Microsoft Defender reporting Trojan:HTML/Phish!pz threat with Firefox

Issue_Report
Making moves

Multiple items quarantined by Microsoft Defender. It is reporting Trojan:HTML/Phish!pz is detected in Firefox cache. Some examples being:
C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\077D332D18D04002F4E4F2029C7BBDBD6075BBD8

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\087BCF7C6435165AD81CEA178C340D8C71CA965E

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0DB91AB2260ACFD2290F3A56BDB862D6F2359779

C:\Users\UserName\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0E79D7DDB0575B34F6E2A2DC0D77F7B91117DABB

258 REPLIES 258

Both. Windows made a restore point just before (because of) the update, and after that, Windows made a few just because it always does, and then after my weekly BU program schedule kicked in yesterday Dec 29th, and I retried 6 times to make that BU, it made a restore point before each of the 6 times.

I too retried the backup numerous times and each time a restore point was created.

Can you try manually updating your virus defs. and see if it creates a restore point?

My definition files were (auto) updated at 15:01 GMT (today), and no restore point was created. Manual updating resulted in nothing new.

MrGreg
Making moves

I'm also running Firefox 121.0 and Thunderbird 115.6.0. Both 64 bit.

Keeping them updated seems to be a good idea.

I just did this to my MECH-17, and the failure-to-complete-backup problem seems to be fixed.  Will try the same fix on the old COMPAL NBLB3.

Thanks to you all.

greg

p4ppy
Making moves

Are you using any kind of adblocker software or the add-on extensions from Firefox?

 

bballer
Making moves

I am having this same issue.

Defender is detecting Trojan:HTML/Phish!pz in files in C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\73ivohp8.default-release\cache2\entries and quarantining and blocking them. I have not found any evidence of threats outside of this particular folder.

After doing both full online and offline scans with Defender, there are no further threats detected until I use Firefox again, at which time the issue happens again. This behavior has reoccurred consistently with the same threats detected again soon after using Firefox again.

Since others here mentioned cloudfront, I searched some of the quarantined cache files and found this line "x-cache: Miss from cloudfront" in all of them.

Same as others here have said, I really hope this is a false positive caused by firefox and this is just a coincidence because cloudfront is so widely used and not an actual threat spreading through cloudfront.

dvg
Familiar face

Thanks, bballer! The plot thickens. CloudFront in each of the affected cache entries... Let's hope for the best. Hopefully this is some sort of Firefox bug. The alternative is scary...

Flinx
Making moves

I have Firefox 121; problem started 12-25-2023.

erikdenhouter
Making moves

Same problem.

None of the mentioned programs in earlier comments are on my system, so I wanted to check for that line, "x-cache: Miss from cloudfront". But I can't find any files in quarantine. When I filter on them there's nothing.

I have opened the files with the same names in the real time cache, and they are associated with sites I visit. Some of these files get refreshed every minute, like a weather page. And Defender finds nothing in the real time cache.

 

Only the fat parts vary per Defender alert, and I only get them making a backup:

file: \Device\HarddiskVolumeShadowCopy23\Users\username\AppData\Local\Mozilla\Firefox\Profiles\vk8k2xhg.default\cache2\entries\1254CDECF65EA9AB63367A13E628BD4DFE81BC7B

Erik,

We know that the files in the Mozilla cache are being constantly written and deleted. They are transient as the cache should be. Now, the same files would get stuck in the shadow copies since shadow copies are snapshots. You can copy those affected files out of your shadow copies and examine them. This way even if the file has been injected to your Mozilla cache and later deleted out of the cache, an intact copy of the original file is stuck in a shadow copy, as it was injected into your system. You can examine those files once they were copied out of the shadow copy.

Thanks, so no quarantine.

I usually make no other use of the backup, how do I enter such a shadow copy?

Is that by putting files back in the context menu?

I had Nirsoft ShadowCopyView tool installed on my Windows system. I used it to access a shadow copy and copy the files out of it.

https://www.nirsoft.net/utils/shadow_copy_view.html 

 

OK, I tried it via the context menu, and "Put back files..." (or similar entry), and found the file where Defender barked upon, opened it with notepad, but no 'cloudfront' found.

Tried another file from another bark to be sure, same result.

