Microsoft Defender Stops Incorrectly Identifying Tor Browser as Malware

Image: Matthew Manuel (unsplash)

Recent releases of Tor Browser, in particular the newly updated tor.exe file, had been mistakenly identified as potential threats by Windows Defender.

Users received warnings of a potential trojan, which sparked concern in the community, but the detections were false positives.

The Tor Browser team raised the issue with Microsoft and received a conclusive response.

Microsoft confirmed that after reviewing the submitted files, they concluded that the files didn’t meet their criteria of malware or undesirable applications. As a result, the detection was removed.

For any users still encountering this false positive, Microsoft has provided steps to clear the previous detections and update the definitions:

  1. Open a command prompt with administrative rights.
  2. Navigate to c:\Program Files\Windows Defender.
  3. Execute the command “MpCmdRun.exe -removedefinitions -dynamicsignatures”.
  4. Continue with “MpCmdRun.exe -SignatureUpdate”.

For users who opt for manual updates, Microsoft has made the newest definitions accessible.

Similar alerts appeared on VirusTotal, which scans files with engines from third-party security providers.

Some pointed out that an initial verification could have avoided the confusion, voicing disappointment that this routine safety step seemed to be missed.

One dismayed user shared their worries about the public release lacking a prior examination. They stressed the importance of associating every release with a VirusTotal review, ensuring the software is safe from any virus detection alerts, particularly during its release.

Addressing the feedback, a Tor representative brought attention to some key details.

The tor.exe file from TorBrowser 12.5.6 isn’t a recent introduction. In fact, it’s identical to the file present in the 12.5.5 version. It’s intriguing to note that there were no reported issues when the previous version was released. Those who found an alternative solution by procuring 12.5.5 possibly acquired the 32-bit version, inadvertently bypassing the issue. Currently, Tor does not follow a standard process of submitting files to VirusTotal pre-release.

With the updated signature database (version 1.397.1910.0), Windows Defender no longer identifies tor.exe as a trojan.

For those who’ve experienced issues with their Tor Browser, the following steps are suggested:

  1. Ensure Windows Defender is current.
  2. Retrieve tor.exe from quarantine or,
  3. Download the TorBrowser again from the official Tor Project site.

Lastly, users are advised to always authenticate the signature before any installation.
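
The update and clean-up steps above can be run as one check. The script below is an added example, not code from Microsoft or the Tor Project: it compares the installed definition version with 1.397.1910.0, refreshes the definitions only if they are older, and then lists any recorded detections and quarantined items that involve tor.exe. It assumes Defender is the active antivirus and is installed at the path given in the steps above.

```powershell
#Requires -RunAsAdministrator
# Added example: verify the false-positive fix is installed and review leftovers.

$FixedVersion = [version]'1.397.1910.0'   # definition version named in the article
$MpCmdRun     = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Get-DefinitionVersion {
    # AntivirusSignatureVersion is a string such as "1.397.1910.0"
    [version](Get-MpComputerStatus).AntivirusSignatureVersion
}

$current = Get-DefinitionVersion
Write-Host "Installed definitions: $current (fix shipped in $FixedVersion)"

if ($current -lt $FixedVersion) {
    if (-not (Test-Path $MpCmdRun)) { throw "MpCmdRun.exe not found at $MpCmdRun" }

    # Same two commands as the manual procedure
    & $MpCmdRun -RemoveDefinitions -DynamicSignatures
    & $MpCmdRun -SignatureUpdate
    if ($LASTEXITCODE -ne 0) { throw "Signature update failed (exit code $LASTEXITCODE)" }

    $current = Get-DefinitionVersion
    if ($current -lt $FixedVersion) {
        throw "Definitions are still at $current; install the update manually."
    }
    Write-Host "Definitions updated to $current"
}

# Detections logged before the update remain in Defender's history.
# Show the ones whose resource path ends in \tor.exe so they can be reviewed.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match '\\tor\.exe\b' } |
    ForEach-Object {
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            ThreatName = (Get-MpThreat -ThreatID $_.ThreatID).ThreatName
            Resources  = $_.Resources -join '; '
        }
    } | Format-List

# List quarantined items; nothing is restored automatically.
& $MpCmdRun -Restore -ListAll
```

The script only reports quarantined items; whether to restore tor.exe or download the browser again is left to the user, as in the list above.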