Microsoft Defender Flags Tor Browser as Win32/Malgent!MTB Malware

Win32/Malgent!MTB is a generic detection that Microsoft Defender uses to identify Trojans that are designed to perform a variety of malicious actions on a computer.

The detection of Tor browser’s latest version as Win32/Malgent!MTB malware is likely a false positive.

Microsoft Defender, a popular antivirus program, is apparently falsely flagging Tor Browser as Win32/Malgent!MTB malware. This is causing concern for users who rely on the Tor Browser to protect their privacy and security.

Tor Browser is a free and open-source web browser that uses the Tor network to anonymize browsing traffic. This makes it a popular choice for users who want to protect their privacy online.

Microsoft Defender is detecting the latest version of Tor Browser as malware because it is using a new heuristic detection method that is designed to identify Trojans that use Tor to hide their activity. However, the heuristic method is too broad and also flags the Tor Browser itself as malware.

Users have been reporting the issue. The first screenshot is from a well-known Russian cybercrime and hacker forum, while the rest of the screenshots were sourced from Reddit (Credit:

What is the heuristic detection method?

Heuristic detection is a method of detecting malware that uses rules and algorithms to identify suspicious behaviour. It is different from signature-based detection, which relies on a database of known malware signatures.

Heuristic detection methods can be very effective at detecting new and emerging malware threats, but they can also generate false positives. This is because heuristic detection methods can sometimes flag benign software as malware.

According to Microsoft, its Defender security solution uses a combination of signature-based and heuristic detection methods to protect users from malware. However, the recent false positive detections of Tor Browser suggest that the heuristic detection method in Microsoft Defender may be too broad.

What is Win32/Malgent!MTB malware?

Win32/Malgent!MTB is a generic detection that Microsoft Defender uses to identify Trojans that are designed to perform a variety of malicious actions on a computer.

These actions can include downloading and installing other malware, using the computer for click fraud, recording keystrokes and the websites visited, sending information about the computer, including user names and browsing history, to a remote malicious hacker, giving a remote malicious hacker access to the computer and more.

It is important to note that not all detections of Win32/Malgent!MTB are legitimate. It is possible for false positives to occur, especially when Microsoft Defender is using generic detection methods.

Tor Browser and False Positive Flagging

While Microsoft has not issued any statement yet, it is expected to release a fix for this issue in a future update to Microsoft Defender. A discussion is already underway on the Tor Project Forums.

Furthermore, although the Tor Project, the organization that develops the Tor Browser, has not yet commented on the issue, it already has a dedicated page addressing anti-malware software and false positives against the Tor Browser. This page states that:

“Some antivirus software will pop up malware and/or vulnerability warnings when Tor Browser is launched. If you downloaded Tor Browser from our main website or used GetTor, and verified it, these are false positives and you have nothing to worry about.”

In the meantime, users who are concerned about being falsely flagged by Microsoft Defender can take the following steps:

  • Download and install the latest version of Tor Browser when available: The latest version of Tor Browser is less likely to be flagged by Microsoft Defender.
  • Download and install the previous version for now: Although the latest versions are intended to resolve the issue, users have been reporting that MS Defender still flags the latest version. It is therefore advisable to download and install the previous version of the Tor Browser (from the official site) until the issue is resolved.
  • Add Tor Browser to the exclusion list in Microsoft Defender: This will prevent Microsoft Defender from scanning Tor Browser for malware.
  • Use a different antivirus program: There are other antivirus programs available that are less likely to flag Tor Browser as malware.
  • Use Brave Browser for now: Brave Browser entered the dark web with its own Tor Onion service in October 2020, enabling users to access .Onion domains directly from the browser.

Nevertheless, if you are using Tor Browser and Microsoft Defender, and you see a notification that Tor Browser is infected with malware, you should not be concerned. This is likely a false positive detection. You can safely ignore the notification and continue using the Tor Browser.

Update 02/10/2023:

Here’s what the Tor Project Support Bot on Telegram had to say about the issue:

We receive numerous messages from our users about Windows Defender's false-positive reaction to the latest browser version.

Because of that, you may see in Tor Browser:

"Tor Browser couldn’t locate you 

Tor Browser needs to know your location in order to choose the right bridge for you. If you’d rather not share your location, configure your connection manually instead.  

Component returned failure code: 0x804b000d (NS_ERROR_CONNECTION_REFUSED) "

Or you can get a message that Tor is potentially blocked.

First, verify that the Tor Browser you download is the one we have created and has not been modified by some attacker:

After that, try these ways to fix the problem:

Ask Windows Defender to skip the Tor folders (you may have to reinstall your browser). Or release the tor.exe file from quarantine.

Alternatively, you can try installing a 32-bit version of the Tor browser.
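
The steps above (verify the download, then exclude the Tor folder or release tor.exe from quarantine) written out as a PowerShell script that refuses to touch Defender unless verification passes. This is an added example, not the Tor Project's or Microsoft's own procedure; the three parameters are hypothetical, and it assumes you recorded a SHA-256 value while verifying the download and that the installer is Authenticode-signed.

```powershell
#Requires -RunAsAdministrator
# Added example. Parameter names and paths are assumptions, not from the article.
param(
    [Parameter(Mandatory)][string]$Installer,       # downloaded Tor Browser installer
    [Parameter(Mandatory)][string]$ExpectedSha256,  # hash recorded when you verified the download
    [Parameter(Mandatory)][string]$InstallDir       # Tor Browser folder to exclude
)
$ErrorActionPreference = 'Stop'

# 1. Stop unless the installer matches the verified hash (-ne is case-insensitive).
$actual = (Get-FileHash -LiteralPath $Installer -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.Trim()) {
    throw "SHA-256 mismatch for $Installer (got $actual). Nothing excluded or restored."
}

# 2. Record the Authenticode result so the decision can be audited later.
$sig = Get-AuthenticodeSignature -LiteralPath $Installer
'Signature: {0}; signer: {1}' -f $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid') { throw "Installer signature status is $($sig.Status)." }

# 3. Act only on the detection the article describes, not on any other threat.
$threat = Get-MpThreat |
    Where-Object ThreatName -like '*Win32/Malgent!MTB' |
    Select-Object -First 1
if (-not $threat) { throw 'No Win32/Malgent!MTB detection recorded; nothing to do.' }

# 4. Exclude the Tor Browser folder only; reject a drive root as too broad.
$dir = (Resolve-Path -LiteralPath $InstallDir).Path
if ($dir -eq [IO.Path]::GetPathRoot($dir)) { throw "Refusing to exclude a drive root: $dir" }
Add-MpPreference -ExclusionPath $dir
(Get-MpPreference).ExclusionPath   # review: should list only paths you expect

# 5. Show what is quarantined, then restore the most recent item for this threat.
$mp = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mp -Restore -ListAll
& $mp -Restore -Name $threat.ThreatName
```

Once a fixed Defender definition update arrives, remove the exclusion again with `Remove-MpPreference -ExclusionPath`.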