[tor-relays] IP addresses as false positives?

Kura kura at kura.io
Mon Jan 5 08:33:56 UTC 2015

Some thing to take in to account as well is that some AVs are known to flag Tor as a virus, I would say that maybe it's a possibility that traffic gets flagged as such too? I've never used an antivirus, let alone one that does traffic inspection so obviously this is conjecture on my part.

As an example, when I helped a friend set-up Tor Browser on his Windows machine, AVG reported that tor.exe was a possible virus and removed it, this also happened when we tested the Tor Vidalia bundle. This was simply a filesystem check though, rather than packet/traffic inspection. It was also very recent, within the last week.


t: @kuramanga [https://twitter.com/kuramanga]
w: https://kura.io/ [https://kura.io/]
g: @kura [http://git.io/kura]
On 05/01/2015 08:25:11, grarpamp <grarpamp at gmail.com> wrote:
On Mon, Jan 5, 2015 at 2:30 AM, eliaz wrote:
> The antivirus program on a machine running a bridge occasionally
> reports like so:
> Object: https://
> Infection: URL:Mal [sic]
> Process: ... \tor.exe
> When I track down the addresses I find they are tor nodes (sometimes
> bridges, sometimes guards, sometimes exits.
> Are the flagged nodes in some ways miss-configured, or can I consider
> these to be false positives? Is there anything to worry about here?
> Detail: The tor and standalone vidalia folders have been flagged as
> exceptions (i.e. excluded) in the virus scanner. The scanner's web
> module is picking up the IP addresses from the port traffic.
> Thanks for any enlightenment - eliaz

Since the internet is known to be an infected wasteland,
and exits are known to MITM your streams, I'd suggest
either compartmentalizing all your surfing in a disposable
VM (which should probably be done anyways), or excluding
web traffic from your scanner.

Additionally, if you are able to isolate and confirm that
a specific exit is MITM'ing you (vs the "malware/virus" being
on the original clearnet site itself) feel free to post its fingerprint
here so that the workers can double check and dirauths can
give it the bad exit flag.

Unfortunately Tor doesn't have simple logging format
that you can watch in real time alongside your scanner.
I'm finishing a spec ticket for that soon though.
tor-relays mailing list
tor-relays at lists.torproject.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20150105/ffaa064c/attachment.html>

More information about the tor-relays mailing list