Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#20708 closed defect (not a bug)

Baidu Anti-TBB or TBB Trojanic upgrade

Reported by: agentchaos
Owned by: asn
Priority: Very High
Milestone:
Component: Circumvention/Pluggable transport
Version:
Severity: Major
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Hi there, I was running TBB 6.5a3 inside Windows 8.1 and I have Baidu anti-virus running inside it.

Then I upgraded TBB to 6.5a4, and this is what happened:

Baidu detected that there were viruses going to be downloaded by doing this upgrade, so Baidu blocked them. The weird thing is that the upgrade continued and TBB worked!! even though some parts of it had been deleted.

Here is what Baidu thought were trojans:

1- Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports\terminateprocess-buffer.exe

2- Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports\meek-client-torbrowser.exe

3- Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports\meek-client.exe

4- Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports\obfs4proxy.exe

All of these were categorized under one umbrella (reason behind deletion):

Trojan.Crypt.Heur.gen

What are the dangerous things that I think I found here:

1- Which one is correct regarding false security, Baidu or the TBB upgrade?

2- TBB kept working, ignoring the reality that some parts of it have been removed!!, which means that for any edit/modify/remove of TBB's installed files/parts there will be no signal to know that (unless it's obvious, like in my case).

I think the best thing to do is to have an enhancement to avoid TBB file corruption, like e.g. most anti-viruses have "Self-Defense" (https://blog.kaspersky.com/tip-of-the-week-what-is-antivirus-self-defense/3936/).

Good thing this happened in the TBB alpha. Any further questions, help, just ask. Thanks.
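The kind of "signal" the report asks for, as an added example that is not part of the ticket or of Tor Browser: a manifest of SHA-256 digests for the four pluggable transport binaries is assumed to be recorded right after a clean install, and a later check reports which of them have gone missing (for example quarantined by an anti-virus) or have been altered. The directory, file contents and digests below are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# The four binaries named in the report (under Browser\TorBrowser\Tor\PluggableTransports).
PT_FILES = [
    "terminateprocess-buffer.exe",
    "meek-client-torbrowser.exe",
    "meek-client.exe",
    "obfs4proxy.exe",
]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(pt_dir: Path) -> dict:
    """Assumed step: record digests of the transport binaries right after install."""
    return {name: sha256_of(pt_dir / name) for name in PT_FILES}


def verify_manifest(pt_dir: Path, manifest: dict) -> dict:
    """Compare the current directory against the manifest; report removed and modified files."""
    report = {"missing": [], "modified": []}
    for name, expected in manifest.items():
        path = pt_dir / name
        if not path.is_file():
            report["missing"].append(name)
        elif sha256_of(path) != expected:
            report["modified"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario: two binaries quarantined, one altered, one untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        pt_dir = Path(tmp) / "PluggableTransports"
        pt_dir.mkdir()
        for name in PT_FILES:  # constructed stand-in contents, not real binaries
            (pt_dir / name).write_bytes(b"constructed stand-in for " + name.encode())
        manifest = build_manifest(pt_dir)
        (pt_dir / "obfs4proxy.exe").unlink()            # "quarantined" by AV
        (pt_dir / "meek-client.exe").unlink()           # "quarantined" by AV
        (pt_dir / "meek-client-torbrowser.exe").write_bytes(b"altered")
        return verify_manifest(pt_dir, manifest)


if __name__ == "__main__":
    print(demo())
```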


Attachments (1)

tbba1.png (399.7 KB) - added by agentchaos 3 years ago.


Change History (4)

Changed 3 years ago by agentchaos

Attachment: tbba1.png added

comment:1 Changed 2 years ago by nickm

Milestone: Tor: 0.2.9.x-final
Version: Tor: 0.2.9.5-alpha

comment:2 Changed 2 years ago by dcf

This is an error by the anti-virus program. It happens frequently with newly released versions of Tor Browser. Please see this FAQ entry:

https://www.torproject.org/docs/faq.html.en#VirusFalsePositives

Sometimes, overzealous Windows virus and spyware detectors trigger on some parts of the Tor Windows binary. Our best guess is that these are false positives — after all, the anti-virus and anti-spyware business is just a guessing game anyway. You should contact your vendor and explain that you have a program that seems to be triggering false positives. Or pick a better vendor.

What the four programs you listed all have in common is that they are written in the Go programming language. Other parts of Tor Browser are written in other programming languages. This anti-virus seems to have a bug that causes it to mark Go programs as malware. Those programs are only used when you activate pluggable transports. If you don't use meek or obfs4, then Tor Browser will work without them.

comment:3 Changed 2 years ago by gk

Resolution: not a bug
Status: new → closed

I agree with dcf resolving this as not our bug.

Last edited 2 years ago by gk