[KTS19] detecting [BraveSoftware][tor-0.3.4.9-win32-brave-0]

bug

#1

Brave version 0.58.16 Chromium: 71.0.3578.98 (Official Build) (64-bit)
Win10x64, 1809
KTS 19.0.0.1088(d)

[KTS19] detecting [BraveSoftware][tor-0.3.4.9-win32-brave-0]
Detection: not-a-virus:NetTool.Win32.TorJok.bag

File: 9-WIN32-BRAVE-0 (12 MB)
SHA256 0373236D29A866642A51117CD61D507EEAD2B1C37707C960C4CB71EAD6DF3C95

Resides: C:\Users\xxxx\AppData\Local\BraveSoftware\Brave-Browser\User Data\cpoalefficncklhjfpglfiplenlpccdb\1.0.3

I have escalated this to Kaspersky Support; this past week they fixed a Brave Installer false positive.


Kaspersky [KTS19(d)] detecting Brave Installer as malware: PDM:Trojan.Win32.Generic
#2

Hmmm:
https://www.virustotal.com/#/file/0373236d29a866642a51117cd61d507eead2b1c37707c960c4cb71ead6df3c95/detection - it seems the object is being detected by quite a few engines :thinking:

If anyone has any comments/info, would be most gratefully received please…

Thanks.


#3

Is there anyone from Brave Support or the Brave Community who’d be kind enough to let me know what the function of [tor-0.3.4.9-win32-brave-0] is, please?


#4

Hi @SNAFU_MIG,
Thanks for reporting.

It’s a known false positive. We’ve heard similar reports before and the team is in contact with the Kaspersky team to whitelist Brave.

I think they detect the Tor that is integrated into Brave for “Private tab with Tor”.

Thanks
:slightly_smiling_face:


#5

Hello Eljuno,
Thanks so much for replying, I was thinking I’d posted in the wrong place.
I do know it’s a false positive and I have logged it with Kaspersky.

Would you be kind enough to advise, please: is [tor-0.3.4.9-win32-brave-0] an executable file?

Thank you,
Cheers.


#6

Hello Brave Support / Brave community,
Could somebody please kindly take a moment to answer the question:

Is [tor-0.3.4.9-win32-brave-0] an executable file?

Many thanks,
Cheers.


#7

Apologies for late response @SNAFU_MIG.

I think Tor will only run if you are using a Private window with Tor. cc @Mattches @sriram for confirmation.


#8

Hello Eljuno,
Thank you for replying; unfortunately I do not understand “Tor will only run if you are using a Private window”, sorry!
As far as I can see, my Brave settings are set to the highest privacy.
The answer to the question “Is [tor-0.3.4.9-win32-brave-0] an executable file?”, from what I can gather from your reply, is yes; however, now that you’ve said “Tor will only run if you are using a Private window”, that poses the next question: how can I verify this?

I’d be very grateful for clarifications and answers, please, if you’d be so kind.
Many thanks & cheers.


#9

@SNAFU_MIG,
What he means is that, with respect to Brave, Tor functionality only initiates (that is, you’re only tunneled through the Tor network) when opening a “Private Window with Tor” in Brave.
You can open this window from the main menu:


#10

Hello Mattches,
Thanks!!! As I’m engaged with K on this issue, and as K have given conflicting information, these clarifications are gold.
I’ve just tested the (Brave)(Tor) window, so that’s good, proves monkeys can learn :grin: ; however, it’s generated a Brave certificate issue: “The certificate chain is not complete”. This is a Brave issue, not Kaspersky.

I’m happy to log a separate [Brave] case if that’s what’s desired. Please let me know.

Regarding Kaspersky continuing to blacklist the Tor object, I’ll post their information here after 13:00 today.

Thanks again,
Cheers.


#11

Hmm, what Kaspersky has written I don’t believe I should write here; suffice to say they appear to have no intention of re-classifying [tor-0.3.4.9-win32-brave-0].
So, utilizing their software, which is where the detection is reported, I deleted [tor-0.3.4.9-win32-brave-0] and then tested Brave Tor; it works without issue.
So my question to Brave Support is:

What is the function of the [tor-0.3.4.9-win32-brave-0] object?

If the Brave Tor Browser works without [tor-0.3.4.9-win32-brave-0], and if it’s continuing to be detected by 7 engines, why have the object [tor-0.3.4.9-win32-brave-0] at all?

