[tor-relays] IP addresses as false positives?

grarpamp grarpamp at gmail.com
Mon Jan 5 08:24:49 UTC 2015

On Mon, Jan 5, 2015 at 2:30 AM, eliaz <eliaz at riseup.net> wrote:
> The antivirus program on a machine running a bridge occasionally
> reports like so:
>         Object: https://<some IP address>
>         Infection: URL:Mal [sic]
>         Process: ... \tor.exe
> When I track down the addresses I find they are tor nodes (sometimes
> bridges, sometimes guards, sometimes exits.
> Are the flagged nodes in some ways miss-configured, or can I consider
> these to be false positives? Is there anything to worry about here?
> Detail: The tor and standalone vidalia folders have been flagged as
> exceptions (i.e. excluded) in the virus scanner. The scanner's web
> module is picking up the IP addresses from the port traffic.
> Thanks for any enlightenment - eliaz

Since the internet is known to be an infected wasteland,
and exits are known to MITM your streams, I'd suggest
either compartmentalizing all your surfing in a disposable
VM (which should probably be done anyways), or excluding
web traffic from your scanner.

Additionally, if you are able to isolate and confirm that
a specific exit is MITM'ing you (vs the "malware/virus" being
on the original clearnet site itself) feel free to post its fingerprint
here so that the workers can double check and dirauths can
give it the bad exit flag.

Unfortunately Tor doesn't have simple logging format
that you can watch in real time alongside your scanner.
I'm finishing a spec ticket for that soon though.

More information about the tor-relays mailing list