Microsoft Defender 'finally' stops flagging Tor Browser as malware

Just because you're paranoid…


We're sure you'll be pleased to know Microsoft Defender has stopped mistakenly breaking the latest version of Tor Browser. The antivirus tool had flagged and quarantined the application's core tor.exe program as a trojan, causing the software to stop working as desired.

This is according to the Tor Project's developers and users. A spokesperson for the Windows giant earlier told The Register: "Microsoft is currently looking into the matter."

The Tor Browser is an open source Firefox-based web browser that uses the Tor network to anonymously visit websites. The application's tor.exe program does the job of routing the browser's connections through Tor network nodes to hide the true public IP address of the user.

Over the weekend, Defender – Microsoft's antivirus tool built into Windows – began reporting the browser's tor.exe as "Win32/Malgent!MTB" malware when users tried to open the just-released Tor Browser version 12.5.6. Defender would try to remove the executable, having decided it was a security threat, which would stop the browser from running as intended.

The Tor Project on Sunday said it "finally" received a reply from Redmond regarding the snafu. 

Microsoft, according to a project forum moderator, said it had updated Defender's definitions to now play nice with tor.exe after deciding "the submitted files do not meet our criteria for malware or potentially unwanted applications." The IT giant provided steps that Windows and Tor Browser users can take to refresh Defender, and ensure they can continue browsing in private.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
  3. Run "MpCmdRun.exe -SignatureUpdate"
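The three steps above as one elevated PowerShell script. This is an added example, not code from the article, Microsoft or the Tor Project; it assumes the default Windows Defender install path and the built-in Defender cmdlets, and adds a before/after check of the definition version plus a look at whether tor.exe is still sitting in quarantine.

```powershell
# Added example (not from the article, Microsoft or the Tor Project): runs the
# refresh steps, confirms the definition version changed, and reports whether
# tor.exe is still quarantined. Assumes the default Defender install path and
# the Defender PowerShell module that ships with Windows 10/11.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (administrator) PowerShell session."
}

# Step 1: locate MpCmdRun.exe instead of relying on the current directory.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }

# Record the current definition version so the update can be verified afterwards.
$before = Get-MpComputerStatus
Write-Host "Signature version before: $($before.AntivirusSignatureVersion) ($($before.AntivirusSignatureLastUpdated))"

# Step 2: drop the dynamic (cloud-delivered) signatures that carried the bad verdict.
& $mpCmdRun -RemoveDefinitions -DynamicSignatures
if ($LASTEXITCODE -ne 0) { throw "RemoveDefinitions failed with exit code $LASTEXITCODE" }

# Step 3: pull fresh definitions from Microsoft.
& $mpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) { throw "SignatureUpdate failed with exit code $LASTEXITCODE" }

$after = Get-MpComputerStatus
Write-Host "Signature version after:  $($after.AntivirusSignatureVersion) ($($after.AntivirusSignatureLastUpdated))"
if ($after.AntivirusSignatureVersion -eq $before.AntivirusSignatureVersion) {
    Write-Warning "Signature version did not change; the update may not have been applied yet."
}

# Show whether tor.exe is still quarantined. Restore it only once the refreshed
# definitions no longer flag it (MpCmdRun.exe -Restore -Name <name> does the restore).
$quarantined = & $mpCmdRun -Restore -ListAll
$torEntries  = $quarantined | Select-String -Pattern 'tor\.exe'
if ($torEntries) {
    Write-Host "Quarantine still lists tor.exe:"
    $torEntries | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No tor.exe entries remain in quarantine."
}
```

If the version does not change, Defender may simply not have published newer definitions yet; rerun the script later rather than restoring the quarantined file on the old verdict.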

The Tor Project encouraged users to make sure Defender is up to date, and unquarantine the .exe or reinstall Tor Browser.

We still don't know why Defender was flagging the executable in the first place. Some on Reddit have speculated it has to do with Tor's proof-of-work (PoW) code – a recently added feature intended to fend off distributed denial of service attacks that might look like cryptocurrency-mining to Defender – or that it was a generic heuristic detection gone wrong.

Heuristic analysis, one of the methods Defender uses for threat detection, compares code against previously known malware samples to flag questionable code, and it can lead to false positives.

This, of course, isn't the first time Defender has labeled benign stuff as malicious. In March, Microsoft's antivirus was flagging URLs including those of Zoom and Google as potentially dangerous, causing headaches for anyone who didn't belong to a strictly Office 365 organization.

To be fair, if tor.exe was actually a trojan, this wouldn't have been the first time criminals had disguised malware as legit Tor Project software.

In fact, clipboard-injector malware spoofing Tor Browser installers has been used to steal about $400,000 in cryptocurrency this year alone, Kaspersky said in March.

These attacks hit some 16,000 users across 52 countries – although the majority of the victims were in Russia. ®
