Norton Anti-Virus detects tor-0.3.5.8-win32-brave-1 as a trojan horse

Description of the issue:
Norton Security Antivirus will flag the latest tor executable in Brave 1.4.95 as a trojan horse virus. It will delete it too. However, tor still works inside brave.
How can this issue be reproduced?

  1. Update to the latest version of Brave
  2. Have Norton Security AV
  3. Norton will delete the file telling the user it was removed because it contained a Trojan Horse.

Expected result:
The executable should not be flagged as a virus (unless it is?)

Brave Version( check About Brave):
1.4.95
Additional Information:
This is the report from Norton:

Filename: tor-0.3.5.8-win32-brave-1
Threat name: Trojan Horse
Full Path: C:\Users\jedi\AppData\Local\BraveSoftware\Brave-Browser\User Data\cpoalefficncklhjfpglfiplenlpccdb\1.0.9\tor-0.3.5.8-win32-brave-1

____________________________

____________________________


On computers as of 
03/03/2020 at 17:55:36

Last Used 
03/03/2020 at 17:57:38

Startup Item 
No

Launched 
No

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.


____________________________


tor-0.3.5.8-win32-brave-1 Threat name: Trojan Horse
Locate


Very Few Users
Fewer than 5 users in the Norton Community have used this file.

Very New
This file was released less than 1 week  ago.

High
This file risk is high.


____________________________


Source: External Media

Source File:
tor-0.3.5.8-win32-brave-1

____________________________

File Actions

File: C:\Users\jedi\AppData\Local\BraveSoftware\Brave-Browser\User Data\cpoalefficncklhjfpglfiplenlpccdb\1.0.9\ tor-0.3.5.8-win32-brave-1 Removed
____________________________


File Thumbprint - SHA:
e6cca452474b22bb1a8c45ffe6a1f77ce517fed964d18cd69eb019f411aed6d4
File Thumbprint - MD5:
6a548814813319e6a43ec0786208eb4e
1 Like

I can confirm the above problem. Just had exactly the same report today ( March 4th 2020) from my Norton Internet Security. version 22.20.1.69. That is: tor-0.3.5.8-win32-brave-1 flagged as Trojan and removed.

Filename: tor-0.3.5.8-win32-brave-1
Threat name: Trojan HorseFull Path: C:\Users\John\AppData\Local\BraveSoftware\Brave-Browser\User Data\cpoalefficncklhjfpglfiplenlpccdb\1.0.9\tor-0.3.5.8-win32-brave-1



On computers as of
04/03/2020 at 12:13:33

Last Used
04/03/2020 at 12:15:33

Startup Item
No

Launched
No

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.


tor-0.3.5.8-win32-brave-1 Threat name: Trojan Horse
Locate

Very Few Users
Fewer than 5 users in the Norton Community have used this file.

Very New
This file was released less than 1 week ago.

High
This file risk is high.


Source: External Media

Source File:
tor-0.3.5.8-win32-brave-1


File Actions

File: C:\Users\John\AppData\Local\BraveSoftware\Brave-Browser\User Data\cpoalefficncklhjfpglfiplenlpccdb\1.0.9\ tor-0.3.5.8-win32-brave-1 Removed


File Thumbprint - SHA:
e6cca452474b22bb1a8c45ffe6a1f77ce517fed964d18cd69eb019f411aed6d4
File Thumbprint - MD5:
6a548814813319e6a43ec0786208eb4e

Symantec Endpoint Protection also detected this problem. Any concerns with this.

Same here

I had a user report this to my office yesterday. I told the guy it was just a false positive, but left it as it is for now incase I need to restore the file from quarantine.

Dell Latitude 5280, W10 x64. SEP v14.2

Likewise, Symantec on my work laptop is flagging this file and I can’t open Brave, which more importantly means I can’t get my bookmarks, really causing issues because I depend on a lot of those links.

TrendMicro

Threat Name: PUA.Win32.TorTool.A
Infected File: C:\Users\xxxxxx\A….5.8-win32-brave-1
Response: Removed
Detected By: Real Time Scan

Hello all,
It’s likely false positive. In the past we received a similar reports from other AV. If you can, you can “whitelist” it for now.

cc @Mattches @asad on this

1 Like

Same here but with Windows Defender. It identified Brave as Trojan: Win32/Skeeyah!MTB

Currently seeing this with Windows Defender as well: Win32/Skeeyah!MTB

It’s being flagged as a PUA, potentially unwanted application, for the most part and anything else is a false positive and probably needs a signature update for the checker:

Related thread:
https://community.brave.com/t/invalid-digital-signature-for-tor-0-3-5-8-win32-brave-0/104764

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.