Thanks in advance.


#12

Tor is a tool for anonymizing network connections. That means it’s used in tools designed to protect your privacy (like Brave and Tor Browser), and also in malware which wants to hide its command-and-control infrastructure. If these AV vendors are classifying the standard Tor binary as a threat, that’s a false positive, and they should fix it.

Not sure what’s happening when you try to use private windows with Tor after deleting the Tor binary. What happens when you visit https://check.torproject.org after deleting the Tor binary?


#13

Hello Tom,
Thank you, it’s great to get some feedback.
Kaspersky are adamant: object [tor-0.3.4.9-win32-brave-0] will not be categorized (by Kaspersky) as a false positive.
What’s confusing is that there are multiple Brave Forum posts where Brave have advised that Brave are actively pursuing the issue with Kaspersky; those posts go back months, with no resolution, and the issue continues to occur.
I deleted the original [tor-0.3.4.9-win32-brave-0] more than a week ago.
(Private windows with Tor after deleting the Tor binary) :arrow_right: Brave continued to function normally. My question to the Brave experts/community was/is: what’s the point of the object if Brave works without it? Surely, if it has no critical function, logically, I would think, Brave would be keen to get rid of it, due to the detections by Kaspersky and the other AV providers.
I’ve just checked C:\Users\xxxxx\AppData\Local\BraveSoftware\Brave-Browser\User Data\cpoalefficncklhjfpglfiplenlpccdb\1.0.4, and [tor-0.3.4.9-win32-brave-0] is back.
And Kaspersky continues to detect it.
So deleting [tor-0.3.4.9-win32-brave-0] doesn’t work.
Conclusion:
(imo) Brave Technical Support need to address this issue 🤔
Cheers.


#14

If it’s true that Kaspersky have firmly decided that Tor is malware, they are mistaken. That’s not something that they’ve said to us directly yet though — we’re still going through their slow process of submitting a false-positive report. However, if that really is the final answer from them, there’s nothing that we (Brave) can do about it.

The Tor binary in Brave is used when you open a private window with Tor. If you delete the Tor binary, then private windows with Tor won’t work. But everything else will still work — for now. We intend to use Tor to anonymize more of the behind-the-scenes network connections that Tor makes. So in future, more features will rely on the Tor binary.


#15

Kaspersky’s communications with me:

From: Kaspersky Lab Support customerservicesolution@kaspersky.com
Sent: Friday, 4 January 2019 09:31
Subject: Kaspersky Lab Technical Support - ID INC000009990560

The brave file detection cannot be compared to other false positives.
It is a correct detection in which the file is found to contain a powerful and dangerous tool.
The purpose is to highlight that there is a dangerous tool installed.
If it is not installed by the user, then it is recommended to have it removed.

My communications with Kaspersky:

  1. [Brave (new) Private window with Tor] is “installed” automatically for Brave users, as a default: it comes pre-packaged with Brave.
  2. [Brave (new) Private window with Tor] cannot be removed.
  3. Removing the [tor-0.3.4.9-win32-brave-0] object does not work: the object “returns”, and Kaspersky continues to detect it.

Tom,
to confirm I’m on track; referring to the attached image:
a) is this the ONLY way to access [Brave (new) Private window with Tor]? [marked with green dot]
b) the [tor-0.3.4.9-win32-brave-0] object exists (in C:\Users\xxxx\AppData\Local\BraveSoftware\Brave-Browser\User Data\cpoalefficncklhjfpglfiplenlpccdb\1.0.4) without activating [Brave (new) Private window with Tor];
c) [Brave (new) Private window with Tor] works even AFTER [tor-0.3.4.9-win32-brave-0] has been removed.

Re (b & c): if BnPWwT works even when/after the object has been deleted/removed, what is the function/purpose/point of the object [tor-0.3.4.9-win32-brave-0]?

If this specific object is not critical to the function/use of [Brave (new) Private window with Tor] why have it?


#16

Apologies Tom, I missed [What happens when you visit https://check.torproject.org after deleting the Tor binary?]; this is the result:

:slightly_frowning_face:
So, just to rehash: when I access [New private window with Tor] from the Brave browser, I have full access.
Performing the [https://check.torproject.org] check, from the Brave browser and from the Brave [New private window with Tor] browser, results in "Sorry. You are not using Tor." :thinking: