grarpamp:
> On Mon, Jan 5, 2015 at 2:30 AM, eliaz <el...@riseup.net> wrote:
>> The antivirus program on a machine running a bridge occasionally
>> reports like so:
>>
>> Object: https://<some IP address>
>> Infection: URL:Mal [sic]
>> Process: ... \tor.exe
>>
>> When I track down the addresses I find they are tor nodes (sometimes
>> bridges, sometimes guards, sometimes exits).
>>
>> Are the flagged nodes in some ways misconfigured, or can I consider
>> these to be false positives? Is there anything to worry about here?
>>
>> Detail: The tor and standalone vidalia folders have been flagged as
>> exceptions (i.e. excluded) in the virus scanner. The scanner's web
>> module is picking up the IP addresses from the port traffic.
>>
>> Thanks for any enlightenment - eliaz
>
> Since the internet is known to be an infected wasteland,
> and exits are known to MITM your streams,

Do you mean my streams in particular or all streams?

> I'd suggest
> either compartmentalizing all your surfing in a disposable
> VM (which should probably be done anyways), or excluding
> web traffic from your scanner.

I run in a dedicated low-power box on my LAN, to save electricity. Is that as good as a VM? I've got VMs on the other machine, which is a power hog & not run continuously.

> Additionally, if you are able to isolate and confirm that
> a specific exit is MITM'ing you (vs the "malware/virus" being
> on the original clearnet site itself) feel free to post its fingerprint
> here so that the workers can double check and dirauths can
> give it the bad exit flag.

I don't know how to confirm that exits are MITMs. I can post the FPs of the ones that show up, though. So far all the alerts lead me to recognizable nodes that show up OK in Atlas, etc.

> Unfortunately Tor doesn't have simple logging format
> that you can watch in real time alongside your scanner.
> I'm finishing a spec ticket for that soon though.

The alerts appear randomly at intervals of several days. The AV program alert is via a popup, which I can get later by asking the AV to show last popup. I guess I should get up to speed in wireshark, but it's gonna result in a monster file by the time it catches anything.

Thanks for writing up the spec, I'll try to follow the conversation. - eliaz

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
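The thread's practical question is whether an address the scanner flags is simply another Tor relay that the bridge is talking to. The following Python script is an added example, not code from this thread or from the Tor project: it parses relay entries in the format of Tor's cached network-status consensus ("r" lines followed by their "s" flag lines) and reports what is known about a flagged address. The consensus text, nicknames, identities (all-"A" and all-"Q" placeholders) and addresses below are constructed sample data; on a real relay you would feed it the contents of Tor's cached consensus file instead.

```python
import base64
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout of a Tor consensus document:
# "r nickname identity [digest] date time ip orport dirport" followed by
# "s <flags>". Identities are placeholders, not real relay keys.
SAMPLE_CONSENSUS = """\
r exampleExit AAAAAAAAAAAAAAAAAAAAAAAAAAA 2015-01-05 01:23:45 198.51.100.10 9001 9030
s Exit Fast Running Stable Valid
r exampleGuard QQQQQQQQQQQQQQQQQQQQQQQQQQQ 2015-01-05 02:00:00 203.0.113.7 443 0
s Fast Guard Running Stable Valid
"""


@dataclass
class Relay:
    nickname: str
    fingerprint: str          # 40 uppercase hex chars, as Atlas/Metrics shows it
    address: str
    or_port: int
    flags: List[str] = field(default_factory=list)


def identity_to_fingerprint(identity_b64: str) -> str:
    """Consensus identities are unpadded base64 of the 20-byte SHA-1 key digest."""
    padded = identity_b64 + "=" * (-len(identity_b64) % 4)
    return base64.b64decode(padded).hex().upper()


def parse_consensus(text: str) -> List[Relay]:
    """Collect relays from r/s lines; tolerates both full and microdesc layouts,
    since ip, ORPort and DirPort are always the last three fields of an r line."""
    relays: List[Relay] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 8:
            relays.append(Relay(nickname=parts[1],
                                fingerprint=identity_to_fingerprint(parts[2]),
                                address=parts[-3],
                                or_port=int(parts[-2])))
        elif parts[0] == "s" and relays:
            relays[-1].flags = parts[1:]
    return relays


def lookup(address: str, relays: List[Relay], port: Optional[int] = None) -> List[Relay]:
    """Relays listening on the flagged address (and ORPort, if the scanner gave one)."""
    return [r for r in relays
            if r.address == address and (port is None or r.or_port == port)]


def classify(address: str, relays: List[Relay], port: Optional[int] = None) -> str:
    """Human-readable verdict for one flagged address. A match only shows the
    peer is a published relay (expected traffic for a bridge); it is not
    evidence for or against tampering by that relay."""
    hits = lookup(address, relays, port)
    if not hits:
        return f"{address}: not a published relay in this consensus"
    roles = ", ".join(f"{r.nickname} {r.fingerprint} [{' '.join(r.flags)}]" for r in hits)
    return f"{address}: published relay(s): {roles}"


if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    # Addresses below are constructed, standing in for what the AV popup reported.
    for flagged in ("198.51.100.10", "203.0.113.7", "192.0.2.55"):
        print(classify(flagged, relays))
```

A relay address that is in the consensus is the normal peer traffic of a running bridge, and the fingerprint the script prints is the value one would quote on the list when asking others to look at a specific relay. Whether a particular exit is actually altering content is a separate question that this lookup does not answer.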