Tor.exe Detections?


I would like to know what is going on here.

I had used Tor Browser On windows before. All was Great. But right now it seems something weird that Windows just keep deleting the Tor.exe executable file and label it as Severe. Don’t tell me it’s a false Positive detection, cause it’s not.

Here is I am attaching a Screenshot of the Detections.

Windows 11 Pro.
Last version : 10.0.22622 Build 22622
X64 Based

If you need more info, please write below.

Thank you.

1 Like

Don’t tell me it’s a false Positive detection, cause it’s not.

I will tell you it’s a false positive, because as far as I can tell, it is one. I rebuilt that binary from source (which can be done by using this tool), and got the exact same file as in the release.

Now if you are uncomfortable with telling Windows Defender to ignore that file, you can download TorBrowser 32bit from this page, it should work on both Windows 32 and 64 bits, and doesn’t appear to bother Windows Defender.


Don’t forget to verify the PGP signature & checksum after download. :wink:

1 Like

Well, Thanks. I have just tested what you have recommended. but naaah the same detection. things does not add up!

can I ask you what is that detection and what causing it ? been using Tor for the last 5 years. never something like this. I need a based answer if possible. not theory.

Thank you very much for taking time to answer.

Can you confirm you downloaded a file named torbrowser-install-12.5.6_ALL.exe, and not torbrowser-install-win64-12.5.6_ALL.exe? You would be the first one to report an issue with the 32b version, and according to virus total, Windows Defender sees nothing wrong with it either.

can I ask you what is that detection and what causing it ?

Antiviruses are black boxes, I don’t know why one would like something and not like something else.

been using Tor for the last 5 years. never something like this.

This used to be a frequent occurrence in the past, so much so that this support page had to be created.

The usual reason was that some virus would use tor to connect to its c&c server, so antivirus vendors would see that binary (tor.exe) as part of the virus, and therefor flag and delete it. This looks very much like these past occurrences to me, but again AVs are black boxes, short of having a statement from someone at Microsoft, we don’t know why it gets flagged.

1 Like

I believe this is the new POW mining blob :slight_smile: A type of Monero lightweight miner.

It should probably be pointed out that this is sarcasm just in case anybody misses the joke and gets spooked.

No this isn’t sarcasm.

Tor POW is using Equi-X. That is Equihash PoW algorithm using HashX as underlying hash function. HashX is derived from the RandomX hash function used in Monero’s Hashcash PoW algorithm. Tor POW is also being developed by the same user, tevador.

More info:
Bitcoin Forum: Proof of work comes to Tor
Tor Specifications and Proposals: 327-pow-over-intro
Github tevador Equi-X: DoS protection for onion services: from RandomX to Equi-X

Do note that POW was not added until, Tor Browser is using

I have exactly the same problem can someone help me?

OK, then my assumption can’t be correct (yet). :wink:
I’m not very familiar with the Tor browser versions, as a relay operator I usually only have c-tor in view.

As a workaround, you can add Tor’s browser directory into exclusion list of windows defender - (this article explains how to do it).

Then restore deleted tor.exe file manually (you can download it from archive from here).

Works fine for me.

Note that there is no longer any workaround needed, Windows Defender stopped flagging tor.exe


See my immediate solution for the next time it happens: (there will be a next time)

If you are paying for an AV and get into the habit of just ignoring warnings then one day you will get got.

This event has gone to show that some AV’s respond over sensitively so following every detection would also lead to lots of unnecessary removal. Plus the vast majority of Tor enthusiasts are likely to recommend Linux variant operating systems where most of them come with no AV or are incompatible with many AV clients. I’ve seen screenshots from malware control interfaces where the infection even lists what type of AV the user has installed meaning plenty of off the shelf skidware is capable of completely bypassing virus detection and adding backdoors for remote access at later points.

Not even sure I get what this post is actually saying or maybe it was not at all addressed to my post.

Are you saying that most Tor enthusiasts are Linux users or recommend an OS without an AV like Linux. Define enthusiasts.

I checked and from support torproject org “The most used desktop operating systems are Windows, macOS and Linux. Android and iOS are the dominant mobile operating systems”
This can be just a statement of fact only and unrelated to Tor.

From truelist co /blog/tor-stats/ point 14
There were 60000 daily downloads of Tor on average on Windows between March and June 2021 while macOS and Linux had fewer than 20000 per day each for the same period. I imagine today’s stats would be similar. They get this from Tor Metrics whatever that is.

Agreed skidware is capable of bypassing virus detection. They test for the most popular ones.