[tor-relays] IP addresses as false positives?

eliaz eliaz at riseup.net
Mon Jan 5 15:36:15 UTC 2015


grarpamp:
> On Mon, Jan 5, 2015 at 2:30 AM, eliaz <eliaz at riseup.net> wrote:
>> The antivirus program on a machine running a bridge occasionally
>> reports like so:
>>
>>         Object: https://<some IP address>
>>         Infection: URL:Mal [sic]
>>         Process: ... \tor.exe
>>
>> When I track down the addresses I find they are tor nodes (sometimes
>> bridges, sometimes guards, sometimes exits).
>>
>> Are the flagged nodes in some ways misconfigured, or can I consider
>> these to be false positives? Is there anything to worry about here?
>>
>> Detail: The tor and standalone vidalia folders have been flagged as
>> exceptions (i.e. excluded) in the virus scanner. The scanner's web
>> module is picking up the IP addresses from the port traffic.
>>
>> Thanks for any enlightenment - eliaz
> 
> Since the internet is known to be an infected wasteland,
> and exits are known to MITM your streams,

Do you mean my streams in particular or all streams?

> I'd suggest
> either compartmentalizing all your surfing in a disposable
> VM (which should probably be done anyways), or excluding
> web traffic from your scanner.

I run in a dedicated low-power box on my LAN, to save electricity. Is
that as good as a VM?

I've got VMs on the other machine, which is a power hog & not run
continuously.

> Additionally, if you are able to isolate and confirm that
> a specific exit is MITM'ing you (vs the "malware/virus" being
> on the original clearnet site itself) feel free to post its fingerprint
> here so that the workers can double check and dirauths can
> give it the bad exit flag.

I don't know how to confirm that exits are MITMs. I can post the FPs of
the ones that show up, though. So far all the alerts lead me to
recognizable nodes that show up OK in Atlas, etc.
> 
> Unfortunately Tor doesn't have simple logging format
> that you can watch in real time alongside your scanner.
> I'm finishing a spec ticket for that soon though.

The alerts appear randomly at intervals of several days. The AV program
alert is via a popup, which I can get later by asking the AV to show
last popup. I guess I should get up to speed in wireshark, but it's
gonna result in a monster file by the time it catches anything.
Thanks for writing up the spec, I'll try to follow the conversation.
 - eliaz
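The cross-check eliaz describes (tracking a flagged address down to a known relay), as an added example that is not code from the thread or from the Tor Project: it parses alert records in the quoted Object/Infection/Process shape and looks each address up in a relay list. The alert text, addresses, nicknames and fingerprints are constructed placeholders; in practice the relay list would be loaded from a consensus or Atlas export.

```python
import ipaddress
import re

# Constructed AV alert records in the Object/Infection/Process shape quoted in
# the thread; addresses are RFC 5737 documentation ranges, not real relays.
AV_ALERTS = """\
Object: https://198.51.100.7
Infection: URL:Mal
Process: C:\\Program Files\\Tor\\tor.exe

Object: https://203.0.113.25:9001
Infection: URL:Mal
Process: C:\\Program Files\\Tor\\tor.exe

Object: https://192.0.2.99
Infection: URL:Mal
Process: C:\\Users\\x\\firefox.exe
"""
# Constructed stand-in for a relay list (an Atlas/consensus export in practice);
# nicknames and fingerprints are placeholders.
KNOWN_RELAYS = {
    "198.51.100.7": {"nickname": "exampleGuard", "fingerprint": "<FP-A>"},
    "203.0.113.25": {"nickname": "exampleExit", "fingerprint": "<FP-B>"},
}
RECORD_RE = re.compile(r"Object:\s*(?P<object>\S+)\s*\nInfection:\s*(?P<infection>.+?)\s*\n"
                       r"Process:\s*(?P<process>.+?)\s*(?:\n|$)")

def parse_alerts(text):
    """Return one dict per Object/Infection/Process record found in the alert text."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]

def host_from_object(obj):
    """Extract the IP literal from an Object URL such as https://203.0.113.25:9001."""
    host = re.sub(r"^[a-z]+://", "", obj).split("/")[0]
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        host = host[1:host.index("]")]
    else:
        host = host.split(":")[0]
    return str(ipaddress.ip_address(host))  # raises ValueError if not an IP literal

def triage(alert):
    """tor.exe reaching a listed relay is the expected false-positive pattern."""
    ip = host_from_object(alert["object"])
    relay = KNOWN_RELAYS.get(ip)
    from_tor = alert["process"].lower().endswith("tor.exe")
    verdict = ("likely false positive" if relay and from_tor
               else "listed relay, but not via tor.exe: investigate" if relay
               else "not a listed relay: investigate")
    return {"ip": ip, "relay": relay, "verdict": verdict}
```

Anything that does not come back as "likely false positive" is the case worth keeping the fingerprint for, as grarpamp suggests.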

