grarpamp:
On Mon, Jan 5, 2015 at 2:30 AM, eliaz eliaz@riseup.net wrote:
The antivirus program on a machine running a bridge occasionally reports like so:
Object: https://<some IP address> Infection: URL:Mal [sic] Process: ... \tor.exe
When I track down the addresses I find they are tor nodes (sometimes bridges, sometimes guards, sometimes exits).
Are the flagged nodes in some ways misconfigured, or can I consider these to be false positives? Is there anything to worry about here?
Detail: The tor and standalone vidalia folders have been flagged as exceptions (i.e. excluded) in the virus scanner. The scanner's web module is picking up the IP addresses from the port traffic.
Thanks for any enlightenment - eliaz
Since the internet is known to be an infected wasteland, and exits are known to MITM your streams,
Do you mean my streams in particular or all streams?
I'd suggest either compartmentalizing all your surfing in a disposable VM (which should probably be done anyways), or excluding web traffic from your scanner.
I run in a dedicated low-power box on my LAN, to save electricity. Is that as good as a VM?
I've got VMs on the other machine, which is a power hog & not run continuously.
Additionally, if you are able to isolate and confirm that a specific exit is MITM'ing you (vs the "malware/virus" being on the original clearnet site itself) feel free to post its fingerprint here so that the workers can double check and dirauths can give it the bad exit flag.
I don't know how to confirm that exits are MITMs. I can post the FPs of the ones that show up, though. So far all the alerts lead me to recognizable nodes that show up OK in Atlas, etc.
Unfortunately Tor doesn't have simple logging format that you can watch in real time alongside your scanner. I'm finishing a spec ticket for that soon though.
The alerts appear randomly at intervals of several days. The AV program alert is via a popup, which I can get later by asking the AV to show last popup. I guess I should get up to speed in Wireshark, but it's gonna result in a monster file by the time it catches anything. Thanks for writing up the spec, I'll try to follow the conversation. - eliaz