cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Microsoft Defender reporting Trojan:HTML/Phish!pz threat with Firefox

Issue_Report
Making moves

Multiple items quarentined by Microsoft Defender. It is reporting Trajon:HTML/Phish!pz is detected in Firefox cache. Some examples being:
C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\077D332D18D04002F4E4F2029C7BBDBD6075BBD8

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\087BCF7C6435165AD81CEA178C340D8C71CA965E

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0DB91AB2260ACFD2290F3A56BDB862D6F2359779

C:\Users\UserName\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0E79D7DDB0575B34F6E2A2DC0D77F7B91117DABB

258 REPLIES 258

cannabisdoctor
Making moves

I have the same issue! 

Nunes
Making moves

Also have the same issue and noted that it appear after I run the Glarry Utillities software

Same here!! Started when updated Glary to version 6. Every scan i do on Glary, Microsoft Defender, alerts me!

 

What is going on?!

skysong
Making moves

I'm also having this same issue whenever I do a 1-Click Maintenance on Glary Utilities 6. This has me very paranoid. Is it safe to ignore it?

pauld57624msn
Making moves

I am experiencing the same issue, too. It started on December 23 while running 1-click maintenance on Glary Utilities 6. I'm going to leave Firefox closed and use another browser until we get this fixed.

Mrdru
Making moves

I also am experiencing this issue 12/26/23 and I do not have Glary. I have removed about 7 threats through Microsoft Defender after doing a quick scan and then a full scan. All these threats are located in file: C:\Users\name\AppData\Local\Mozilla\Firefox\Profiles\jqcnrc2w.default-release\cache2\entries\xxxxxxxxxxxxxxxxxxxxxxx.

barbarawr
Making moves

Same here - right after running Glary Utilities, except that I was on Chrome.  Windows Defender beeped at me every few seconds but I couldn't get it to quarantine OR remove the threat.  So I ran CCleaner and the beeping stopped.  I ran Windows Defender again and it said there were no threats.  Phew!

 

pixelpadre
Making moves

Im getting the same thing but have not using glarry

nykerk
Making moves

I'm getting it as well.

Moon2000
Making moves

Same problem without Glary since 26.Dec.2023 at 12:21 CEST. When I close Firefox, the ...\cache folder is completed deleted automatically. I checked some of the problematic files at https://www.virustotal.com/gui/home/upload . Result was no suspiction of malware. I also loaded some into an editor and they start with a JIF header.

Nerd3D
Making moves

jotti.org reports no virus in the samples submitted. This is a false positive. Just add the FireFox cache folder to the exclusions list for Defender.

First thing I tried.  Defender still insists on looking in the folder and reporting trojan.  The only thing that worked, for me, was telling Defender the trojan was allowed, and then turning off all Defender notifications.

"Just add the FireFox cache folder to the exclusions list for Defender." - What an "EXCELLENT" suggestion... You didn't really mean to suggest all that to so many people in public, did you? Maybe that false virus will no longer be reported from there, but all the other viruses that are not false will not be reported to the unfortunate people by the virus protection either!

https://c64universe.wordpress.com

pixelpadre
Making moves

I emptied the folder and made it not writeable by desktop user...it worked.

tomhummus
Making moves

Same here after updating iMazing to Version 3

thealwaysultra
Making moves

Same problem, not using iMazing, Glary or any other thing mentioned here. I guess this a false positive. I also have not used my PC for long - completely new build since a couple of days. In my case, this looks like a problem with the Windows Back Up Tool because the "trojan" is located in "ShadowCopy" somewhere, which seems to have something to do with the backup.

Exact same here, I don't have any of those other things mentioned, new PC build, and the message popped up when doing Backup and Restore (Windows 7), and the problem file is within a shadowcopy created by the backup.

Happened once before clearing my cache (all I visited before the message popped up were normal websites), then again with a different random cache file that was apparently created as I reblogged a picture of a cat on Tumblr. So probably a false positive? Clearing the cache and keeping firefox off allowed the backup to complete, but hopefully windows defender puts out some kind of update before I do another backup next week...

So either it's a windows defender false positive, or firefox itself is somehow creating a trojan out of random cache items...? False positive seems more likely...

Also the same for me! First happened on December 30; the Dec 23 backup was still fine. I'm on Firefox Beta channel so if anything changed on that end, I should've gotten it pretty early. Interestingly, the failed backups can still be selected for restores.
The strange thing is, when I run an Advanced Defender scan just on the cache2 folder, it doesn't find anything. It only happens during backup and always within a shadow copy. Removed the affected hex-code cache files in the live file system and deleted all shadow copies (vssadmin), but during next backup run it'll just randomly find yet another "threat" file in the cache2 directory.


Workaround to let the backup run through is to turn off the "Real-time protection" toggle before the backup starts.

"Workaround to let the backup run through is to turn off the "Real-time protection" toggle before the backup starts."

Haven't heard that one, another simple solution ? Scheduled backups must be turned off then.

Easier path (IMHO) with way less impact.

Just exclude the cache directories from being backed up.  I've been running fine in this way for a week or so now.  No failed backups.  No claims of a virus by Defender.  No clearing of cache/cookies.  I'm just not backing up the directory that everyone suggests clearing.

Yes, I was the first here to write down and done that. But it is more work, and you mis the cache from the BU, and it is not known what Windows Restore will do now it is missing folders; a restore point is as thrust worthy as the completeness of the snapshot.

