On Mon, Jan 5, 2015 at 2:30 AM, eliaz eliaz@riseup.net wrote:
> The antivirus program on a machine running a bridge occasionally reports like so:
> Object: https://<some IP address> Infection: URL:Mal [sic] Process: ... \tor.exe
> When I track down the addresses I find they are tor nodes (sometimes bridges, sometimes guards, sometimes exits).
> Are the flagged nodes in some ways misconfigured, or can I consider these to be false positives? Is there anything to worry about here?
> Detail: The tor and standalone vidalia folders have been flagged as exceptions (i.e. excluded) in the virus scanner. The scanner's web module is picking up the IP addresses from the port traffic.
> Thanks for any enlightenment - eliaz
Since the internet is known to be an infected wasteland, and exits are known to MITM your streams, I'd suggest either compartmentalizing all your surfing in a disposable VM (which should probably be done anyways), or excluding web traffic from your scanner.
Additionally, if you are able to isolate and confirm that a specific exit is MITM'ing you (vs the "malware/virus" being on the original clearnet site itself) feel free to post its fingerprint here so that the workers can double check and dirauths can give it the bad exit flag.
Unfortunately Tor doesn't have a simple logging format that you can watch in real time alongside your scanner. I'm finishing a spec ticket for that soon though.
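The triage eliaz describes (take the IP the scanner flagged, find out whether it is a Tor relay and which role it has) can be automated against a cached copy of the network-status consensus. The following is an added example, not code from this thread or from the Tor project: it parses the `r`/`s` lines of the consensus format, extracts the IPs from alert lines shaped like the one quoted above, and labels each one. The alert lines, the two-relay consensus excerpt, and the IPs (documentation ranges) are all constructed for the example; in practice you would point it at the `cached-microdesc-consensus` or `cached-consensus` file in your Tor data directory. Bridges are deliberately absent from the public consensus, so an IP that does not match may be a bridge, or simply a non-Tor host.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed antivirus alert lines in the shape quoted in the thread (fake IPs).
AV_ALERTS = """\
Object: https://203.0.113.10 Infection: URL:Mal Process: C:\\Tor Browser\\tor.exe
Object: https://198.51.100.7 Infection: URL:Mal Process: C:\\Tor Browser\\tor.exe
Object: https://192.0.2.200 Infection: URL:Mal Process: C:\\Tor Browser\\tor.exe
"""

# Constructed excerpt of a network-status consensus. The real file has an "r"
# line per relay (nickname, identity, digest, date, time, IP, ORPort, DirPort)
# followed by an "s" line carrying its flags; identity/digest values are fake.
CONSENSUS = """\
r ExampleGuard AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBA 2015-01-05 00:00:00 203.0.113.10 9001 0
s Fast Guard Running Stable Valid
r ExampleExit CCCCCCCCCCCCCCCCCCCCCCCCCCA DDDDDDDDDDDDDDDDDDDDDDDDDDA 2015-01-05 00:00:00 198.51.100.7 443 80
s Exit Fast Running Stable Valid
"""

IP_IN_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Relay:
    nickname: str
    fingerprint: str          # hex identity digest, the form a relay is usually reported by
    ip: str
    flags: Set[str] = field(default_factory=set)


def parse_consensus(text: str) -> Dict[str, Relay]:
    """Index relays by IP address from the 'r' and 's' lines of a consensus."""
    relays: Dict[str, Relay] = {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 7:
            # The identity is unpadded base64 of the 20-byte key digest;
            # restore padding, then render it as the 40-hex-char fingerprint.
            ident = parts[2]
            ident += "=" * (-len(ident) % 4)
            fp = base64.b64decode(ident).hex().upper()
            current = Relay(nickname=parts[1], fingerprint=fp, ip=parts[6])
            relays[current.ip] = current
        elif parts[0] == "s" and current is not None:
            current.flags.update(parts[1:])
    return relays


def extract_alert_ips(alert_text: str) -> List[str]:
    """Pull the IP out of each 'Object: https://<ip>' alert line."""
    return [m.group(1) for m in IP_IN_URL.finditer(alert_text)]


def role_of(relay: Relay) -> str:
    if "Exit" in relay.flags:
        return "exit"
    if "Guard" in relay.flags:
        return "guard"
    return "middle"


def triage_alerts(alert_text: str, consensus_text: str) -> List[dict]:
    """Label each flagged IP as a consensus relay (with role) or unknown."""
    relays = parse_consensus(consensus_text)
    rows = []
    for ip in extract_alert_ips(alert_text):
        relay = relays.get(ip)
        if relay is None:
            # Not in the public consensus: a bridge (never listed) or not Tor at all.
            rows.append({"ip": ip, "role": "unknown", "nickname": None, "fingerprint": None})
        else:
            rows.append({"ip": ip, "role": role_of(relay),
                         "nickname": relay.nickname, "fingerprint": relay.fingerprint})
    return rows


if __name__ == "__main__":
    for row in triage_alerts(AV_ALERTS, CONSENSUS):
        print(row)
```

An alert whose IP resolves to a guard or middle relay is the scanner's web module seeing tor.exe's own encrypted hop, not a web page you visited, which is the kind of hit that is safe to treat as noise. A hit on an exit is the one worth a second look, since that is the hop that can tamper with plaintext streams; the fingerprint column is what you would quote if you ever needed to report one, as the reply above suggests.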