
Just as a reminder, tor.exe is the only application or tool on my system that triggers an alert from Bitdefender. None of the other applications or tools - or the operating system itself - report any issues or trigger an alert.
From what I know tor.exe is the proxy for firefox.exe
Yes I know, this whole thing seems impossible. I'm just trying to eliminate how firefox is being called by the shortcut.
I'm out of ideas and grasping at straws. And I can't believe that BitDefender is at fault.
I checked the hashes of tor.exe from your zip file to the tor.exe of that standalone .EXE you pointed to and what I am using right now. They are the same. Ditto for firefox.exe.
Name: tor.exe
Size: 10203136 bytes : 9964 KiB
SHA3-256: e1b5312379489b4524d3d5f0fd08ddbdec59fc810e964220eb1bedd02b606c45
Name: firefox.exe
Size: 1832448 bytes : 1789 KiB
SHA3-256: 1f7e792f9320d917cff58279e851a688a6ce34fd690ae8b7994fb10a7d3d2f96
Edited later:
I only have 1 more trick to try after the direct call of firefox.exe.
This eliminates firefox.exe
Open a command prompt at the folder: Desktop\Tor Browser\Browser\TorBrowser\Tor
Start the Tor proxy by typing: tor
This take a bit. Wait till it says 100%
In a different command prompt type: curl --proxy socks5h://127.0.0.1:9050 http://ip-api.com/json/
This tells you where your exit node is and is an optional step
Then try: curl --proxy socks5h://127.0.0.1:9050 http://77zq.com
Does Bitdefender complain?
I tried out your trick. No, Bitdefender doesn't complain, respectively doesn't gripe.
Yep, I get the same hash values of the two files tor.exe and firefox.exe.
I need to go over this whole thing in my head again from the beginning why the Tor Browser occasionally opens a page which is marked as dangerous when it starts up.
Ah, okay… tor.exe acts as the proxy for firefox.exe. Thanks for the info. I didn't know that. Maybe that will be helpful and can point me in the right direction.
Caveat: I have no understanding of the workings of AV software, but I'm concerned the curl test may give misleading results:
The OP's screenshot shows Bitdefender highlighting the threat as an attempted connection originating from the tor.exe process. The domain is a known phishing domain. If accessing it via curl - even via a proxy - does not trigger a threat detection, then Bitdefender seems to be set up to only flag connection attempts made via certain processes. Curl may even be whitelisted, as if used on the command line the user is explicitly instructing curl to connect to the specified URL(s). Bitdefender may be able to confirm this either way.
As the issue has re-occurred (albeit to a different phishing site) after a reinstall of a verified copy of Tor Browser, Tor Browser is not the problem. It may be that malware is modifying the installation or otherwise hijacking requests. The OP has also said this is a long standing issue:
..this phenomenon started a really long time ago.
The safest thing to do is for the user to reinstall his/her OS.
Hi @Noino
Thank you for your feedback. Unfortunately, I'm not an expert regarding curl and this whole stuff at all.
I was installing the OS from scratch on an external SSD drive with all the programs, tools and drivers etcetera I use yesterday evening. It behaves exactly the same way as I'm used to on my main system. No difference at all. And as said, it only happens with tor.exe. If I have time today, I'll try to look into this phenomenon further. And VirusTotal flags the web site as malicious as well. Therefore, reinstalling my whole main system would be in vain (because I did it on an external SSD yesterday as already mentioned). Not being an expert in this field, I can only describe what I perceive and realize.
But I need an answer to the following post first:
Regards, Uwe
Agreed that malware may be at work but the system was scanned by 3 different AVs so this is why I did not mention it.
I disagree with curl being whitelisted. Why is firefox not whitelisted? I imagine that an AV is checking what is going out on the wire (or maybe coming back) from a network point of view and in this case it was tor.exe whether via curl or firefox.
What has not been tested yet or was not mentioned is bypassing the shortcut and calling Tor firefox directly by clicking on it. What the curl test also did was bypass the 2 files BitDefender added which I mentioned above but I doubt it has anything to do with this.
So what I am really saying is I suspect the shortcut. How, I don't know.
A system reinstall is really an extreme last resort.
Just as a reminder.
Since I set up a new Windows installation from scratch on my external SSD drive and the behavior is the same as on my main system, there is really no need to install the OS for a second time. This is not an issue or phenomenon that comes from Bitdefender.
And again… only tor.exe complains from time to time and no other process on my systems does the same.
By the way… I also set up a new additional 3rd OS in VMware Workstation Pro and the behavior is also the same as in the two other setups.
And again, I'm absolutely no expert regarding this subject. I've simply noticed the phenomenon I mentioned. Since I find it very suspicious and don't have an explanation for it, I'm counting on your help.
It seems that antiviruses analyze the SNI field in the TLS connection and detect these domains.
Tor uses a TLS-like connection to connect to entry guards and vanilla bridges. However, it does not use real SNIs. These are randomly generated values using the www.random_symbols.com mask. If the generated domain matches an entry in an antivirus database, a warning is displayed. But this does not mean that Tor is actually connecting to these sites. It is simply a randomly generated value.
Interesting. It seems there is no deterministic pool then, just random base32 encoded strings. I note the two phishing domains flagged here both fit the criteria used in the crypto_random_hostname() function which is defined here.
These could well be false positive reports by Bitdefender then, but there seems no way to be sure. Conversely, we could be sure we do not have a false positive report if a flagged domain does not fit the pattern - i.e. not prefixed with 'www.' OR a TLD other than '.com' OR not a base32 encoded string. For example, domains including the numbers 0, 1, 8 or 9 cannot have been generated by this function.
The known issues page does not mention Bitdefender and it may be useful to update the page with the specific issue the OP has raised here. In any case, the linked support page on AV software blocking Tor Browser suggests whitelisting tor.exe on Windows. That should solve the issue.
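An added triage helper that applies the rule above to whatever name the AV alert shows. It is my own example, not tor's crypto_random_hostname() and not code from anyone in this thread: only a name of the form www.&lt;lowercase base32&gt;.com could be one of tor's random SNIs, so a flagged name that fails the pattern is a real lookup, while one that fits is merely a possible false positive. The sample alerts are constructed; the first reuses the long random label quoted later in the thread.

```python
import re
from urllib.parse import urlsplit

# Lowercase RFC 4648 base32 alphabet: a-z and 2-7. The digits 0, 1, 8 and 9
# never appear, which alone rules out many real phishing names.
BASE32_LOWER = set("abcdefghijklmnopqrstuvwxyz234567")
_FAKE_SNI_RE = re.compile(r"^www\.[a-z2-7]+\.com$")

def normalise_host(value: str) -> str:
    """Accept a bare host or a full URL (AV alerts print either), lowercase it
    and drop a trailing dot so the pattern check sees only the hostname."""
    v = value.strip().lower()
    if "://" in v:
        v = urlsplit(v).hostname or ""
    return v.rstrip(".")

def fits_tor_fake_sni(value: str) -> bool:
    """True if the name has the www.<base32>.com shape of tor's random SNI."""
    return _FAKE_SNI_RE.match(normalise_host(value)) is not None

def explain(value: str) -> str:
    """Name the first part of the pattern a host fails, for triaging an alert."""
    host = normalise_host(value)
    if not host.startswith("www."):
        return "no www. prefix"
    if not host.endswith(".com"):
        return "TLD is not .com"
    label = host[4:-4]
    if not label:
        return "empty label"
    bad = sorted(c for c in set(label) if c not in BASE32_LOWER)
    if bad:
        return "non-base32 characters: " + "".join(bad)
    return "matches the random-SNI pattern"

# Constructed sample alerts: the first reuses the long random label quoted
# in the thread; the rest are made up to show each way a name can fail.
SAMPLES = {
    "www.zgxdpqcwss7ywl55srf6h.com": True,
    "https://www.ABCDEF234.com/login": True,  # URL form, mixed case
    "www.secure-login.com": False,            # '-' is not base32
    "www.paypa1.com": False,                  # '1' cannot occur
    "login.example.com": False,               # no www. prefix
    "www.abcdef.net": False,                  # wrong TLD
}

def triage(hosts=SAMPLES) -> dict:
    """Map each alerted name to (could it be tor's fake SNI?, reason)."""
    return {h: (fits_tor_fake_sni(h), explain(h)) for h in hosts}
```

A fitting name is not proof of a false positive, since ordinary all-letter domains fit too; the check only tells you when an alert definitely is not tor's random SNI.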
Hello everyone
Here is the current status.
I got an update for Bitdefender and since then I haven't experienced that Bitdefender complains from time to time when I open the Tor Browser via the link on my desktop.
Coincidence?
Maybe. By now, I cannot say for sure that the issue is completely gone. I need a little while yet till I have tried it out thoroughly.
Regards, Uwe
Here is the latest news.
Since I got an update for Bitdefender (also mentioned above), I haven't got any complaints from Bitdefender anymore opening Tor Browser via the desktop link. I have no clue if or what changed, but it seems the strange phenomenon is gone.
Seems to look good by now. Keeping you up-to-date.
FYI I'd made a feature request to log the random SNIs tor uses in TLS so a user can verify that an AV report like this is a false positive - i.e. it is nothing to worry about.
Wow, so the problem was BitDefender. It's something which never even crossed my mind. Good to know good AVs can be wrong.
And/Or use a really long name as in that post: I was running Tor browser while capturing packets on my android. And I noticed this interesting thing
The 2 random domain names cited here were short and just happened to be registered. It's highly unlikely that a domain like zgxdpqcwss7ywl55srf6h would be registered. It's a good choice. If you look at the Phishtank site there are short names used as real phish.
And I suspected the shortcut! Duh!
Yep… it seems strongly that Bitdefender was the 'culprit'. I've not got any complaints anymore since I got the update for Bitdefender.
I don't say the issue is solved, but by now, no outcry popped up anymore and I've tried it out countless times.
But I have no idea what the update did. It isn't explained anywhere either.