Microsoft Defender will finally stop claiming Tor is malware

Illustration about 'Darknet', logo of the Tor Browser, which provides access to the Darknet. Binary codes are shown in the background
(Image credit: Photo by Florian Gaertner/Photothek via Getty Images)

Tor has confirmed that Microsoft Defender will no longer wrongly flag the alternative browser as malware after a battle with Microsoft to get the story straight.

The problem stems from TorBrowser 12.5.6, which contains an executable file that Defender deemed unsafe, but a Tor spokesperson said that the file was actually unchanged byte-for-byte compared with version 12.5.5.

Affected users were having the tor.exe file flagged as a trojan (“Win32/Malgent!MTB”) and were unable to use the software.

Microsoft will let you use the Tor browser again

In the meantime, some users were reporting success in reinstalling the previous build, which was not seemingly triggering Windows Defender’s trojan response.

Compared with Tor version 12.5.5, build 12.5.6 added just a couple of security tweaks including backporting security fixes from Firefox 115.3.1 to 102.15.1.

It took Tor contacting Microsoft to get it working correctly again. By sharing the .exe file with Redmond, Tor was told:

“At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed.”

The update reads: “If your TorBrowser stopped working during this weekend, make sure your Windows Defender is up to date, and either unquarantine tor.exe, or reinstall TorBrowser by downloading it from [the] Tor Project website.”

The latest signature database (1.397.1910.0) is no longer considering the tor.exe file to be a problem.

A Microsoft spokesperson told TechRadar Pro in an email:

"Because the Tor.exe software is used for both illegitimate and legitimate use, it’s not trivial to determine whether its presence in any particular situation is safe or unsafe. Detections where Tor.exe is concerned usually covers the malicious behaviors or other indicators of compromise surrounding usage of the application (tor.exe) and not on Tor.exe itself. In this case, it was determined as a false positive detection and we have released a security intelligence update to fix the issue."

More from TechRadar Pro

Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!