If those are the text files, can you copy and paste one of those files here? Not that I will be able to tell you much about the contents, but at least we all can take a look.

Knock yourself out, this is the smallest:

O^partitionKey=%28https%2Cbuienradar.nl%29,a,:https://image-lite.buienradar.nl/3.0/metadata/RadarMapRain5mNL?history=12&forecast=0&skip=0&ak=3c4a3... strongly-framed 1 security-info request-method GET request-Accept-Encoding gzip, deflate, br response-head HTTP/2 200
content-type: application/json; charset=utf-8
server: Kestrel
content-encoding: gzip
content-length: 293
cache-control: public, max-age=18
date: Fri, 29 Dec 2023 22:30:58 GMT
vary: Accept-Encoding
strict-transport-security: max-age=15768000
access-control-max-age: 86400
access-control-allow-credentials: false
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept-Encoding
access-control-allow-methods: GET,POST,PUT,OPTIONS
access-control-allow-origin: *
X-Firefox-Spdy: h2
original-response-headers content-type: application/json; charset=utf-8
server: Kestrel
content-encoding: gzip
content-length: 293
cache-control: public, max-age=18
date: Fri, 29 Dec 2023 22:30:58 GMT
vary: Accept-Encoding
strict-transport-security: max-age=15768000
access-control-max-age: 86400
access-control-allow-credentials: false
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept-Encoding
access-control-allow-methods: GET,POST,PUT,OPTIONS
access-control-allow-origin: *
set-cookie: akaalb_image_buienradar=~op=~rv=30~m=~os=~id=6b0bfdc3a7ab45cf44a31454f1201883; path=/; HttpOnly; Secure; SameSite=None
X-Firefox-Spdy: h2
ctid 1 net-response-time-onstart 25 net-response-time-onstop 49 %

And this file was flagged by Defender, right? You are correct, there is no mention of CloudFront.

RobW
Familiar face

All of you are forgetting this issue also occurs in Thunderbird. If cache2 is manually deleted in FF, backup still fails if TBird cache2 is not also cleared. Defender reports a TBird trojan location. uBlock for example is irrelevant to TBird. Also, I had the same failure after I deleted recovery/restore shadow copies but before the system could set a new restore point. Reason - TBird cache 2 was not cleared. It appears Windows will automatically set a restore point if all restore points have been deleted. I have no idea what the common thread is that gets logged in cache2 for both FF and TBird but I do know that for me and my wife's computer, the problem did not exist until the 26th at which time our scheduled daily backup failed. Maybe coincidental but we had upgraded FF prior to that happening which was after our backups of the 25th were successful. Since electing to have FF and TBird clear the cache when closing we have no problem. FF and TBird are/were both placing entries in cache 2 that Defender 'thinks' is a trojan. In my system Defender says it cannot remove the trojan from either cache file. I have tried to paste the Windows/Defender antivirus report page but this site will not allow it. It says I do not have permission to upload images.

Jerryg50
Making moves

 

Microsoft Defender is reporting Trojan:HTML/Phish!pz is detected in Firefox cache.

Folder:
C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries

Example of Cache File:
\077D332D18D04002F4E4F2029C7BBDBD6075BBD8

After deleting this cache file, scanning the complete system and also using Off Line Scanning had no viruses found. I also ran MRT ( MS Windows Malicious Software Removal Tool).

How I found this was when doing Windows Backup, I was getting failures. When investigating I found Defender was reporting Trojan:HTML/Phish!pz. After closing Firefox and deleting the displayed cache file I was able to do the backup successfully.

After using Firefox again another cache file with a different set of codes showed up, and if the FF cache was scanned again I would get the malicious file warning again.

I saw in a posting the person removed uBlock and this issue disappeared for him. After removing it, so far I did not see this issue return.  I keep manually scanning  the entries folder and so-far no incidence.

I hope the author of uBlock becomes aware of this and fixes his software, if this is the case.

I am using Adblock Plus now.

--
From Google Search:

A false positive is another way of saying mistake. As applied to the field of anti-malware programs, a false positive occurs when the program mistakenly flags an innocent file as being infected.

The file detected by Defender may not be a genuine threat even though it was reported by Microsoft as one. These kinds of files are known as False Positives. One explanation for a false positive is that Microsoft Windows Defender may not have enough information about the file to determine that it is safe.

