Microsoft Defender Flags Tor Browser as a Trojan and Removes it from the System

[-] itsgroundhogdayagain@lemmy.ml 296 points 1 year ago

similarly, I've removed Microsoft from my system.

[-] RiQuY@lemm.ee 12 points 1 year ago

That's the real trojan.

load more comments (2 replies)

[+] vzq 201 points 1 year ago* (last edited 1 month ago)

[deleted]

[-] CheezyWeezle@lemmy.world 79 points 1 year ago

Yeah I'm guessing this is a false positive based on heuristic analysis, i.e. the TOR program has a lot of the same behaviors as malicious programs. Of course it is more accurate to say that the malicious programs are copying TOR behavior or just straight using TOR code, whatever the case may be.

My main issue is that it kind of shows a lack of due diligence. I assume the official TOR binaries are signed, so the official TOR binaries should be exempted from these heuristic positives. If the binaries are unsigned/have no valid certificates, then I can totally understand the false positive. At that point, the user should know they are installing software that cannot be automatically verified as being safe, and antivirus should never assume that something is safe otherwise. Like you said, for typical users this should be the expected behavior. Users can always undo Windows Defender actions and add exemptions.

[-] lemmyvore@feddit.nl 7 points 1 year ago

I still don't understand why Windows doesn't use .exe whitelisting instead of bothering with endless blacklists and heuristics and antiviruses.

On any given system there's a handful of legit .exe while out there there's like a billion malware .exe, and more created every minute.

Or at least switch to an explicit "executable" flag like on MacOS and Linux.

[-] DeathsEmbrace@lemmy.world 22 points 1 year ago* (last edited 1 year ago)

Because it makes it the easiest thing to spoof an .exe which enables attacks of which you will never get out of. A legit.exe vs a spoofed legit.exe will be the exact same in every way except the coding in spoofed fucks you.

Edit: you're trading security risk for security risk that makes it easier to hide. Not worth it.

Edit 2: their is nothing 100% secure MD5 and Sha1 are both spoofable. Checksums and anything is capable of being man in the middle. You people act like you just found something that can't be broken. This is the real world the moment you switch most black hatters and white hatters will switch too...

[-] CheezyWeezle@lemmy.world 31 points 1 year ago

I'm not sure that these things work the way you think they do... an antivirus wouldn't just look for the name of an executable to be "legit.exe" but rather would look at what the program calls itself in it's manifest, compute the hash for the executable binary file, and compare that hash against a database of known good hashes. If the contents of the executable compute a hash identical to the known good hash, then you know the contents of the executable are clean.

load more comments (3 replies)

[-] Amir@lemmy.ml 17 points 1 year ago

How is this getting upvoted. This is ridiculous garbage, every exe whitelist would obviously have checksums attached, not just a filename.

[-] xantoxis@lemmy.world 10 points 1 year ago

Please don't reply to comments when you're talking out your ass, that doesn't help anyone. You don't know wtf you're on about, at all.

load more comments (3 replies)

[-] starchturrets@feddit.de 16 points 1 year ago

Windows has both WDAC and Applocker for allowlisting, not just for exes, but stuff such as powershell scripts and what drivers run in the kernel as well.

https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/

In it's strongest form (a signed WDAC policy) even admin access can't easily override it, and a well written policy can even enforce stuff such as downgrade protection (example: only allow firefox.exe signed by Mozilla at or above a certain version) which prevents an attacker from loading older versions of an executable.

The problem is that it's not so easy to use in practice - an installer will often drop loads of unsigned files. Tor Browser ironically enough is a prime example, and any WDAC policies allowing it have to fallback on hash rules, which are fragile and must be regenerated every update, or filepath rules which are not so robust.

Microsoft is trying to make allowlisting more accessible with Smart App Control, which runs WDAC under the hood. It does save the hassle of managing one's own policies (and also blocks certain filetypes like lnks commonly used for malware), but it is not very customizable.

load more comments (3 replies)

[-] Rose@lemmy.world 8 points 1 year ago

It's defensible only from the perspective that it's safer to flag many innocent apps than to miss something harmful. That said, it heavily punishes many legitimate developers and creators, as documented here. I was personally affected on many occasions and there hasn't been a single one where Microsoft wouldn't admit to false-flagging upon a manual review.

