Microsoft Defender Flags Tor Browser as a Trojan and Removes it from the System

Windows users have recently begun mass-reporting that Microsoft’s Defender antivirus program, which is integrated into Windows 10 and 11 by default, is flagging the latest version of the Tor browser as “Win32/Malgent!MTB” malware.

For those who don’t know, Tor Browser is free, open-source software that uses onion routing to browse the Internet anonymously. It’s essentially a must-have for those wanting to ensure their online privacy.

Experts believe that the false malware alert is due to the new heuristic detection method used in Microsoft Defender. This method is designed to identify Trojans that use Tor to hide their activity. However, it seems that Defender does not limit itself to Trojans, but marks Tor itself as malicious.

Tor false-positive malware
Credit: Tor Browser Forum

In general, heuristic detection is a malware detection method that uses predefined rules and algorithms to identify suspicious behavior. It differs from signature-based detection, which relies on a specific database of known malware. While heuristic methods can be effective in detecting new threats, they also often produce false positives.

Tor representatives advised users to check whether the browser was installed from the official website. If a legitimate official source was used for the download, the Defender warning should be treated as a false positive.

In addition, the developers recommended adding Tor to the Microsoft Defender exclusion list and restoring “tor.exe” from quarantine if Defender affected Tor’s operation. Microsoft has not made an official statement on the issue at the time of writing.
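The steps above can be scripted so that the exclusion is only added after the download has been checked. The following PowerShell is an added example, not code from the article or from the Tor Project. Both paths are supplied by the user, and the expected signer name is an assumption to confirm against the official website. Run it from an elevated prompt.

```powershell
param(
    [Parameter(Mandatory)] [string]$InstallerPath,  # installer you downloaded (your own path)
    [Parameter(Mandatory)] [string]$TorExePath,     # full path tor.exe had before quarantine
    [string]$ExpectedSigner = 'The Tor Project'     # assumption: confirm on the official site
)

# 1. Check the installer's Authenticode signature before trusting anything it unpacked.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; do not add an exclusion."
}
if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 2. Confirm Defender's detection on this file is the one reported in the article,
#    not some other threat name that deserves a closer look.
$detections = Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($TorExePath) }
if (-not $detections) {
    throw "Defender has no recorded detection for $TorExePath."
}
foreach ($d in $detections) {
    $name = (Get-MpThreat -ThreatID $d.ThreatID).ThreatName
    if ($name -notlike '*Win32/Malgent!MTB') {
        throw "Different detection on this file: $name. Investigate before restoring."
    }
}

# 3. Exclude only the single binary (not the whole folder or drive), then restore it.
#    The exclusion goes first so the restored file is not quarantined again at once.
Add-MpPreference -ExclusionPath $TorExePath
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -FilePath $TorExePath

# 4. Show the resulting exclusion list so it can be reviewed and later removed.
(Get-MpPreference).ExclusionPath
```

Once Defender's definitions no longer flag the file, the exclusion can be dropped again with `Remove-MpPreference -ExclusionPath`.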