AV flags a suspicious connection when launching Tor Browser

Hello Everyone.
I launched my Tor client and when it connected to Tor network my AV flagged a suspicious connection from tor.exe. I haven’t yet opened any web pages at this point. My AV is Bitdefender, free version.
The URL it tried to connect to is weird. VirusTotal says only Bitdefender and G-Data flags it as malicious.
What’s even weirder is that the domain is not registered and cannot be resolved to an IP address.
Can someone shed some light on this issue?

  • OS Windows 10
  • Tor Browser version 12.0.3
  • Tor Browser Security Level SAFER
  • Step by step of how you got to the issue, so we can reproduce it
    Happened only once, couldn’t reproduce it, but another user reported the same issue on Reddit. The only difference is that the other user was using Whonix.
  • The Tor log
    Sorry, I didn’t have the reflex to check the logs at the time :frowning:


Happened again, another domain. Didn’t notice the notification at first, so I didn’t check the logs.
It happened after I reinstalled a fresh client.

And another one:

This time I looked at the logs:

2023-03-29 17:21:04.588 [NOTICE] New control connection opened from 127.0.0.1.
2023-03-29 17:21:04.588 [NOTICE] New control connection opened from 127.0.0.1.
2023-03-29 17:21:04.591 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
2023-03-29 17:21:05.053 [NOTICE] Opening Socks listener on 127.0.0.1:9150
2023-03-29 17:21:05.053 [NOTICE] Opened Socks listener connection (ready) on 127.0.0.1:9150
2023-03-29 17:21:05.622 [NOTICE] Bootstrapped 5% (conn): Connecting to a relay
2023-03-29 17:21:05.657 [NOTICE] Bootstrapped 10% (conn_done): Connected to a relay
2023-03-29 17:21:05.710 [NOTICE] Bootstrapped 14% (handshake): Handshaking with a relay
2023-03-29 17:21:05.763 [NOTICE] Bootstrapped 15% (handshake_done): Handshake with a relay done
2023-03-29 17:21:05.765 [NOTICE] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
2023-03-29 17:21:05.767 [NOTICE] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
2023-03-29 17:21:05.769 [NOTICE] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
2023-03-29 17:21:05.976 [NOTICE] Bootstrapped 100% (done): Done
2023-03-29 17:21:06.936 [NOTICE] New control connection opened from 127.0.0.1.
2023-03-29 17:32:51.573 [NOTICE] Have tried resolving or connecting to address '[scrubbed]' at 3 different places. Giving up.
2023-03-29 17:33:08.171 [NOTICE] New control connection opened from 127.0.0.1.

Tor generates a random fake hostname like www.[4–25 random letters].com every time it connects to a relay. This is the place in the code where it happens. There’s no technical requirement for the random hostnames—neither the client nor the relay resolves the name or does anything else with it—it’s just there to make Tor’s TLS look a little bit more like web browsers’ TLS in the hopes of making Tor harder to censor. Tor started doing that in version 0.2.1.1-alpha in 2008. That was a time before pluggable transports. Today, pluggable transports are a better way to protect Tor TLS connections from being blocked. You can read more at the TLSHistory wiki page.

I don’t know why the AV has decided that some of these random fake hostnames look like a threat. Maybe Tor randomly generated a name that was used for malware in the past. Maybe the AV is using some simple pattern-matching rule (all your examples have 5 random characters). But what you’re seeing is expected behavior.

1 Like
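As an added illustration of the behaviour described in the answer above (this is example code written for this page, not code from the forum thread or from the Tor Project), the script below does two things a defender triaging such an alert would want: it produces hostnames the same way Tor does, by base32-encoding random bytes and trimming to a random label length between 4 and 25 characters (the base32 alphabet, which can include the digits 2–7 as well as letters, is an assumption drawn from Tor’s crypto_random_hostname routine; the answer only says “random letters”), and it checks whether a hostname taken from an AV alert fits the www.[4–25 chars].com shape. The alert lines and their `process=… dest=…` format are constructed for the example and do not reflect Bitdefender’s real log format.

```python
import base64
import re
import secrets

# Tor's fake SNI shape: "www." + 4..25 base32 characters + ".com".
# Assumption: the random label is lowercase base32 (a-z, 2-7); the forum
# answer describes it more loosely as "random letters".
TOR_FAKE_SNI = re.compile(r"^www\.[a-z2-7]{4,25}\.com$")

# Constructed AV-style alert lines (generic format invented for this example).
SAMPLE_ALERTS = [
    "2023-03-29 17:21:05 BLOCKED process=tor.exe dest=www.abcde.com:443 reason=malicious-url",
    "2023-03-29 17:25:10 BLOCKED process=tor.exe dest=www.q7xk2plmzr.com:9001 reason=malicious-url",
    "2023-03-29 17:30:00 BLOCKED process=update.exe dest=cdn.example.net:443 reason=malicious-url",
    "2023-03-29 17:31:00 BLOCKED process=tor.exe dest=www.abc.com:443 reason=malicious-url",
]

ALERT_RE = re.compile(r"process=(?P<proc>\S+)\s+dest=(?P<host>[^:\s]+)(?::(?P<port>\d+))?")


def random_fake_hostname(min_len: int = 4, max_len: int = 25,
                         prefix: str = "www.", suffix: str = ".com") -> str:
    """Generate a hostname the way Tor's crypto_random_hostname does (assumed):
    pick a label length, base32-encode enough random bytes, keep `n` chars."""
    n = min_len + secrets.randbelow(max_len - min_len + 1)
    nbytes = (n * 5 + 7) // 8                     # enough bytes for n base32 chars
    label = base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").lower()[:n]
    return prefix + label + suffix


def looks_like_tor_fake_sni(hostname: str) -> bool:
    """True if the name has the shape Tor puts in its TLS SNI when talking to a relay.
    Hostnames are case-insensitive, so normalise before matching."""
    return TOR_FAKE_SNI.match(hostname.strip().lower()) is not None


def triage_alert(line: str):
    """Classify one alert line. Returns None if the line is not an alert we parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    proc = m.group("proc").lower()
    host = m.group("host").lower()
    port = int(m.group("port")) if m.group("port") else None
    # Relays listen on arbitrary ORPorts (443, 9001, ...), so the port is reported
    # but not used for the verdict; the process name and SNI shape are what matter.
    if proc == "tor.exe" and looks_like_tor_fake_sni(host):
        verdict = "expected-tor-fake-sni"      # no DNS lookup is ever made for this name
    elif proc == "tor.exe":
        verdict = "tor-but-unexpected-name"    # tor.exe reaching a name outside the pattern
    else:
        verdict = "not-tor-review"             # some other process: review normally
    return {"process": proc, "host": host, "port": port, "verdict": verdict}


def triage_all(lines):
    """Triage a batch of alert lines, dropping lines that do not parse."""
    return [r for r in (triage_alert(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for h in (random_fake_hostname() for _ in range(3)):
        print(f"generated {h:32} matches={looks_like_tor_fake_sni(h)}")
    for r in triage_all(SAMPLE_ALERTS):
        print(r)
```

The verdict only says whether the alert is consistent with Tor’s documented fake SNI; it is a triage aid for sorting expected Tor noise from alerts that deserve a closer look, not a statement that the flagged name is harmless in every context.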

Thank you for your reply.

I will take a look at links provided.
At least the second flagged domain does indeed look like it has been used for malware.

My suggestion would be to stop using Windows (which I consider malware provided by a convicted monopoly) and try Tails.

Moving to a Linux distro is good for security (mostly) but completely foreign in terms of use, available software and compatibility with other operating systems. Linux is lacking in features too; for instance, you can have something as intricate as Adobe Photoshop on Windows, and yet in Linux you are stuck with GIMP.

1 Like

It’s you, who started it.
And you, who revived the topic after a month of inactivity.

@Vort:

“It’s you, who started it.”

Hello there, Vort. I hope you are well. Thank you for the pleasant correction.

English is not my first language and there are times I post when I really should be asleep! :slight_smile:

I assumed I had posted my comment in regards to the exclusive use of Tor on Tails rather than using Tor Browser on Windows. It was not my intention to come across [rather assholish] with the idea of TOTALLY switching from Windows to Linux. So I see now my mistake, thank you. I have decided to remove the offending post.

@Screen:

I sincerely apologize for coming across so strongly and rudely when I assumed I was referring only to using Tails in place of Windows/TBB. So often on other forums/mailing lists I encounter users of Windows who go crazy about how shitty they think Linux is, on and on, and derail actively positive threads.

@Vort:

“And you, who revived the topic after a month of inactivity.”

I apologize. I do not log in here as frequently as I used to, and I missed the thread and didn’t know there was a response until just recently.

Blessings to both you, Vort, and to you Screen!

1 Like