Silk Road forums

Discussion => Security => Topic started by: LowWaterGate on January 28, 2012, 09:37 am

Title: Tor Worms: False Positives?
Post by: LowWaterGate on January 28, 2012, 09:37 am
I just installed Prevx v3.0.5.220 and its initial malware scan ID'd a dozen worms, all in the 2 address folders named:  "tor browser v.2.2.35-4" & "tor browser v.2.2.35-3" .

They were executables as follows:

testopen.exe
testserve.exe
testfile.exe
testpipe.exe
certutil.exe
readntim.exe

The 6 were duplicated in each folder for a total of twelve.  I'm 99% certain that they are false positives.  I'd love to hear from a tor mod/expert re any wormesque problems they've seen attributable to the aforementioned files.

Thanks for reading.

LowWater
Title: Re: Tor Worms: False Positives?
Post by: randomOVDB#2 on January 28, 2012, 09:55 am
If you have downloaded it from the Tor website you're probably good.

Double check:
http://www.wilderssecurity.com/showthread.php?t=268723
Title: Re: Tor Worms: False Positives?
Post by: LowWaterGate on January 28, 2012, 04:32 pm
randomOVDB#2,

Thanks for taking the time to think about my dilemma.  I read your Wilders thread and sent my Prevx log off to report@prevxresearch.com (just in case).  Having downloaded the browser from https://www.torproject.org/ I'm not too worried, but I'm a security freak.  Anyway . . .

Take Care,
LowWater
Title: Re: Tor Worms: False Positives?
Post by: supersecretsquirrel on January 29, 2012, 03:05 am
I just installed Prevx v3.0.5.220 and its initial malware scan ID'd a dozen worms, all in the 2 address folders named:  "tor browser v.2.2.35-4" & "tor browser v.2.2.35-3" .

There have been issues with Prevx in the past (not only does it flag Tor as malware, it can also cause your computer to reboot whenever you try to start Tor), and I recommend that you switch to something else. I would also recommend that you start verifying the GnuPG signature of the TBB that you download from the Tor Project website, just to make sure that you're getting the real version of the software.
Title: Re: Tor Worms: False Positives?
Post by: MJAvenger on January 30, 2012, 07:46 am
Could someone please upload the signed hash of the latest Tor Browser Bundle for Linux?
Title: Re: Tor Worms: False Positives?
Post by: LowWaterGate on January 30, 2012, 03:24 pm
supersecretsquirrel,

Thanks for your reply.  I sent a similar email to Prevx' Tech Support.  We'll see.  Oh, what does TBB stand for?

Take Care,
LowWater
Title: Re: Tor Worms: False Positives?
Post by: fastcat on January 30, 2012, 04:23 pm
Oh, what does TBB stand for?

Tor Browser Bundle
Title: Re: Tor Worms: False Positives?
Post by: supersecretsquirrel on January 31, 2012, 02:49 pm
Could someone please upload the signed hash of the latest Tor Browser Bundle for Linux?

I recommend that you get the signature (.asc file) directly from the Tor Project website and verify it yourself. Don't trust anyone on SR to do it for you.
Title: Re: Tor Worms: False Positives?
Post by: LowWaterGate on January 31, 2012, 04:01 pm
supersecretsquirrel,

Thanks for the reply.  Unfortunately, you just transcended my understanding of software security.  Would .asc be the ASCII file?  Prevx thought they were false positives (after a million uninstall/install/delete/reinstalls) and, given that I downloaded my "TBB" directly from the Tor site, I simply tagged those six offending files as false positives.

Again, please point me toward the .asc file, and one more question: do I just look for those six files on an *.asc list somewhere?  Excuse my naivete.

Take Care,
LowWater
Title: Re: Tor Worms: False Positives?
Post by: supersecretsquirrel on January 31, 2012, 10:15 pm
Thanks for the reply.  Unfortunately, you just transcended my understanding of software security.  Would .asc be the ASCII file?  Prevx thought they were false positives (after a million uninstall/install/delete/reinstalls) and, given that I downloaded my "TBB" directly from the Tor site, I simply tagged those six offending files as false positives.

Again, please point me toward the .asc file, and one more question: do I just look for those six files on an *.asc list somewhere?  Excuse my naivete.

Here's what you need to do: go to the Tor Project website and download the latest Tor Browser Bundle for whatever operating system you are running. Make sure you also download the signature file (the one with a filename ending in .asc). You can then use both files (the executable plus the signature) to verify that no one has tampered with the package you just downloaded.

Once that's done, go ahead and extract the archive and run Tor as normal. If Prevx is still bitching about malware, turn it off or simply uninstall it and install something better.
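The verification step described in this post (and recommended earlier in the thread), as an added example that is not part of the original thread and not Tor Project tooling: a POSIX shell script that creates a throwaway key, signs a constructed stand-in for the archive, and then checks a detached .asc signature the way you would check a real bundle. The user IDs, file names and file contents are all constructed for the example, and GnuPG 2.1 or later is assumed to be installed as `gpg`. The Tor Project's real signing-key fingerprint is deliberately not embedded; you get it from the project itself, not from a forum post. The example goes one step past the post: it also shows why "Good signature" alone is not enough, because any key that has found its way into your keyring can produce one, so you must compare the fingerprint gpg reports with the one you obtained out of band.

```shell
#!/bin/sh
# Added example (not from the thread, not Tor Project code): verify a detached
# OpenPGP signature (.asc) over a downloaded archive and pin the signer's
# fingerprint. Everything is generated on the spot so it runs offline: the
# keys, user IDs and "bundle" bytes are constructed stand-ins. Needs GnuPG 2.1+.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg (GnuPG 2.1+) is required" >&2; exit 1; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"   # throwaway keyring; never touches ~/.gnupg
mkdir -m 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"; }
trap cleanup EXIT

# Generate an unprotected key for user ID $1 and print its primary fingerprint.
make_signer_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$1" default default never 2>/dev/null
    gpg --batch --with-colons --fingerprint --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Detached, ASCII-armored signature of file $2 by key $1, written to $2.asc
# (same layout as <bundle>.tar.gz next to <bundle>.tar.gz.asc on the download site).
sign_bundle() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$1" --armor --detach-sign --output "$2.asc" "$2" 2>/dev/null
}

# What most people do: run "gpg --verify sig file" and look for "Good signature".
# Exit status 0 only means that SOME key in your keyring made the signature.
gpg_says_good() {  # $1 = signature, $2 = file
    gpg --batch --verify "$1" "$2" >/dev/null 2>&1
}

# The check that matters: signature valid AND made by the key whose fingerprint
# ($3) you obtained out of band. gpg's machine-readable VALIDSIG status line
# carries the signer's primary key fingerprint in its last field.
verify_bundle() {  # $1 = file, $2 = signature, $3 = expected primary fingerprint
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    actual=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $NF; exit }')
    if [ -n "$actual" ] && [ "$actual" = "$3" ]; then return 0; fi
    return 1
}

# --- constructed scenario ---------------------------------------------------
BUNDLE="$WORK/tor-browser-example.tar.gz"
printf 'stand-in for the real archive bytes\n' > "$BUNDLE"
GOOD_FPR=$(make_signer_key "Tor Browser Signer (example) <signer@example.invalid>")
sign_bundle "$GOOD_FPR" "$BUNDLE"

# Archive altered after signing: the genuine signature no longer matches.
TAMPERED="$WORK/tampered.tar.gz"
cp "$BUNDLE" "$TAMPERED"; cp "$BUNDLE.asc" "$TAMPERED.asc"
printf 'one extra line\n' >> "$TAMPERED"

# Attacker key with a look-alike user ID (the kind you might import from a
# keyserver or a forum post) signing the attacker's own build. gpg reports a
# "Good signature" for it; only the fingerprint comparison rejects it.
EVIL_FPR=$(make_signer_key "Tor Browser Signer (example) <signer@examp1e.invalid>")
TROJAN="$WORK/trojan.tar.gz"
printf 'attacker build\n' > "$TROJAN"
sign_bundle "$EVIL_FPR" "$TROJAN"

report() {  # $1 = label, $2 = file, $3 = signature
    if verify_bundle "$2" "$3" "$GOOD_FPR"; then v=ACCEPT; else v=REJECT; fi
    if gpg_says_good "$3" "$2"; then g="gpg exit 0, Good signature"; else g="gpg exit non-zero"; fi
    printf '%-22s %-7s [%s]\n' "$1" "$v" "$g"
}
report "genuine bundle"       "$BUNDLE"   "$BUNDLE.asc"
report "tampered bundle"      "$TAMPERED" "$TAMPERED.asc"
report "trojan, wrong signer" "$TROJAN"   "$TROJAN.asc"
```

For a real download the two files are `<bundle>` and `<bundle>.asc` from the Tor Project site, the keyring must already contain the project's signing key, and the third argument to `verify_bundle` is the fingerprint published by the project, compared character by character rather than by the key's name.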
Title: Re: Tor Worms: False Positives?
Post by: LowWaterGate on February 01, 2012, 12:48 pm
Supersecretsquirrel, thanks.

You gave me the same advice as Tor's tech support.  To make a long story short, they were false positives and I whitelisted them so that Prevx doesn't bitch every fifteen minutes.  Considering I run ESET NOD32 and Malwarebytes and have been for years, I was a bit surprised that only Prevx was sensitive enough to find a simple worm.

Again, thanks for all your help.  From my still uninfected computer -

Take Care,
LowWater