Disable download manager scanning (reports downloads to cloud for many AV systems)
I have found that the latest Tor Browser Bundle (tor-browser-2.3.25-10_en-US.exe), when installed as instructed, uses a default setting of: browser.download.manager.scanWhenDone;true
Which can be found by: opening a tab with "about:config" in Tor Browser and typing 'scan' in the "Search:" field.
The default setting should be set to false, and all Tor Browser Bundles should ship with this setting: browser.download.manager.scanWhenDone;false
Anyone who uses Microsoft Security Essentials or another cloud based AV product, will transmit the filename and hash of EACH downloaded file in the clear to be vacuumed up by the NSA or their own domestic stasi equivalent. If I were a Chinese or Syrian citizen I would soil my pants. (Not that our own governments are better.)
To verify this: Obtain a windows box which uses MSE (with default settings). Install Wireshark. Install the latest Tor Browser Bundle. Start Wireshark and start capturing traffic. Start Tor Browser. Download any file that would trigger MSE, such as https://www.torproject.org/dist/torbrowser/tor-browser-2.3.25-10_en-US.exe Watch MSE transmitting info (filename & hash) about this file to Microsoft.
Note: You can disable cloud scanning in MSE and other similar products, but this is too much to ask of most users. It is better to avoid this problem completely since we know that NSA has installed backdoors into Microsoft networks.
The drawback is that users are, presumably, slightly less protected from viruses by not scanning files when downloaded. But if the user has any decent AV product and updates the definition files regularly, the file would be scanned when used.