[-] TylerDurdenJunior@lemmy.ml 158 points 1 year ago

At this point, Microsoft Windows itself can basically be classified as malware

[-] raspberriesareyummy@lemmy.world 19 points 1 year ago

it is - by everyone with half a brain cell or more. Unfortunately, that's not the majority of users by a long shot.

[-] cyberpunk007@lemmy.world 13 points 1 year ago

Incredible the downvotes you get. It's true. Windows literally spies on you

[-] kumatomic@lemmy.dbzer0.com 7 points 1 year ago

It forces software on your system you don't want and when you try remove it it reinstall itself just like a virus. Windows 11 especially is trash.

load more comments (2 replies)

load more comments (6 replies)

[-] smileyhead@discuss.tchncs.de 14 points 1 year ago

If we define malware as something having functions to harm the user and not only things build soley for this purpose, then of course Windows is malware.

https://www.gnu.org/proprietary/malware-microsoft.html

[-] morriscox@lemmy.world 13 points 1 year ago

When Windows 95 was in beta I would install it and next day it was dead. We finally realized that the BIOS was killing it.

[-] DontRedditMyLemmy@lemmy.world 11 points 1 year ago

Wat?

[-] jcg@halubilo.social 10 points 1 year ago

95 is kill

load more comments (1 replies)

[-] BubblyMango@lemmy.wtf 87 points 1 year ago

Dude ms defender used to delete my "Hello World" executables built using visual studio just because they were made by an unknown publisher.

[-] InfiniteStruggle@sh.itjust.works 23 points 1 year ago

Well maybe you should have become a known publisher before writing any programs.

/s

[-] brsrklf@jlai.lu 6 points 1 year ago

It flagged your program for being dissident propaganda.

load more comments (2 replies)

[-] Pxtl@lemmy.ca 70 points 1 year ago

I've run into antiviruses blocking code I've written just because I pulled in certain cryptographic libs. Literally pulling in some Microsoft cryptography libraries in c# made it think I was writing a crypto locker.

[-] aidan@lemmy.world 22 points 1 year ago

Imo, compared to how prevalent viruses were on older versions of windows, this type paranoia seems to be working

load more comments (1 replies)

[-] EmhyrVarEmreis@lemm.ee 69 points 1 year ago* (last edited 8 months ago)

[removed by mod]

[-] lckdscl@whiskers.bim.boats 55 points 1 year ago

If you have to use Tor you shouldn't be using Windows.

[-] nous@programming.dev 128 points 1 year ago

This is a bad response to this news. There are many reasons why you might want to run tor on Windows and gatekeeping people out of tor because they are not on a chosen OS is a terribly way to get more people into thinking about privacy and security practices. Yes if you have the highest threat model you might want to avoid Windows as well, but not everyone needs absolute privacy/security for what they do. But why should you not have access to a tool that can help improve things even if you are not able to switch everything to a more private/secure alternative?

Really you should want everyone and anyone to run on tor, even if they don't need it, even if they are on windows. The more people using it the more secure it is for those that do require it.

[-] lckdscl@whiskers.bim.boats 32 points 1 year ago

Yeah I agree. To be clear, if you take the reverse of my statement, i.e. if you're on Windows, you shouldn't use Tor, then I would be gatekeeping.

But I'm not implying that, but rather the reverse. I'm saying if you have use Tor for whatever reasons to bypass censorship, do illegal stuff and avoid being tracked, you should at least be aware that at the kernel level, how you're accessing the internet has already been compromised by Microsoft, and consider alternatives OSes

Of course I'd still want people running Windows to be able to use Tor, and also I'd say leaving Windows isn't something you would only do at the "highest threat model".

Privacy will almost always be a trade-off with convenience, I'm pushing the awareness to get people to act, should they choose to. That's all.

