Date: Wed, 17 Jun 2015 08:44:08 +0000
From: Martijn Grooten <martijn@lapsedordinary.net>
To: tor-talk@lists.torproject.org
Message-ID: <20150617084408.GA4353@lapsedordinary.net>
References: <55802A0B.4000409@riseup.net> <55804EC0.7040901@gmail.com>
 <20150616172156.GC7957@moria.seul.org>
MIME-Version: 1.0
In-Reply-To: <20150616172156.GC7957@moria.seul.org>
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: Re: [tor-talk] Panda antivirus now thinks Tor.exe is a virus
Content-Type: multipart/mixed; boundary="===============6024064303221458779=="


--===============6024064303221458779==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="5mCyUwZo2JvN/JJP"
Content-Disposition: inline


--5mCyUwZo2JvN/JJP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, Jun 16, 2015 at 01:21:56PM -0400, Roger Dingledine wrote:
> The behavior detection aspect is especially vexing here -- many antivirus
> tools have a "Not enough of our users have told us about this exe yet,
> therefore it is scary by default" feature.

There's also the simple fact that "an executable with a Tor client built
in" is more likely than not malicious: a lot of modern malware uses Tor
for C&C.

Things could be worse - though I'm not sure if this happens - if malware
downloaded the legitimate tor.exe on the side.

Have you reached out to AV vendors to see if this issue could be
solved? They might be willing to whitelist the executable.

(FYI, I pinged someone at Panda about this particular issue and they'd
look into it.)

Martijn.


--5mCyUwZo2JvN/JJP--

--===============6024064303221458779==--