 

I don't run uBlock, I run AdBlockPlus, still have this problem.

I am puzzled. I am using Adblock Plus and no longer having this issue.  I removed uBlock and it went away.  I am very puzzled with this...

 

More differences: you report the virus is found in

C:\Users\UserName\AppData\ etc....

For me and some others it is in (as Defender shows)

file: \Device\HarddiskVolumeShadowCopy23\Users\username\AppData\ etc...

Same path, but for us it is in the shadowcopy, the Windows backup. And it ONLY hits while making a backup while Firefox is running and using its cache, not while using only Firefox. The backup is aborted then. When you start the backup again, the fatty number in my path, as the filename, vary per Defender alert.

Erik,

No, I am not reporting the different path. This happens in my backup shadow copies just like in yours. Perhaps, that c: drive location is coming from how ShadowCopyView tool reports the same shadow copy.

I am not sure I understand your last sentence about some fatty numbers…

Ah, you are viewing through that third party viewer, good one. I report what Defender shows.

Sorry, the correct English term is Bold 😅

file: \Device\HarddiskVolumeShadowCopy23\Users\username\AppData\Local\Mozilla\Firefox\Profiles\vk8k2xhg.default\cache2\entries\1254CDECF65EA9AB63367A13E628BD4DFE81BC7B

So the bold parts vary per Defender alert.

Erik,

I think this is a great idea to check if we can run our backups with the shadow copies when Firefox is not running and not actively using cache. Perhaps, there is some weird new interaction, which didn’t get flagged before, between backups and cache if it is actively being used.

I typically used Firefox while running those  backups….

Flinx
Making moves

My backup runs at 22:00 with everything closed. Running backup now with Firefox open but cache cleared.

@dvg

I tried with FF + TB closed, no luck. I tried with FF+TB closed, and the large FF cache cleared, no luck.

Did you delete the shadow copies?

No, why should I, as far as I know (...) there's nothing bad in there, some stated that the flagged files are exact as in the real time cache.

For now I think we should wait until we know more.

My experience is the backup will fail if there is an "infected" file in it. Even if the offending file is cleared from the computer.

Backup completed, nothing stopped it.

Flinx
Making moves

Backup failed again last night, fails on one single file in cache.

Scanning that file shows nothing. Scanning the file pulled from the shadow copy shows nothing.

Contents of offending file:

'use strict'

class DisplayMode {
    constructor() {
        this.mode = 'night';
        this.fontStyle = 'sans';
        this.fontSize = 'default';
        this.allowCookies = false;
        this.cookies = {};
        this.ariaText = {
            'day': 'Toggle Display Mode - Day Mode selected',
            'night': 'Toggle Display Mode - Night Mode selected',
            'serif': 'Font Style Serif',
            'sans': 'Font Style Sans Serif',
            'default': 'Default Font Size',
            'large': 'Large Font Size',
            'serif-sel': 'Font Style Serif - Selected',
            'sans-sel': 'Font Style Sans Serif - Selected',
            'default-sel': 'Default Font Size - Selected',
            'large-sel': 'Large Font Size - Selected',
        };

        this.guessSettings();
        this.loadCookies();
        this.loadSettings();
    }

    bindButton( className, action ) {
        Array.from( document.getElementsByClassName( className ) )
            .forEach((x) => {
            x.addEventListener('click', () => {
                action( this );
            });
        });
    }

    guessSettings() {
        if( document.body.classList.contains('theme-night') ) {
            this.mode = 'night';
        } else {
            this.mode = 'day';
        }
        if( document.body.classList.contains('font-serif') ) {
            this.fontStyle = 'serif';
            this.setSelectedButton('btn-serif', 'btn-sans-serif');
            this.updateAriaText('font-sans-status', 'sans');
            this.updateAriaText('font-serif-status', 'serif-sel');
        } else {
            this.fontStyle = 'sans';
        }
        if( document.body.classList.contains('font-large') ) {
            this.fontSize = 'large';
            this.setSelectedButton('btn-font-large', 'btn-font-default');
            this.updateAriaText('font-default-status', 'default');
            this.updateAriaText('font-large-status', 'large-sel');
        } else {
            this.fontSize = 'default';
        }
    }

