[tor-relays] IP addresses as false positives?

eliaz eliaz at riseup.net
Mon Jan 5 16:15:11 UTC 2015

> On Mon, Jan 5, 2015 at 3:33 AM, Kura <kura at kura.io> wrote:
>> I would say that maybe it's a possibility that traffic gets
>> flagged as such too?
>> ...
>> antivirus [...] one that does
>> traffic inspection
> Oh, well that could be too. Tor traffic is encrypted/obfuscated
> and thus could generate a random hit that AV points at the
> Tor binary as responsible for.
> But the OP is getting URLs from AV so it may be
> watching his localhost SOCKS for http streams.

This may perhaps help: Running the bridge I regularly get:

[Warning] Rejecting SOCKS request for anonymous connection to private
address [scrubbed]. [1 similar message(s) suppressed in last 300 seconds]

I can't unscrub these messages (SafeLogging doesn't seem to work for tor
4.0.2 and standalone vidalia.) I haven't been able to track down the
processes involved. Since they're private, I assume they're broadcasts &
so ignore them. There were some conversations about this on one of the
lists some time ago, and the advice was to ignore.

> What's weird is OP's "Object" is https://, which is
> not terminated to plaintext anywhere but in the browser
> or tor.
> Perhaps not enough info.
>> machine, AVG reported that tor.exe was a possible virus and removed it, this
>> also happened when we tested the Tor Vidalia bundle. This was simply a
>> filesystem check though, rather than packet/traffic inspection. It was also
>> very recent, within the last week.
> Gratuitous listing by AVG perhaps?
>> On Mon, Jan 5, 2015 at 2:30 AM, eliaz wrote:
>>> The antivirus program on a machine running a bridge occasionally
>>> reports like so:
>>> Object: https://
>>> Infection: URL:Mal [sic]
>>> Process: ... \tor.exe
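Added example, not part of the thread: a small Python parser for the log line quoted above that folds the "[N similar message(s) suppressed in last S seconds]" suffix back into the tally, because Tor rate-limits repeated warnings and a plain grep undercounts how many SOCKS requests to private addresses were actually refused. The sample log lines are constructed; the timestamp/level layout follows Tor's log format, and the level is lower-cased so Vidalia's "[Warning]" and tor's "[warn]" are treated alike.

```python
import re

# Constructed sample of Tor log lines in the shape quoted in the thread
# (timestamps and counts are made up; the message text is the one shown above).
SAMPLE_LOG = """\
Jan 05 15:58:01.000 [notice] Bootstrapped 100%: Done
Jan 05 16:02:14.000 [warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed].
Jan 05 16:07:19.000 [Warning] Rejecting SOCKS request for anonymous connection to private address [scrubbed]. [1 similar message(s) suppressed in last 300 seconds]
Jan 05 16:12:40.000 [warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed]. [3 similar message(s) suppressed in last 300 seconds]
Jan 05 16:13:02.000 [warn] Your server has not managed to confirm that its ORPort is reachable.
"""

# "<Mon DD HH:MM:SS[.mmm]> [<level>] <message>[ [N similar message(s) suppressed in last S seconds]]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"\[(?P<level>[A-Za-z]+)\] (?P<msg>.*?)"
    r"(?: \[(?P<n>\d+) similar message\(s\) suppressed in last (?P<win>\d+) seconds\])?$"
)


def parse_line(line):
    """Split one Tor log line into timestamp, level, message and the number of
    identical messages Tor suppressed; return None for lines of another shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "level": m.group("level").lower(),
        "msg": m.group("msg"),
        "suppressed": int(m.group("n") or 0),
    }


def count_socks_rejections(text):
    """Return (lines_shown, requests_refused): the number of 'Rejecting SOCKS
    request' lines present, and that count plus every suppressed repeat."""
    shown = total = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["msg"].startswith("Rejecting SOCKS request"):
            shown += 1
            total += 1 + rec["suppressed"]
    return shown, total


if __name__ == "__main__":
    print(count_socks_rejections(SAMPLE_LOG))  # (3, 7)
```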

