TorBrowser 12.5.6 no longer flagged by Windows Defender

If you are a Windows user and a TorBrowser user, you are probably already aware that the latest version of TorBrowser, or more specifically the tor.exe it contains, was flagged as a trojan by Windows Defender.

We finally received a reply from Microsoft:

At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
  3. Run “MpCmdRun.exe -SignatureUpdate”

Alternatively, the latest definition is available for download here: Microsoft Defender Antivirus security intelligence and product updates | Microsoft Learn

Thank you for contacting Microsoft.

With the latest signature database (1.397.1910.0), tor.exe is no longer considered a trojan by Windows Defender. If your TorBrowser stopped working during this weekend, make sure your Windows Defender is up to date, and either unquarantine tor.exe, or reinstall TorBrowser by downloading it from Tor Project website, and remember to check the signature!

13 Likes

Now Google started to assume it is malware:

Update 12:18 UTC - 2nd of October - not detected by Google anymore

1 Like

While this is good news, I’m more concerned that it was even possible to make a release to the general public without first running a VirusTotal.com check. This meant that for an entire weekend users were left in uncertainty. I think that from now on ALL releases should be accompanied by a VirusTotal check, so that anyone downloading the software can see for themselves if any virus checker flags it (at least at the time of its release).

1 Like

The fun thing is that the files were not flagged by VirusTotal at the time of the release. In fact, the tor.exe that was flagged in TorBrowser 12.5.6 is the exact same file, to the byte, as the one in 12.5.5, and nobody reported any issue when that release came out. (A few people mentioned downloading 12.5.5 as a workaround, but they were actually downloading the 32-bit version, so it worked for them by accident.)

That said, it’s not currently procedure to upload files to VirusTotal, and while it wouldn’t have helped with this specific incident, it’s still a good idea to do it. Ticket tor-browser-build#28175 tracks that; it was dormant for quite a while given there hasn’t been that kind of incident for some time, but I would expect some people to work on it in the future.

7 Likes

See my immediate solution to this AV problem (for the next time)

I am running Windows 11, and Tor Browser 12.5.6 stopped working for me around September 30.

I have never had Windows Defender enabled, so nothing popped up as flagging the above issue on my end, though I did try your workaround (in CMD), to no avail.

Should I be patient for 12.5.7 to fix the issue?

Can you check if there is a file named “tor.exe” inside <install path>\Browser\TorBrowser\Tor\? If it isn’t there, it means Windows Defender quarantined it. The commands provided by Microsoft only update the signature database, but don’t cancel any actions Windows Defender already took. You have to either unquarantine the file manually, or reinstall TorBrowser.
You won’t be able to receive an auto-update if your TorBrowser doesn’t currently work. If you wait for a new release, you’ll have to install it by yourself.

1 Like
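The checks described in the first post (clear stale definitions, confirm the signature version) and in the reply above (verify tor.exe is still on disk, since a signature update does not undo a quarantine) can be run together from an elevated PowerShell. This is an added example, not code from the Tor Project or from anyone in this thread; it assumes the default Tor Browser install location on the Desktop and uses the built-in Defender cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example: post-false-positive health check for Tor Browser on Windows.
# Assumption: Tor Browser was installed to the default location on the Desktop.
$TorBrowserRoot = Join-Path $env:USERPROFILE 'Desktop\Tor Browser'
$TorExe = Join-Path $TorBrowserRoot 'Browser\TorBrowser\Tor\tor.exe'
# Signature version cited in the thread as no longer flagging tor.exe.
$FixedSignatureVersion = [version]'1.397.1910.0'
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# 1. Signature database: the stale definition is what produced the detection,
#    so make sure the installed one is at least the version that removed it.
$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($current -lt $FixedSignatureVersion) {
    Write-Host "Signatures $current are older than $FixedSignatureVersion; refreshing..."
    & $MpCmdRun -removedefinitions -dynamicsignatures   # same steps Microsoft gave
    & $MpCmdRun -SignatureUpdate
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}
Write-Host "Defender signature version: $current"

# 2. Detection history: did Defender act on tor.exe at any point?
#    Updating signatures never reverses an action that was already taken.
$hits = Get-MpThreatDetection | Where-Object { $_.Resources -match 'tor\.exe' }
foreach ($h in $hits) {
    $threat = Get-MpThreat | Where-Object { $_.ThreatID -eq $h.ThreatID }
    Write-Host ("Detection at {0}: {1} (ThreatID {2}), action succeeded: {3}" -f
        $h.InitialDetectionTime, $threat.ThreatName, $h.ThreatID, $h.ActionSuccess)
}

# 3. Is the binary still there? If not, the only fixes are restoring it from
#    quarantine or reinstalling Tor Browser and verifying the download signature.
if (Test-Path $TorExe) {
    Write-Host "tor.exe present at $TorExe"
} else {
    Write-Host "tor.exe is missing from $TorExe"
    Write-Host "Quarantined items (restore one with: MpCmdRun.exe -Restore -Name <name>):"
    & $MpCmdRun -Restore -ListAll
    Write-Host "Otherwise reinstall Tor Browser from torproject.org and check its signature."
}
```

If the install path differs, change $TorBrowserRoot; the rest of the script does not depend on it.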

Interesting! No, it was not there, and replacing it works now.

I have disabled Windows Defender but clearly it’s still causing its chaos.

You don’t need to disable it now, but the harm it has done during the past weekend isn’t going away on its own sadly :cry:

No no, sorry, I mean Defender has been disabled on my system for years, though clearly it’s still causing issues.

I can only imagine it’s because it’s so deeply embedded into Windows that it’s hard to ever fully disable.

For example, the Defender UI says it’s disabled, GPE says it’s disabled and I received no notification that it was messing with Tor Browser - but clearly it was!

Windows users are always in uncertainty. :wink: :sweat_smile:
The whole OS is a monitoring system. There is also a constant risk of trojans and spyware.
Anyone who lives in oppressive states and has to fear penalties should use privacy tools such as Tor or I2P on secure systems.

1 Like