On September 30th, Microsoft Defender began deleting instances of Tor Browser from users' PCs. The antivirus tool falsely identified Tor Browser as a “Win32/Malgent!MTB” trojan. Microsoft confirms that this was a false-positive and has removed Tor Browser from the latest Defender signature database (version 1.397.1910.0). You may now update Microsoft Defender and reinstall Tor Browser (or restore it from quarantine).
This false-positive occurred during the Tor Browser version 12.5.6 rollout. Microsoft Defender mistook the browser’s automatic update for a trojan, which isn’t totally surprising. Some trojans use onion routing to mask their activity, and tampered versions of the Tor Browser are somewhat common (which is why you should only download the browser through official channels). Oddly, Microsoft Defender did not flag 32-bit versions of the Tor Browser. And, as a moderator on the Tor Project forum explains, tor.exe 12.5.6 is a byte-for-byte duplicate of the previous 64-bit release.
False positives are nothing new for the Tor Browser. It’s regularly flagged as malware by antivirus tools. Still, the Tor Project took its time when evaluating this situation. The Tor Project’s slow response frustrated some users, but it was the right choice. Tor Browser is associated with malicious activity and has been targeted by hackers in the past, so any claims of malfeasance should be taken seriously.
Also, it’s hard to criticize Microsoft Defender for making a mistake. But we hope that Microsoft improves the accuracy of its detection software. False positives could set a poor precedent for inexperienced or impatient users, who may wrongfully assume that Tor Browser is immune to malicious attacks. If you were affected by this situation, I hope that you act with patience in the future, and I suggest that you learn to verify your Tor Browser installation. You may also use VirusTotal to scan future Tor Browser installations.
To reiterate, Tor Browser is excluded from the updated Microsoft Defender signature database (version 1.397.1910.0). You can manually update Microsoft Defender if needed, though it should update automatically within the next 24 hours. Once that’s done, reinstall Tor Browser from the official website or restore Tor Browser from quarantine through your Command Prompt.
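The update-then-restore sequence described above, as an added PowerShell example that is not part of the original article. It assumes an elevated session and the default Defender install path; the function names `Test-DefenderSignatureFixed` and `Restore-FalsePositive` are hypothetical, and the threat name passed to `-ThreatName` must be copied from the quarantine listing.

```powershell
# Added example: run in an elevated PowerShell session on the affected PC.
# Signature version that no longer flags Tor Browser, as given in the article.
$FixedVersion  = [version]'1.397.1910.0'
# Substring of the detection name reported in the article (Win32/Malgent!MTB).
$DetectionHint = 'Malgent'

function Test-DefenderSignatureFixed {
    # True when the installed antivirus signatures are at or above the fixed version.
    $installed = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "Installed signature version: $installed (need $FixedVersion or later)"
    return ($installed -ge $FixedVersion)
}

function Restore-FalsePositive {
    param(
        # Exact threat name as printed by the quarantine listing (operator-supplied).
        [string]$ThreatName
    )
    # Assumption: Defender's command-line tool is in its default location.
    $mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

    # Update first: restoring under the old signatures would only get the
    # files quarantined again on the next scan.
    if (-not (Test-DefenderSignatureFixed)) {
        Update-MpSignature
        if (-not (Test-DefenderSignatureFixed)) {
            throw 'Signatures are still older than the fixed version; not restoring.'
        }
    }

    # Show quarantined entries that match the detection from the article so the
    # operator can confirm they are the Tor Browser files before restoring.
    & $mpCmdRun -Restore -ListAll |
        Select-String -Pattern $DetectionHint -Context 0,3

    if ($ThreatName) {
        # Without -All, this restores the most recently quarantined item
        # carrying that threat name.
        & $mpCmdRun -Restore -Name $ThreatName
    }
}

# First pass: update if needed and list matching quarantine entries only.
Restore-FalsePositive
```

Call `Restore-FalsePositive -ThreatName '<name from the listing>'` once the listing shows only the expected Tor Browser files, then verify the restored installation as the article recommends.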