Tor.exe: Microsoft Defender triggers a "Trojan:Win32/Malgent!MTB" alert

A few hours ago, the Tor Browser received a security update that closed a vulnerability. Now Microsoft Defender, in the form of Windows Security, triggers an alert when the Tor Browser is launched and quarantines the file tor.exe. It warns about a "Trojan:Win32/Malgent!MTB".

Patrick alerted me to this via email (thanks for that) and wrote that "tor.exe" (Tor Browser) is being detected by Microsoft's Windows Security today, 2023-09-30, as "Trojan:Win32/Malgent!MTB". He is using the following version:

Tor Browser 12.5.5
File: tor.exe (7,804,416 bytes)
SHA256: 3807d96998a15aed25ec9a95c3183385c6c73f6dde811ef2452c30f5f7df2810

Defender alert for tor

I immediately checked my Tor installation on a German Windows 10 and indeed got an alert via Toast notification (see above) and in Windows Security the following display.

tor.exe: Defender warns about "Trojan:Win32/Malgent!MTB"

Patrick then uploaded the file to VirusTotal and writes that currently 3 virus scanners detect a Trojan. When I called up the VirusTotal page in question, four scanners were already flagging it.

tor.exe: at virustotal

The Windows Defender signature versions at the time of the scans were 1.397.1801.0 and 1.397.1814.0 (2023-09-30 06:13).

Patrick then downloaded the package again from the archive at www.torproject.org and also verified the PGP signatures. The file "tor.exe" has the same SHA256 checksum, and with the updated virus signatures Windows 10 still reports the alert, rated as "severe". The VirusTotal analysis page for the uploaded tor.exe file kept updating throughout the day, Patrick writes.
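A quick way to reproduce the checks described above on your own machine, as an added example that is neither from the blog post nor from the Tor project: compare the local tor.exe hash with the one Patrick reported, read the current Defender signature version, and list any Defender detections that reference tor.exe. The install path and the cmdlet property names are assumptions (standard Defender module cmdlets on Windows 10/11).

```powershell
# Added triage script (not from the blog post). Assumes the default Tor Browser
# folder layout below; adjust $TorExe if you installed elsewhere.
$TorExe = "$env:USERPROFILE\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe"  # assumed path
# SHA256 reported in the post for tor.exe from Tor Browser 12.5.5
$ReportedSha256 = "3807d96998a15aed25ec9a95c3183385c6c73f6dde811ef2452c30f5f7df2810"

function Test-TorExeHash {
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Defender moves the file to quarantine, so a missing file is itself a hint.
        return [pscustomobject]@{ Present = $false; Sha256 = $null; MatchesReported = $false }
    }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    [pscustomobject]@{
        Present         = $true
        Sha256          = $hash
        MatchesReported = ($hash -eq $Expected.ToLowerInvariant())
    }
}

function Get-DefenderTorDetections {
    # Signature version and update time of the engine that raised the alert,
    # so the result can be compared with the versions mentioned in the post.
    $status = Get-MpComputerStatus
    Write-Host ("Signature version: {0} (updated {1})" -f `
        $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)

    # Join detection records with threat metadata to obtain the threat name
    # (e.g. Trojan:Win32/Malgent!MTB); keep only detections that touch tor.exe.
    $threatNames = @{}
    Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }
    Get-MpThreatDetection |
        Where-Object { ($_.Resources -join ';') -match 'tor\.exe' } |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.InitialDetectionTime
                ThreatName = $threatNames[$_.ThreatID]
                Resource   = ($_.Resources -join '; ')
                Process    = $_.ProcessName
            }
        }
}

Test-TorExeHash -Path $TorExe -Expected $ReportedSha256 | Format-List
Get-DefenderTorDetections | Format-Table -AutoSize
```

If the local hash matches the reported one and the Tor project's PGP signature verifies, the detection applies to the genuine binary, which supports the false-positive suspicion; a mismatch means a different file is on disk and the alert should not be dismissed.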

Blog reader Stefan also just got in touch by mail and writes:

Hello Günter,

just updated Tor Browser and Windows Defender detects Tor.exe as a trojan and quarantines it. I suspect a false positive.

He also gave me a link to reddit.com, where a user comment on the topic can be found. Other users confirm this observation. This means that many people currently cannot run the Tor Bundle, or have to define an exception if it is a false positive.

There is a second reddit.com post on the subject in which someone wrote that re-downloading and reinstalling the Tor bundle stopped the false alarm for them. My attempt to reinstall from an old Tor installer did work, and Tor started again. However, after the auto-update, Defender triggered the alert again and moved tor.exe to quarantine. For now I will pause Tor until the issue is resolved.


10 Responses to Tor.exe: Microsoft Defender triggers a "Trojan:Win32/Malgent!MTB" alert

  1. David says:

    It seems this may be caused by Tor's introduction of proof-of-work as a deterrent for DOS attacks: Introducing Proof-of-Work Defense for Onion Services
    See reddit.com: Detected Trojan:Win32/Malgent!MTB by Windows defender. What should I do?

    • guenni says:

      It seems that a new Defender definition file solved the issue.

      • Luís says:

        Updated Windows security 2023-10-01 11:14 to Security intelligence version: 1.397.1873.0 on Windows 11

        Tor:12.5.6 (based on Mozilla Firefox 102.15.1esr) (64-bit)
        Scanned Tor folder: No current threats.

        And the alert is gone.

  2. Hans says:

    Was using Tor daily in the last week with this new PoW service built on obfs4 bridge without issues. But as of today with the latest build update something triggered a malware alert only when streaming an odd embedded video on a common website. I wonder if this Tor PoW detects streaming now as a potential DDOS attack and activates.

    • John Smith says:

      TOR does not work now. Even a reinstall did not work. MS Defender has flagged a Trojan. Not sure what is happening. But no TOR for two days.

  3. George says:

    Happened to me as well

  4. HRDrake says:

    Microsoft…*rolls eyes**
    Obviously false positive…defined an exception..moved on….nothing to see here ;)

  5. Robert M Reingold says:

    Just loaded Alpha Release from Tor website.
    When asked, installed into existing directory.
    No more Defender alerts.
    Appears to be working fine.
    After a few days will go back to standard release and see if issue has been resolved.

  6. Calvin says:

    Don't know if anything has been done, but I went into Defender and added the TOR download file.
    ONLY AFTER doing that I was able to open the file and reinstall TOR.