But then, excluding from the BU I think is better, I don't want to let the cache folders  unchecked exact in a time that it is known that Defender has a problem there.

 

Exclude also the cache2 folder from Thunderbird if you use that. And exclude EVERY cache2 folder in every subfolder of the folder named /profiles/ to be sure.

jackb
Making moves

Got a solution. Or at least it works for me. Windows 10 running Firefox 120.0 (64-bit) and Backup and Restore (Windows 7).

I noticed that the file that caused the failure was some variation on C:\Users\UserName\Local\Mozilla\Firefox\Profiles\<user>.default-release\cache2\*

Solution was to configure Firefox to clear the cache upon logonff, (https://support.mozilla.org/en-US/kb/how-clear-firefox-cache) for every user on the PC and then clear the disk shadow copy (https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html). And backup runs just fine because cache2 is no longer there.

This does require that Firefox not be running when backup is run.

RobW
Familiar face

This is good advice.  But, if you use Thunderbird you will still have a problem with backup.  You have to also set TBird to clear cache automatically as well in the General tab.  Once done the problem is solved and backup runs perfectly.  I have Everything software and use it to search cache2 which displays both Mozilla and Thunderbird folders.  Specifically subfolder Entries which is where activity is listed.

I am Windows 10 Pro, AMD processor.

Win 10 go into Control Panel, Recovery, Configure System Restore then Configure and 'delete all restore points for this drive'.  It will not allow you to partially or selectively delete restore points.  After you have set FF and/or Thunderbird to clear cache on closing you can manually create a restore point.

How do you manually create a new restore point? Thanks just want to make sure I’m doing all this correctly 

Control Panel, Recovery, Configure System Restore, Create a restore pint.  Done.

RobW showed you how to make a restore point, but some don't know where the (old) control panel is: in your alphabetical Start menu there's a map/folder called 'System'.

RobW
Familiar face

Mistake.  Ignore this above.

Control Panel can be accessed by typing Control Panel into the Start Search box.  Unfortunately it displays by default in Categories.  In the top right corner is 'view by'.  Click and select either small or large icons and all individual processes will displayed.  Such as Recovery.  XP used to display in this manner bu Microsoft dumbed it down as they like to do.  They assume users are stupid.  I have a Control Panel shortcut set on my taskbar because I am there so often.

I deleted the shadow copy using Method One, as described in https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html

verytiredsysadm
Making moves

So far on my PC these have all been verifiably false positives.  I never take a vendor's word for it when they assure people that the alerts are false positives and their stuff is totally safe -- no crap, that's what a malicious source would say too.  I tell Microsoft Defender to restore the file, then open the file in a programmer's hex editor program (that is, an editor that doesn't run macros out of the file, doesn't assume anything about the file contents, etc).  Then I can look at the file myownself in a safe manner.

  • One of the "infected" files was a public certificate chain in RFC 7468 ("Base64 PEM") format.  Not a credit card stealer executable, Microsoft.
  • The other three reports were all adblocker updates from uBlock Origin.  One of them triggered the Trojan:HTML/Phish!pz alert, which is hilariously wrong.

All four are plain text files, although PEM format isn't really meant to be humanly readable, and the uBlock update/diff format is only slightly readable (and only if you know how to read classic software diff format).

I don't like the idea of specifying the browser cache as excluded from scans, but Microsoft Defender has suddenly started crapping the bed over the last few weeks with just blindingly obvious failures.

Great find!  I was having a similar issue as the others.  If I emptied cache and ran backup, no big deal.  But as soon as FF started running, even with no activity, I'd get the "virus/phish found" that pointed at the FF cache2 directory.  After a lot of searching I stumbled onto this, and with your help, I opted to temporarily disable ublock, flushed my cache, and now my backup is running JUST FINE with no errors or no new false positives. 

Seems to me like maybe there's something that ublock is creating that's causing the false positive.

I don't use ublock and I still have the same issue.

 

NOTHING to do with ublock. It is a false positive from Microsoft Windows Defender, and because it is in a Mozilla product it will take extra long to solve.

The conspiracist in me thinks "hmm, the tech giants suddenly have a problem with ublock stopping their profits, I wonder if this is related". Either way, this answer is most helpful and why I coulnd't find anything in the cache files using other virus checkers (I tend to run F-secure online scanner as a manual backup for this reason)

pixelpadre
Making moves

UBlock.....uh oh.....I  have one of those......

kaiclavier
Making moves

Will confirm I also have uBlock origin. But it's open-source so surely this must just be a random false positive still, right...? (Or possibly an intentional false-positive...??)

dvg
Familiar face

I started having the same problems with Windows Backup and Windows Defender yesterday. I was able to narrow this down (repetable) to a Javascript from Amazon.com. This scrpit is abuout 60Kb in size. Here is the top few lines:

 

/**
* @author sumeet
*/
(function(module) {
if (module.isRegistered)
return;
/** Generic Utility **/
(function(WlpInjectable) {
// TODO - Replace it with underscore library later
var q = 0;
var utility = {
isFunction: function(fn) {
return typeof fn === 'function';
},
isObject: function(n) {
var t = typeof n;
return 'function' === t || 'object' === t && !!n;
},
defer: function(callback) {
setTimeout(callback, 0);