[-] nous@programming.dev 13 points 1 year ago

You might not have intended to imply that, but your original words can be taken in many different ways. Such as a dismissive well this news does not matter because you should not be using TOR if you are on windows. You did not say that exactly, but either interpenetration needs some reading between the lines as you did not really say all that much. So it could be taken that way just as much as the way you actually intended. And on the internet if things can be interpreted multiple ways they will be.

[-] TheYear2525@lemmy.world 21 points 1 year ago* (last edited 1 year ago)

Taking “If P then not Q” as equivalent to “If not Q then not P” is just straight up broken thinking. We shouldn’t have to preface each comment with a primer on the basics of how to think.

load more comments (8 replies)

[-] Jaysyn@kbin.social 5 points 1 year ago

Let's not blame the victims of Microsoft's fuckery here.

load more comments (2 replies)

load more comments (9 replies)

[-] yoz@aussie.zone 51 points 1 year ago

Fucking microsoft doing microsoft things.

[-] M500@lemmy.ml 10 points 1 year ago

It blows my mind that Windows can be and is so incompetent. If they did not hold the level of market share that they do, that would be out of business.

People are literally locked in because the software is not made for Linux. But Linux keeps marching and getting better.

We have the games, now all we need are a few professional applications and then Windows can easily be replaced.

load more comments (4 replies)

[+] HafizMuhammad@mastodon.social 39 points 1 year ago* (last edited 1 year ago)

[deleted]

[-] arc@lemm.ee 9 points 1 year ago

It’s better to use Whonix or Tails if you want to use TOR browser securely. If I ever had to use Windows again it would not be for anything private.

I'm certain there are people who use Tor in a way that it would make sense to use a secure OS.

But I use Tor to get around stupid public wifis and suchlike that have content blockers. I'm not scared that the police are going to beat the shit out of me so I just use Windows or Android.

[-] brakebreaker101@lemmy.world 6 points 1 year ago

Found the white guy!

load more comments (2 replies)

[-] Omega_Haxors@lemmy.ml 35 points 1 year ago* (last edited 1 year ago)

A little context, one of the larger exit nodes was compromised and would send malware to your computer. The behavior shield probably caught this and correctly marked the program as a trojan, since, by definition, that's literally what it was acting as when connected to that node. More advanced AVs (like malwarebytes) will instead block the malicious connection rather than blanket-banning the entire program.

load more comments (1 replies)

[-] possiblylinux127@lemmy.zip 29 points 1 year ago* (last edited 1 year ago)

Experts believe that the false malware alert is due to the new heuristic detection method used in Microsoft Defender

Fortune tellers are not a replacement for good security!

Any don't use windows for anything private or personal as its under the control of Microsoft. You are just giving it suggestions

[+] histy@lemmy.world 26 points 1 year ago* (last edited 1 year ago)

[deleted]

[-] TheBat@lemmy.world 23 points 1 year ago

This only happens in the latest version btw.

You can still download previous version and replace tor.exe and it works.

load more comments (3 replies)

[-] bandwidthcrisis@lemmy.world 22 points 1 year ago

Windows Defender sucks compared to the original Williams version.

[-] LeeNeighoff@lemmy.world 13 points 1 year ago

Hot take, I see no issue with this. If you're savvy enough to know about Tor and its purpose, you're also savvy enough to know how to add a security exclusion in Defender. People who don't know how to whitelist a program in Defender probably did not install Tor themselves and won't be safe using a program with the capability to access the dark web.

It's extra frustration for those trying to legitimately use Tor, but it's also a safety check in the case of an unintended install.

load more comments (1 replies)

[-] shym3q@programming.dev 11 points 1 year ago

It's funny that recently NetworkChuck uploaded video about darkweb where he installed tor on windows and now apparently many folks did the same.

[-] EndlessApollo@lemmy.world 6 points 1 year ago

Oh no, how will I get my hands on hitmen and cp now?!

[-] Darkenfolk@dormi.zone 7 points 1 year ago

Raid shado- I mean, Nordvpn. Protect your self online, call now to meet lonely VPN providers in your neighborhood looking to protect your data all day all night long.

Technology

Our Rules

Approved Bots