
Microsoft Defender reporting Trojan:HTML/Phish!pz threat with Firefox

Issue_Report
Making moves

Multiple items quarantined by Microsoft Defender. It is reporting Trojan:HTML/Phish!pz is detected in the Firefox cache. Some examples being:
C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\077D332D18D04002F4E4F2029C7BBDBD6075BBD8

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\087BCF7C6435165AD81CEA178C340D8C71CA965E

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0DB91AB2260ACFD2290F3A56BDB862D6F2359779

C:\Users\UserName\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0E79D7DDB0575B34F6E2A2DC0D77F7B91117DABB

258 REPLIES

Windows 10.... No access.

"5. Setting FF to clean out cache on closing eliminates the issue." This was the solution to my backup problem. I haven't been able to complete any backup since Christmas so I'm really happy now. Thank you!

mbgtmari

This really is the easiest way to work around the FF/Defender problem until they resolve it.  I don't understand why FF retains cache entries because having them removed on closing does not hinder internet access when opening FF again. Also, if cache entries were required, I would think FF wouldn't offer the option of clearing them on closing.

I use Thunderbird and have it also clear cache on closing.

Good luck.

RobW
Familiar face

I use uBlock but it makes no difference. Previous to having FF automatically clear the cache, if I cleared it manually and then did a backup, it worked fine. I did not disable uBlock. After having accessed the net (no Amazon or Amex), if I performed a backup it failed to complete. The cache only had a few entries, but the number doesn't seem to matter. Considering my issues did not start until I had processed a recent FF update, I have to assume that the problem lies with FF and the way these web visits are compiled by FF. The same thing happens in Thunderbird.

My computer and my wife's computer have no problem now that FF and TBird automatically clear the cache on closing.

This is the root cause.  FF has caused Windows Defender to view some entries as trojans when they aren't.  All we can do is react to the problem and what we have is a correction by automatically cleaning out cache.  I also question why Mozilla thinks we need these reference points.  To speed up a re-visit?  Really?

BTW when I manually cleared my wife's cache entries there were 1800 entries in the file.  Mine was much smaller.

Sounds plausible! By the way, I also have the error on Windows 11, so it's not Windows 10 only.

Is there a way to escalate the issue to Mozilla? I haven't had a point of contact with Mozilla development regarding bugs and such, but I think the developers there might be able to take a look at this thread?

EDIT: I opened up a bug report on Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1872395

In the past I've attempted to contact Mozilla but it's too difficult and regimented and I gave up.  FF has a field allowing reports to Mozilla so I assume they become aware of issues.  BUT, the problem here is reported by Defender and not in FF so they probably won't know unless one of their people also experience the same issue on their own personal computer.

In the meantime we live with it and in any case I don't see a need to cache visit entries in FF or Tbird for a later revisit.

It dawned on me how TBird gets or has cache2 entries.  If you get an email with a link and open it you are visiting the internet from TBird and the entry is logged in a TBird cache2 file.  How an update from FF may have affected TBird is beyond me.

Thanks, Tom! That is a good idea to ask Mozilla team to take a look at this….

Can you add this to your bug report:

Wanted to point out my issue started after the MSE def. updates on 12/26/2023. Firefox had already been updated on 12/19/2023 to 115.6esr for Win7.

We keep going back to old posts.

I think you will find that this problem became evident after FF updated and you then ran your first backup.  For me, I run a scheduled backup every night (early morning).  I updated FF later in the afternoon of Dec 25th (I do not allow it to automatically update so have to wait for the update notice) and my backup for the morning of the 26th failed.

Another user backs up weekly.  He successfully backed up on Dec 20 and FF updated on the 21st.  His next scheduled backup on Dec 27th failed.


RobW, if you will go back to my original posts you will see that I indicated I run backups nightly at 7pm (for years, for clarification). FF 115.6esr had been updated on my Win7 system since 12/19/2023. I had no issues with backups or trojans until 12/26/2023 at 7pm when my nightly backup ran. What was different is that MSE updated its virus signatures 2 times between 7am and 7pm on 12/26/2023. As for what started occurring on my system at 7:01pm on 12/26/2023, I started getting system restore points created every time an MSE signature was updated and every time a backup would run. This has never happened on my system before. Keep in mind, I am not doing a total system backup; I am only backing up certain hand-picked files and the AppData folder, which includes FF cache2. I did all of the same troubleshooting of running full system scans with 3 different products and also figured out I could bypass the issue by omitting cache2 from my backup. However, doing so does not solve the issue of the system restore points being created for every backup run, which is a major problem for me. I hope this more clearly helps in understanding that this issue may be related to FF version 121 and 115.6esr but really manifested itself when the MSE signatures were updated ..... at least on my system.


You're saying: "However, doing so does not solve the issue of the system restore points being created for every backup being run which is a major problem for me."

Be aware that when a restore point is created while nothing or not much has changed, the restore point is just a relatively small notice in a catalog and takes no disk space.

Surely I am not aware of other consequences in the way YOU run your system.

BarnStormer,

It is TomH who opened that bug report with Mozilla. See if you can add additional information to that report yourself.

dvg
Familiar face

Rob,

As I said, I would like you to be correct in this issue and attribute this weirdness to Firefox. The alternative idea with Amazon CloudFront being the source of infection is very unpleasant to even contemplate…

RobW
Familiar face

The only common thread in all of this is the fact that FF has caused the problem resulting from a recent update. CloudFront is not relevant for me, nor is uBlock, Gary, etc. If I can clear/delete cache2 and Defender has no further issue in performing a backup, there is only one reason remaining for the process to have failed. Defender does not identify any other issue. Also of note is the fact that when I initially had this problem on the 26th I performed a Full Scan after I had cleared cache2 and Defender found nothing. The same for Malwarebytes. BUT, at that time I had not cleared the Thunderbird cache2 and backup still would not complete until I did so.

dvg
Familiar face

Rob,

inspect the affected cache entries and see if they are signed by CloudFront. You’d be surprised to see how many web sites do use CloudFront.
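A way to do the inspection dvg suggests, as an added example (written here, not code from the thread or from Mozilla): a small parser for a Firefox cache2 entry file that pulls out the original URL, the fetch time, the cached response headers, and a SHA-256 of the cached body, and checks the headers for the ones CloudFront adds (Via/X-Cache mentioning cloudfront, X-Amz-Cf-Id, X-Amz-Cf-Pop). It assumes the cache2 on-disk layout as implemented in Firefox's CacheFileMetadata code (body, then 2-byte chunk hashes, then a big-endian metadata header, the key, NUL-separated elements, and a trailing 4-byte metadata offset); the sample entry, the `example.com` URL and the `build_entry` helper are constructed for the demonstration.

```python
"""Read a Firefox cache2 entry and report where it came from (example code).

Entry layout (all integers big-endian):
  [cached body][2-byte hash per 256 KiB body chunk][metadata header]
  [key \0][element key \0 element value \0 ...][uint32: offset of the metadata]
"""
import hashlib
import struct
from datetime import datetime, timezone

CHUNK_SIZE = 256 * 1024
# Header fields: version, fetchCount, lastFetched, lastModified, frecency,
# expirationTime, keySize, flags (flags only from metadata version 2 on).
HEADER_FIELDS = {1: 7, 2: 8, 3: 8}


def parse_entry(blob: bytes) -> dict:
    (meta_off,) = struct.unpack(">I", blob[-4:])
    if meta_off > len(blob) - 4:
        raise ValueError("metadata offset points past end of file")
    body = blob[:meta_off]
    pos = meta_off + 2 * ((meta_off + CHUNK_SIZE - 1) // CHUNK_SIZE)  # skip chunk hashes
    (version,) = struct.unpack(">I", blob[pos:pos + 4])
    n = HEADER_FIELDS.get(version)
    if n is None:
        raise ValueError("unknown cache2 metadata version %d" % version)
    hdr = struct.unpack(">%dI" % n, blob[pos:pos + 4 * n])
    pos += 4 * n
    key = blob[pos:pos + hdr[6]].decode("utf-8", "replace")
    pos += hdr[6] + 1  # the key is NUL-terminated
    parts = blob[pos:-4].split(b"\x00")  # every element string ends in a NUL
    elements = {parts[i].decode("utf-8", "replace"): parts[i + 1].decode("utf-8", "replace")
                for i in range(0, len(parts) - 1, 2)}
    return {"key": key, "url": url_from_key(key), "fetch_count": hdr[1],
            "last_fetched": datetime.fromtimestamp(hdr[2], timezone.utc),
            "body": body, "body_sha256": hashlib.sha256(body).hexdigest(),
            "headers": parse_response_head(elements.get("response-head", "")),
            "elements": elements}


def url_from_key(key: str) -> str:
    """Keys look like 'a,:https://...' or 'O^partitionKey=...,:https://...';
    the part before the ':' is the enhance/origin-attribute prefix."""
    i = key.find(",:")
    if i >= 0:
        return key[i + 2:]
    return key.split(":", 1)[1] if ":" in key else key


def parse_response_head(head: str) -> dict:
    """'HTTP/1.1 200 OK\\r\\nName: value\\r\\n...' -> {'status': ..., 'name': 'value'}"""
    lines = [ln for ln in head.replace("\r\n", "\n").split("\n") if ln]
    headers = {"status": lines[0]} if lines else {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def served_via_cloudfront(headers: dict) -> bool:
    """CloudFront stamps responses with X-Amz-Cf-Id/X-Amz-Cf-Pop and names itself in Via/X-Cache."""
    if "x-amz-cf-id" in headers or "x-amz-cf-pop" in headers:
        return True
    return any("cloudfront" in headers.get(h, "").lower() for h in ("via", "x-cache", "server"))


def entry_filename(key: str) -> str:
    """Firefox names each entry file after the SHA-1 of its key, as uppercase hex."""
    return hashlib.sha1(key.encode("utf-8")).hexdigest().upper()


def build_entry(url, response_head, body, prefix="a,", last_fetched=0):
    """Constructed fixture: assemble an entry in the layout parse_entry expects
    (chunk hashes are left as zeros; this parser does not verify them)."""
    key = prefix + ":" + url
    out = bytearray(body)
    out += b"\x00\x00" * ((len(body) + CHUNK_SIZE - 1) // CHUNK_SIZE)
    out += struct.pack(">8I", 2, 1, last_fetched, last_fetched, 0, 0, len(key), 0)
    out += key.encode() + b"\x00"
    for k, v in (("request-method", "GET"), ("response-head", response_head)):
        out += k.encode() + b"\x00" + v.encode() + b"\x00"
    out += struct.pack(">I", len(body))
    return bytes(out)


# Constructed sample: an HTML page that was served through CloudFront.
SAMPLE_URL = "https://example.com/login"
SAMPLE_HEAD = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               "Via: 1.1 abc123.cloudfront.net (CloudFront)\r\nX-Cache: Hit from cloudfront\r\n")
SAMPLE_ENTRY = build_entry(SAMPLE_URL, SAMPLE_HEAD, b"<html><body>hello</body></html>",
                           last_fetched=1703548800)  # 2023-12-26 00:00:00 UTC


def describe(blob: bytes) -> str:
    """One-line triage summary for an entry file taken from cache2/entries."""
    e = parse_entry(blob)
    return "%s | %s | %s | fetched %s | cloudfront=%s | sha256=%s" % (
        entry_filename(e["key"]), e["url"], e["headers"].get("content-type", "?"),
        e["last_fetched"].strftime("%Y-%m-%d %H:%M:%SZ"),
        served_via_cloudfront(e["headers"]), e["body_sha256"][:16])


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(describe(f.read()))
    print(describe(SAMPLE_ENTRY))
```

Run it as `python cache2_entry.py C:\Users\...\cache2\entries\<hash>` against a copy of the flagged file (Defender will have quarantined the original, so restore or export it to a folder that is excluded from real-time scanning first). The URL tells you which site produced the entry, the fetch time lines up with the timeline being argued about in this thread, and the body hash can be looked up without ever rendering the HTML in a browser.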

RobW
Familiar face

Perhaps but still irrelevant here.  I had no problems until the 26th after processing an FF update. Within minutes of doing that I did my wife's computer as well.  Afterwards our daily backup would not complete.  All daily backups to the 25th had completed on both computers. The rest is history now.

If someone thinks it's a good idea to report this to Mozilla I encourage them to do that.

dvg
Familiar face

What’s your Firefox version now? Let’s compare.

RobW
Familiar face

Firefox 121.0 and Thunderbird 115.6.0.  Both 64 bit.

dvg
Familiar face

Firefox Version 121.0, first offered to Release channel users on December 19, 2023 according to their web site. The very first post in this thread complained about this issue on 12-16-2023. So, if we assume that Firefox was the culprit, then this bug was introduced before 121.0 version was released. That doesn't jibe well with Rob's point on bug being introduced on 12-26-2023.


I have the same 121.0 64-bit version on Windows.

RobW
Familiar face

Perhaps but I was ok until I updated.  My invite to update did not occur prior to the 25th/26th.  I do not allow an automatic update.  So, if the issue existed before that I was not having any problems.  How could that be?  Everything hinges on the update change.  Suggest a more likely culprit.  I'm listening.

dvg
Familiar face

How often do you run your backup? When was the last time you backed up before 12-26-2023?

RobW
Familiar face

I run Backup on a regular schedule.  Every night.  My wife's the same.  I do not allow it to perform an Image backup.

I have daily backups for the last month up to the 25th.  No issues.

dvg
Familiar face

Well, it does look like the update was the culprit in your case, Rob. I back up once a week and my backups ran fine on 12-20 and failed on 12-27.

So, I guess it would be fair to say we still don’t know what the root cause is here.

RobW
Familiar face

I assume you had updated FF prior to the backup attempt on the 27th - ?

dvg
Familiar face

I had Firefox updated automatically to 121.0. I don't know when that happened though. My first failed backup happened on 12-27.

My most recent successful backup completed at 3am on the 25th, and the threat was first detected by Defender at 1am on the 26th for me. I have auto updates on for Firefox, and the log shows it successfully updated to 121.0 at 7am on the 20th. This would seem to indicate that at least in my case the issue was not caused by the 121.0 update but instead by some event occurring between 3am on the 25th and 1am on the 26th.

dvg
Familiar face

That narrows the window down to 25-26th of December… Hmm…

Only in my case though, remember this discussion was started on the 16th. I think the only thing we can say with certainty regarding the timing is that we know this issue has existed since at latest the 16th, and that there doesn't seem to be a clear correlation between the time that people installed the 121.0 update and when they first experienced this issue.

dvg
Familiar face

Yes, I agree with you. We've seen a case on the 16th before FF 121.0 was even released, then in your case 121.0 worked fine for 5 days after being upgraded. The only plausible explanation is that we all got infected at different times as the infection spread. Rob's case can be just a coincidence of upgrading FF and getting infected on the same day.

That does seem like a plausible explanation. Now my question becomes: should this be considered a real threat and if so what should be done?

Is it possible that we might see this same "infection spreading" behavior from a false positive? Would a false positive necessarily start showing up at the same time for everyone?

I don't have the expertise to answer these questions with a useful degree of confidence.

dvg
Familiar face

Those are really good questions!

1. We should assume that this is a real threat until it is proven that it is false positive based on the timeline of how it spread.

2. We do not know what to do about this if this a real infection.

3. A false positive, if caused by a Firefox upgrade, should have started showing up at around the same time after the latest version of Firefox was released, which was not the case here (the first mention on the 16th was before the FF 121 release).

Do you agree with these statements? I do not like where this is going…

1. I agree in general better safe than sorry. I want to be cautious here though not to devolve into fearmongering.

2. Obviously we can't address the root cause, but it seems to me like we don't currently have reason to believe there are any effects beyond interfering with backups, right? Which is annoying but not particularly scary. It seems like if it is a real threat, Defender is working properly and preventing it from doing any damage, no? Can we trust that when Defender says it has quarantined or blocked a threat that it effectively protected us and everything is ok?

3. Could it be an update to defender rather than one to firefox? If so would it be any different? Are defender updates released the same to everyone at the same time?

dvg
Familiar face

If this Phish is stealing the passwords to your banking sites, then who knows about the damage. Right? It manifested itself during the backups because it was being caught by backup snapshots.

I don’t honestly know. Fair enough?

Fair, but it would need to have had the chance to get that info and then to also send it somewhere nefarious. Would defender quarantining/blocking it not have prevented it from doing those things?

dvg
Familiar face

That's how Phish works according to the Microsoft web site. I found a five-page-long list of various HTML Phish sub-variants on the Microsoft site yesterday. Some of them were trying to steal PayPal passwords, for instance. Look it up on Microsoft.

One thing is not mentioned here yet:

Some have the problem in the shadow copy, like me, but I don't get a flag on the normal real-time cache. Others (like the TS "Issue_Report") have Defender flagging the real-time cache, but I don't hear from them about the Windows backup (which they probably don't use).

I am having a similar issue also.

Defender is detecting Trojan:HTML/Phish!pz in files in C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default-release\cache2\entries and quarantining and blocking them. So far, I have not found any evidence of threats outside of this particular folder.

After doing full scans with Microsoft Security Essentials (MSE), Housecall and Stinger, there are no other threats detected. After I run Firefox, the issue is detected again by MSE when running Windows Backup. This behavior has reoccurred consistently, with the threats being detected in the Firefox "cache2\entries" folder again.

Here are the Details:

Win7-64, running Firefox 115.6esr updated on 12/19/2023

Microsoft Security Essentials (MSE) definitions created and installed on 12/26/2023 before Windows Backup started. Security intelligence update version: 1.403.1150.0, released on 12/26/2023 11:16:01 AM & installed on 12/26/2023 07:12 AM

The issue occurred on 12/26/2023 at 7:01PM EST – 1 minute after my daily Windows Backup started.

Omitting "C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default-release\cache2\entries" from the backup selection allows Windows Backup to complete without issue.

I have system restore enabled and now:

  • Every time MSE updates the definitions a restore point is created. Displays as "Time: Windows Update: Critical Update" in the system restore selection window
  • Every time a Windows Backup is run a restore point is created (cache2 omitted from backup). Displays as "Time: Automatic Restore Point: System" in the system restore selection window

The entries in system restore started on 12/26/2023 at 7:00:01PM which is 1 second after the system backup started on 12/26/2023 at 7:00:00PM

I am very concerned knowing that this is causing issues with system restore. Sure seems like Windows Defender or Microsoft Security Essentials (MSE) is at fault when running Windows System Backup.

Can someone with a similar setup check to see if restore points are being created on their system? 

On my system (W10) a restore point has been created every time I have started a backup, also when Defender stopped it. So I too have a few....

Remark: while looking at the restore points, I saw that on December 15th MS did an update and made a restore point: "Installation Program for Windows modules". I mention this only because the first person who posted the problem did so on December 16th.

On my system, restore points had not been created since 06/2023 when I replaced the drive. That is, until 12/26/2023 when Windows Backup was terminated by MSE. So in my case there have been no system updates other than MSE virus defs.

Has your system been creating the restore points since "December 15th MS has done an update" or did it start creating the restore points at a later time when you noticed the backup first failed?