Thanks @anonymous172 for bringing this up and @SkewedZeppelin for pinging me. I have forwarded the information to the devs.
It would not be the first time we receive false positive reports, but we’ll check in any case.
I have on a previous occasion contacted some antivirus editor (I think it was Symantec), but was ignored. If any of you have suggestions on how to better handle this, I’m all ears.
I made a submission to VirusTotal before SkewedZeppelin and the link is the same.
Only the installer version causes this.
@SkewedZeppelin Thanks for analyzing the files, publishing the links and reporting the problem on github.
I avoided sending the DLL file for analysis to avoid putting myself at risk.
I’ve tested it a few times and the warning is triggered as soon as the executable is opened.
I hope it’s a false positive. Otherwise, if it dumps other files on the system, I remain at risk.
The thing about VirusTotal is that the infected DLL doesn’t appear in its analysis. This motivated me to open mullvad-browser-windows-x86_64-install-13.5a6 again to confirm the suspicion that it is the source, rather than another program.
The DLL seems to be obfuscated and recognizes the VirusTotal analysis, or something else. I’m a layman, so forgive me for not being able to help more.
Thank you all for your attention to the event. You guys are amazing!
I ask moderation to close this thread as soon as a solution is found. I don’t know if anonymous mode can do that after a long time.
It is. Generally, when you see a VirusTotal result with 1 result from an obscure scanner and the reason being “heuristics” or “ML”, it’s often a false positive.
It can happen for a variety of reasons, for example if the dev uses UPX to compress the binary, because it was common for malware to also do that.
Hi, richard from the Tor Project and Blueprint for Freespeech here (Tor Applications Team lead and maintainer of Ricochet-Refresh)!
Ricochet-Refresh, Mullvad Browser, and Tor Browser all make use of the NSIS installer cross-compiled with mingw clang on Linux, which probably explains why they’re all appearing in the same anti-virus bucket here. Each of our releases is signed with our respective build signing keys, so be sure to check that if you’re unsure of the origin of your binaries!
I assume you’re well aware of your threat model, but for any user who could be put at risk reading this, I would recommend them to stick to stable versions of software in general.
@richard @ruihildt: Could you pls sign all executable and script files (exe, DLL, JS, …) of Tor Browser (and Mullvad Browser) on Windows, not just the installer?
It’s good security practice to sign all files, and it lowers false positive rates of AV solutions and Microsoft’s ISG. It’s a pain to deal with unsigned files for users who use WDAC, because you need to temporarily disable WDAC enforcement while updating the browser and update the WDAC policy afterwards, which brings additional maintenance effort and weakens security, or have a separate device for updating and signing it yourself, which is usually only done in enterprise environments. WDAC is one of the main security mechanisms for people with higher security requirements on Windows.
Additionally, it would be beneficial to put everything inside an MSIX package. It keeps the filesystem clean and makes sure everything is signed. See Firefox on the MS Store as an example.
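Two points raised in this thread can be checked locally before deciding whether a detection is a false positive: richard’s advice to verify the release signature of a downloaded installer, and ruihildt’s observation that unsigned exe/DLL files inside the installed browser are what force WDAC users to relax their policy during updates. The script below is an added example written for this post; it is not code from the thread, from Tor Project or from Mullvad. It audits a browser install directory with `Get-AuthenticodeSignature`, reports every PE file whose signature status is not `Valid`, and checks the installer’s Authenticode status plus, when `gpg` is present and a detached `.asc` file sits next to the download, the OpenPGP signature. The `$Root` and `$Installer` paths are placeholders, and the script assumes the project’s build signing key has already been imported into gpg and its fingerprint compared against the one published by the project.

```powershell
# Added example (not from the thread, Tor Project or Mullvad): audit a browser
# install directory for unsigned or invalid Authenticode signatures, which is the
# condition that forces WDAC users to loosen policy during updates, and check the
# installer's signatures. $Root and $Installer are placeholder paths.

param(
    [string]$Root      = "$env:LOCALAPPDATA\Mullvad Browser",                                         # placeholder
    [string]$Installer = "$env:USERPROFILE\Downloads\mullvad-browser-windows-x86_64-install.exe"      # placeholder
)

function Get-SignatureReport {
    # Returns one object per .exe/.dll under $Path with its Authenticode status and signer.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '' }
                Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
            }
        }
}

# 1. The installer: Authenticode status and signer, then the detached OpenPGP
#    signature the projects publish next to the download (if gpg is installed).
if (Test-Path $Installer) {
    $s = Get-AuthenticodeSignature -FilePath $Installer
    "{0}: {1} ({2})" -f (Split-Path $Installer -Leaf), $s.Status, $s.SignerCertificate.Subject
    if ((Get-Command gpg -ErrorAction SilentlyContinue) -and (Test-Path "$Installer.asc")) {
        # Assumes the build signing key is already imported and its fingerprint was
        # compared out-of-band with the one published by the project.
        & gpg --verify "$Installer.asc" $Installer
        "gpg --verify exit code: $LASTEXITCODE (0 = good signature from an imported key)"
    }
}

# 2. The installed files: everything a signature-based WDAC rule could not allow,
#    first summarised by status, then listed in full.
$report = Get-SignatureReport -Path $Root
$report | Group-Object Status | ForEach-Object { "{0,-14} {1,5} file(s)" -f $_.Name, $_.Count }
$report | Where-Object Status -ne 'Valid' | Sort-Object File | Format-Table File, Status -AutoSize
```

Run it from a normal PowerShell prompt after installing a release; a clean result shows every file as `Valid` with the same signer, while a long `NotSigned` list is exactly the set of files a WDAC policy would have to allow by hash rather than by publisher, which is the maintenance burden described above. A `HashMismatch` on a file that shipped signed is worth investigating rather than ignoring.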