    loadCookies() {
        this.cookies = {};
        let cookieList = document.cookie.split(';');
        for( let cookie of cookieList ) {
            let cookieChunks = cookie.split('=');
            this.cookies[cookieChunks[0].trim()] = cookieChunks[1];
        }
    }

    loadSettings() {
        if( 'cookies' in this.cookies ) {
            // Find out if we can store extra cookies.
            this.allowCookies = (this.cookies['cookies'] == 'allow');
        }
        
        if( 'displayMode' in this.cookies ) {
            this.setMode( this.cookies['displayMode'], false );
        }

        if( 'fontStyle' in this.cookies ) {
            this.setFontStyle( this.cookies['fontStyle'], false );
        }

        if( 'fontSize' in this.cookies ) {
            this.setFontSize( this.cookies['fontSize'], false );
        }
    }

    setMode( mode, saveChange=true ) {
        if( this.mode == mode )
            return;

        let oldMode = this.mode;
        this.mode = mode;
        this.updateAriaText('display-mode-status', this.mode );
        document.body.classList.remove( 'theme-' + oldMode );
        document.body.classList.add( 'theme-' + mode );
        if( saveChange ) {
            this.setCookie('displayMode', mode);
        }
    }

    setFontStyle( style, saveChange=true ) {
        if( this.fontStyle == style )
            return;

        this.fontStyle = style;
        // TODO: Aria text update here
        if( this.fontStyle == 'serif' ) {
            document.body.classList.add('font-serif');
            this.setSelectedButton('btn-serif', 'btn-sans-serif');
            this.updateAriaText('font-sans-status', 'sans');
            this.updateAriaText('font-serif-status', 'serif-sel');
        } else {
            document.body.classList.remove('font-serif');
            this.setSelectedButton('btn-sans-serif', 'btn-serif');
            this.updateAriaText('font-sans-status', 'sans-sel');
            this.updateAriaText('font-serif-status', 'serif');
        }
        if( saveChange ) {
            this.setCookie('fontStyle', style );
        }
    }
    
    setFontSize( size, saveChange=true ) {
        if( this.fontSize == size )
            return;

        this.fontSize = size;
        // TODO: Aria text update here
        if( this.fontSize == 'large' ) {
            document.body.classList.add('font-large');
            this.setSelectedButton('btn-font-large', 'btn-font-default');
            this.updateAriaText('font-default-status', 'default');
            this.updateAriaText('font-large-status', 'large-sel');
        } else {
            document.body.classList.remove('font-large');
            this.setSelectedButton('btn-font-default', 'btn-font-large');
            this.updateAriaText('font-default-status', 'default-sel');
            this.updateAriaText('font-large-status', 'large');
        }
        if( saveChange ) {
            this.setCookie('fontSize', size );
        }
    }

    updateAriaText( cssClass, textId ) {
        Array.from( document.getElementsByClassName( cssClass ) ).
            forEach((x) =>{
                x.textContent = this.ariaText[textId];
        });
    }

    cycleMode() {
        switch( this.mode ) {
            case 'day':
                this.setMode('night');
                break;

            case 'night':
                this.setMode('day');
                break;
        }
    }

    validateMode( mode ) {
        if( mode == 'day' || mode == 'night' )
            return true;
        return false;
    }

    setCookie( name, value ) {
        // Don't save the cookie if we're not allowed. Is this a required
        // cookie? I don't know.
        //if( this.allowCookies == false )
        //    return;

        document.cookie = name + '=' + value + '; Max-Age=2592000; Path=/';
    }

    setSelectedButton( selectedClass, deselectedClass ) {
        Array.from( document.getElementsByClassName( selectedClass ) ).
            forEach((x) =>{ x.classList.add('selected'); });
        Array.from( document.getElementsByClassName( deselectedClass ) ).
            forEach((x) =>{ x.classList.remove('selected'); });
    }
};

