
flagged, past tense:

https://forum.torproject.org/t/torbrowser-12-5-6-no-longer-f...

"With the latest signature database (1.397.1910.0), tor.exe is no longer considered a trojan by Windows Defender."



Just because the car eventually rolled off the pedestrian, doesn't mean there's no news story.

Reportedly, mass removal of Tor Browser happened, and damage is done: a lot of privacy/security stuff disabled, couldn't be used, some won't be reinstalled, there's extra vulnerability at reinstallation time, etc.

And the demonstration that Microsoft can easily do this is of interest to people who don't want that kind of thing to happen, as well as to people who would like that capability.

Also, this is Microsoft actively removing a competing Web browser (after long ago being put on notice about sneakiness around competing browsers specifically).


Mass removal, but someone aware that it happened can still go in and fetch the EXEs back out of quarantine.

Which would be a good feature request for Defender, make it automatically do that in the event of a legitimate EXE whose detection status changes after it has been quarantined.
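What that feature request could look like as an admin-side script, added here as an illustration and not part of the thread or of Microsoft's tooling: after pulling new definitions it walks Defender's quarantined detections, restores the ones whose file name is on an admin-maintained allowlist, verifies the restored file's SHA-256 against the admin-supplied value, and re-scans it under the new signature version. The `$KnownGoodSha256` table and its placeholder hash are assumptions the admin fills in; the cmdlets and `MpCmdRun.exe` switches used are the standard Defender ones, and the exit-code meaning (0 = nothing found) is assumed from `MpCmdRun.exe` documentation.

```powershell
# Added example (not from the thread): re-check quarantined items after a
# signature update and restore those that are no longer detected.
# Assumes an elevated PowerShell on Windows 10/11 with Microsoft Defender Antivirus.

$KnownGoodSha256 = @{
    # Constructed placeholder: SHA-256 of a vetted tor.exe build, supplied by the admin.
    'tor.exe' = 'PLACEHOLDER_SHA256_OF_VETTED_TOR_EXE'
}
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# 1. Pull the latest definitions and record the version we are now on.
Update-MpSignature -ErrorAction Stop
$sig = (Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Signature version now: $sig"

# 2. Walk detections where Defender's action (quarantine) succeeded.
$detections = Get-MpThreatDetection | Where-Object { $_.ActionSuccess }
foreach ($d in $detections) {
    foreach ($res in $d.Resources) {
        # Resource strings are of the form 'file:_C:\path\to\file.exe'
        if ($res -notmatch '^file:_(.+)$') { continue }
        $path = $Matches[1]
        $name = Split-Path $path -Leaf
        if (-not $KnownGoodSha256.ContainsKey($name)) { continue }

        # 3. Restore from quarantine, then check the restored file's hash
        #    against the admin-supplied value before trusting it at all.
        & $MpCmdRun -Restore -FilePath $path | Out-Null
        if (-not (Test-Path $path)) {
            # Real-time protection may re-quarantine immediately if still detected.
            Write-Warning "Restore did not stick: $path"
            continue
        }
        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        if ($hash -ne $KnownGoodSha256[$name]) {
            Write-Warning "Hash mismatch for $path; not treating it as known-good"
            continue
        }

        # 4. Custom scan of just this file under the new definitions.
        & $MpCmdRun -Scan -ScanType 3 -File $path | Out-Null
        if ($LASTEXITCODE -eq 0) {
            Write-Host "Restored and clean under ${sig}: $path"
        } else {
            Write-Warning "Still detected under ${sig}: $path"
        }
    }
}
```

The hash check is the part that matters: restoring on file name alone would also bring back anything that happened to be called `tor.exe`, so the script only keeps a file whose contents match what the admin vetted, and it still defers to the re-scan rather than adding an exclusion.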


This isn't surprising, frankly. AVs have a history of accidentally removing other software. That a browser that does really sketchy things (ie: things malware does) was flagged is not news, it's just an unfortunate bug.

I see no malice here.


The news here is that Microsoft Defender has revealed that they have no adequate release testing process.

Third-party AVs are a crapfest of dark patterns and false positives and resource hogging, if you install one and it does something bad that's kind of on you.

But Windows Defender is built into the OS and enabled by default.

Tor.exe should certainly be in a list of top 1000 common software packages that any tester would want to ensure don't get flagged and quarantined/deleted in a new virus definitions database. An update candidate that went out to a fraction of a percent of installs or to Microsoft's own employees, scanned without taking action, and posted to a dashboard reviewed by the Defender team that a file called "tor.exe" would be flagged if they continued the rollout would have stopped this. I can think of a dozen ways that a testing process would catch this. The fact that it happens proves there's either a lot of incompetence, or malice that was able to subvert a testing process.


You're acting like it's really easy to avoid these problems. Something like TOR has updates over time. Unless TOR pre-submits every patch to MS before every release, there's no guaranteed way to handle it. And something like TOR can change in all sorts of ways between releases.


Or Microsoft could just poll their extremely easy to access download site (https://archive.torproject.org/tor-package-archive/torbrowse...) every hour or two to detect new versions, and then automatically add them to an exclusion list.


OK and then how long for the signature updates to proliferate to clients? This is not an easy problem. Even with your suggested solution:

1. You are up to 1-2 hours behind on every update

2. If your job fails for whatever reason you're now N hours behind until an engineer fixes it.

3. Are you going to write one of these jobs for literally every good binary?

4. What happens if TOR changes any aspect of how it's packaged? Today it's a tar, tomorrow it could be a zip.


A program that interprets (and sometimes compiles and runs, writing executables into random memory segments and executing them in place) random files fetched from random network locations. You would definitely say it is malware if you didn't know you were looking at a browser. The behavior of browsers and malware really isn't that much different. I guess there really isn't a good way to know a browser binary is safe without manual intervention.


Not even just "software". Back in 2018 when I still used Windows, Defender one day decided to quarantine a single text file generated by my IRC client from a few years ago, containing a plaintext log of one day's posts in a channel. After some binary search I realized it was tripping on a comment containing a URL, which I guess was to some malware. I was very amused.


> really sketchy things (ie: things malware does)

It depends on how they got here, but if they literally had a heuristic to detect use of tor and didn't think about how it would affect tor.exe then that's really bad.


> And the demonstration that Microsoft can easily do this

Pretty much every platform with hash-based antivirus can do this. It's bad, but so is the fact that Tor on iPhone can't use the same browser engine and privacy patches as Android/Desktop does. The average user is far-removed from caring about their OS vendor's power, apparently.


Lack of caring… perhaps because of complexity of the situation. I would say that most users struggle to comprehend the situation and that anything done to protect them is easily marketed as a good thing. Calling it hash-based anti-virus plays well into this idea. Also, these mechanisms probably do more good than harm (at this point) but certainly have the potential for abuse by the platform owner or maligned actors that somehow seize control of it.


Oh please. No. Most users wouldn’t struggle to comprehend the situation if they actually cared to. Most people are reasonably intelligent in areas that they care about. Accept that most people just don’t care about your hobby horse, and that things you see as grossly unjust, or should I say, potentially grossly unjust, just aren’t cared about.


iOS offers this bargain: you don’t get to configure much, but as a result I’ll know where things are and when it “guesses” what it should do, it will usually be right.

Linux offers the opposite: I’ll just do what you want.

Windows has a fun alternative: you can customize things but I’ll also change things, we’ll handle conflicts by rolling the dice.


I love outrage as much as the next edgelord but a) you can turn off Windows Defender if you don’t like it, b) false positives are a fact of any antivirus program, and c) Microsoft corrected it faster than you could even post. You are failing to make it seem like Microsoft acted in bad faith here. Comparing this to running cars over people is hyperbolic.


> you can turn off Windows Defender if you don’t like it

Please tell me how, good sir. Not replace, not turn off temporarily until the next day or the next restart when it turns on again automatically. Tell me, how do I turn off Windows Defender real time protection in a way that I can turn it on when I need it and turn it off when I don't.

As far as I know, it's not possible without 3rd party tools AND in a way that will persist (even after Windows updates).


Even harder is trying to let it scan downloads but not do real-time protection. Every setting I've tried has failed and excluding drives worries me that it might do too much and hasn't consistently solved the performance either. So I still have to flick the whole thing off every once in a while (and it turns itself back on after a few hours, of course).


I had an interesting evening the other day trying to completely prevent Windows Defender from running. In the end I had to change the name of the defender executable as defined in the registry.


I didn't say it was bad faith.

Responding to the call to flag the post, I gave examples of impact, and why it's newsworthy and the post shouldn't be flagged just because Microsoft stopped the behavior after the damage had been done.


I was saying "flagged" (note the italicization of the last three letters) in comparison to the news article's use of "flags". Of course this HN post should not be flagged, and I agree that a disruptive false positive by first-party AV (which Microsoft only corrected after several days) is newsworthy.


Oh, I'm sorry, my bad.


"this is Microsoft actively removing a competing Web browser" is definitely an allegation implying more bad faith than just Windows Defender had a false positive...


I didn't say they intentionally did it. They were put on notice by top legal authorities, so should try not to even accidentally do things like that again.

That's pre-established as major industry and business news, so it's an additional reason not to flag the post.


Sorry, but even the most well-meaning of people will make mistakes, and it's clear this was an accident with no malice. No need to cast irrelevant aspersions just to grind your personal axe.


I think OP was correcting "flags" to "flagged", not saying the post should be flagged. See the italics.


I thought I removed it but it came back. How do you remove it? Asking for a friend.


With Group Policies.


Great unless you happen to be using a Home edition of Windows, which doesn't have the Group Policy Editor.



Thanks for the link, looks interesting.


It is exceptionally difficult to get rid of.

Turning it off is temporary.

If you disable the service it gets re-enabled, if you delete the service it comes back, if you delete the executable it comes back.

What does seem to work is removing all permissions to it in safe mode.



