On September 30th, Microsoft Defender began deleting instances of Tor Browser from users’ PCs. The antivirus tool falsely identified Tor Browser as a “Win32/Malgent!MTB” trojan. Microsoft confirms that this was a false positive and has removed Tor Browser from the latest Defender signature database (version 1.397.1910.0). You may now update Microsoft Defender and reinstall Tor Browser (or restore it from quarantine).
This false positive occurred during the Tor Browser version 12.5.6 rollout. Microsoft Defender mistook the browser’s automatic update for a trojan, which isn’t totally surprising. Some trojans use onion routing to mask their activity, and tampered versions of the Tor Browser are somewhat common (which is why you should only download the browser through official channels). Oddly, Microsoft Defender did not flag 32-bit versions of the Tor Browser. And, as a moderator on the Tor Project forum explains, tor.exe 12.5.6 is a byte-for-byte duplicate of the previous 64-bit release.
False positives are nothing new for the Tor Browser. It’s regularly flagged as malware by antivirus tools. Still, the Tor Project took its time when evaluating this situation. The Tor Project’s slow response frustrated some users, but it was the right choice. Tor Browser is associated with malicious activity and has been targeted by hackers in the past, so any claims of malfeasance should be taken seriously.
Also, it’s hard to criticize Microsoft Defender for making a mistake. But we hope that Microsoft improves the accuracy of its detection software. False positives could set a poor precedent for inexperienced or impatient users, who may wrongfully assume that Tor Browser is immune to malicious attacks. If you were affected by this situation, I hope that you act with patience in the future, and I suggest that you learn to verify your Tor Browser installation. You may also use VirusTotal to scan future Tor Browser installations.
To reiterate, Tor Browser is excluded from the updated Microsoft Defender signature database (version 1.397.1910.0). You can manually update Microsoft Defender if needed, though it should update automatically within the next 24 hours. Once that’s done, reinstall Tor Browser from the official website or restore Tor Browser from quarantine through your Command Prompt.
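The update-then-restore sequence described above can be scripted as follows. This is an added example, not part of the original article or any Microsoft or Tor Project tooling; it assumes the default `MpCmdRun.exe` location and that the `-ListAll` output uses `ThreatName = <name>` lines followed by indented file lines.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
$fixedVersion = [version]'1.397.1910.0'   # signature version named in the article
$detection    = 'Win32/Malgent!MTB'       # detection name named in the article

# 1. Restore only after the corrected signatures are in place; otherwise
#    Defender quarantines the same file again on its next scan.
$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($current -lt $fixedVersion) {
    Write-Host "Signatures $current are older than $fixedVersion, updating..."
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}
if ($current -lt $fixedVersion) {
    throw "Signatures are still $current; not restoring anything."
}

# 2. List the quarantine and pick out entries for this detection.
#    Assumption: -ListAll prints "ThreatName = <name>" followed by "file:<path> ..." lines.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'   # default path (assumption)
$listing  = & $mpCmdRun -Restore -ListAll
$entries  = @($listing | Select-String -SimpleMatch $detection -Context 0, 5)
if ($entries.Count -eq 0) {
    Write-Host "Nothing quarantined as $detection; reinstall from the official site instead."
    return
}
$entries | ForEach-Object { $_.ToString() }   # matched line plus up to five lines after it

# 3. Review the paths printed above. Restore only if every one belongs to your
#    Tor Browser folder; a hit anywhere else is not covered by this false positive.
if ($entries[0].Line -notmatch '^\s*ThreatName\s*=\s*(.+)$') {
    throw "Unexpected -ListAll format; restore manually with -Restore -FilePath <path>."
}
$threatName = $Matches[1].Trim()
$answer = Read-Host "Restore all items quarantined as '$threatName'? (y/N)"
if ($answer -eq 'y') {
    & $mpCmdRun -Restore -Name $threatName -All
}
```

The version gate matters because restoring under the old signatures simply triggers the same detection again, and the manual confirmation keeps a genuine detection elsewhere on disk from being restored along with the browser.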