window.addEventListener('load', ()=>{
    let mode = new DisplayMode();
    mode.bindButton('btn-display-mode', ( dm ) => {
        dm.cycleMode();
    });
    mode.bindButton('btn-sans-serif', ( dm ) => {
        dm.setFontStyle('sans');
    });
    mode.bindButton('btn-serif', ( dm ) => {
        dm.setFontStyle('serif');
    });
    mode.bindButton('btn-font-default', ( dm ) => {
        dm.setFontSize('default');
    });
    mode.bindButton('btn-font-large', ( dm ) => {
        dm.setFontSize('large');
    });
});
¥ê¤í      e#ãe#öFe;e˜^c   j    O^partitionKey=%28https%2Cpenny-arcade.com%29,:https://www.penny-arcade.com/js/displaymode.js?v=1648223347 strongly-framed 1 security-info FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAAAgAAAAAAAAAAAAAAAAAAAAEAOQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAUGMIIFAjCCA+qgAwIBAgISBPtgOA2VbRP+6uH34D5W/14VMA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJSMzAeFw0yMzEyMDcyMTUxMTNaFw0yNDAzMDYyMTUxMTJaMB0xGzAZBgNVBAMMEioucGVubnktYXJjYWRlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOSC9NTlg4QpjkO5sqq66dHBTyI60RPYVDNNnX5cgO2ainO+9Wym3xfWsN5xr9llcICP8LfPvj4CBkQcIKSDn0iR7obCS84ylzW2ORwniHoA5m16CUXUPJoEYxQmirCcD8sE9TMjZ+6JN0uyrl14Z/j8HhtMIp793SeaA45vw59iPDB0y9BqhVnlgdy6oVAOLDNX+SucgjEdoIvynTHSQlDza3Fu8WejlJUP4htlL/0WKMYzncKX9GoXbx9a8mbpbsSg7sukXuoZaXCr/VGqpDCmlomopaMYXqyt9SyWLlBOwuE84jsS2XRFlMuiCuX1cSXUDPfnxt+Hv63G+gQLIZkCAwEAAaOCAiUwggIhMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQURQc6jdvJR99P5NiC4eE1n2gHQ0cwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLwYDVR0RBCgwJoISKi5wZW5ueS1hcmNhZGUuY29tghBwZW5ueS1hcmNhZGUuY29tMBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHUASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGMRnpfPAAABAMARjBEAiBfRrc3QZAMG3H1GFGGbCU7AzEFZFFoN44vuXfPTwI+oQIgK6q+QCB9COHkAkt3lADQQ75YjA0rvei0wajMgsq4j3gAdgA7U3d1Pi25gE6LMFsG/kA7Z9hPw/THvQANLXJv4frUFwAAAYxGel83AAAEAwBHMEUCIQDWe+X/q1noTEL93uKdVX0UUtcRknxMOXsERKVKGMyHiAIgLAU3dps/NJ1BtYzIwwpRMRmq50JF7tU18tArlF7Vzz4wDQYJKoZIhvcNAQELBQADggEBAALLskQmlT2w7jt0zE4dqiy/1o439vSNSZqFFEbKM/XoJaBB0GBvgTxR+3tlnH8ei9KeeUZXXcdPG7D/v56LEdO9uTH1k0cEJg1PVkUsXuQZbndwpFdfUb2FTN1K+z/+o2QVokMnJzLFRIZJmW7tq6OWqKdWcHQeaoDsOHVWlF9lSLTRcLi2WfjMOdlxA4a6Vws9P1WT05b4/KEAWlLGKjRcv/6JtRpyjz7EbTvh2ZEnizvklLNKcXqcnqhxOKUnO0rRKN0u0T94MOMZok+WzjxL413zwDlnrnFOuHG1px8NBqxGylV
xJIvCKmIXRW4RgCEt71IEZPnuq1AbcWLmMD8TAQAEAAAAAAABAQAAAAAAAAZ4MjU1MTkAAAAOUlNBLVBTUy1TSEEyNTYAA2YKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAABQYwggUCMIID6qADAgECAhIE+2A4DZVtE/7q4ffgPlb/XhUwDQYJKoZIhvcNAQELBQAwMjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMTAlIzMB4XDTIzMTIwNzIxNTExM1oXDTI0MDMwNjIxNTExMlowHTEbMBkGA1UEAwwSKi5wZW5ueS1hcmNhZGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5IL01OWDhCmOQ7myqrrp0cFPIjrRE9hUM02dflyA7ZqKc771bKbfF9aw3nGv2WVwgI/wt8++PgIGRBwgpIOfSJHuhsJLzjKXNbY5HCeIegDmbXoJRdQ8mgRjFCaKsJwPywT1MyNn7ok3S7KuXXhn+PweG0winv3dJ5oDjm/Dn2I8MHTL0GqFWeWB3LqhUA4sM1f5K5yCMR2gi/KdMdJCUPNrcW7xZ6OUlQ/iG2Uv/RYoxjOdwpf0ahdvH1ryZuluxKDuy6Re6hlpcKv9UaqkMKaWiailoxherK31LJYuUE7C4TziOxLZdEWUy6IK5fVxJdQM9+fG34e/rcb6BAshmQIDAQABo4ICJTCCAiEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRFBzqN28lH30/k2ILh4TWfaAdDRzAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzAvBgNVHREEKDAmghIqLnBlbm55LWFyY2FkZS5jb22CEHBlbm55LWFyY2FkZS5jb20wEwYDVR0gBAwwCjAIBgZngQwBAgEwggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdQBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAYxGel88AAAEAwBGMEQCIF9GtzdBkAwbcfUYUYZsJTsDMQVkUWg3ji+5d89PAj6hAiArqr5AIH0I4eQCS3eUANBDvliMDSu96LTBqMyCyriPeAB2ADtTd3U+LbmAToswWwb+QDtn2E/D9Me9AA0tcm/h+tQXAAABjEZ6XzcAAAQDAEcwRQIhANZ75f+rWehMQv3e4p1VfRRS1xGSfEw5ewREpUoYzIeIAiAsBTd2mz80nUG1jMjDClExGarnQkXu1TXy0CuUXtXPPjANBgkqhkiG9w0BAQsFAAOCAQEAAsuyRCaVPbDuO3TMTh2qLL/Wjjf29I1JmoUURsoz9egloEHQYG+BPFH7e2Wcfx6L0p55Rlddx08bsP+/nosR0725MfWTRwQmDU9WRSxe5Blud3CkV19RvYVM3Ur7P/6jZBWiQycnMsVEhkmZbu2ro5aop1ZwdB5qgOw4dVaUX2VItNFwuLZZ+Mw52XEDhrpXCz0/VZPTlvj8oQBaUsYqNFy//om1GnKPPsRtO+HZkSeLO+SUs0pxepyeqHE4pSc7StEo3S7RP3gw4xmiT5bOPEvjXfPAOWeucU64cbWnHw0GrEbKVXEki8IqYhdFbhGAIS3vUgRk+e6rUBtxYuYwP2YKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAABRowggUWMIIC/qADAgECAhEAkSsISs8MGKdT9tYuJadfWjANBgkqhkiG9w0BAQsFADBPMQswCQYDVQQGEwJVUzE
pMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yMDA5MDQwMDAwMDBaFw0yNTA5MTUxNjAwMDBaMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJSMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsCFSjM9qCU0w8S7I1VksP4gvGZpnpCiKddJqq1K7nFTLGvjmv5dcij1w9HlBRVNVeMnqiiORn1gjxCqU5u9TvDLtuNwLBc81k45+3PafBaCxu+wJQkJYf6N3GzE+ccrOGb79vkO0VSRZapwVPONMhS7rWu7Y/eYHDipVSrtm0Ol6VANGsr07xm62Y0fPpri49XKZn4MBddunJv+4HFrdKGWD0Xx+cJu/Er94bcwdpxXdRG48ytJcGIvGBndWaz8Rj3olzmU/86iLZHpf8TGOqYCXc/nVP5zwHl9aZwFxSvY6T/mbOTndxTpwb+SIUdoWmuJXW7E8xSA/XtUaGL2xUCAwEAAaOCAQgwggEEMA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUFC6zF7dYVsuuUAlA5h+vnYsUwsYwHwYDVR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAChhZodHRwOi8veDEuaS5sZW5jci5vcmcvMCcGA1UdHwQgMB4wHKAaoBiGFmh0dHA6Ly94MS5jLmxlbmNyLm9yZy8wIgYDVR0gBBswGTAIBgZngQwBAgEwDQYLKwYBBAGC3xMBAQEwDQYJKoZIhvcNAQELBQADggIBAIXKTkc+o/eFRIW81Wd4sphjrXVNHpY9M2VyVC2BoOrD7fggv1/Mt3AAt2479l6U3uQgn6bvi7ID56K1FjyRzrTtOQLnfCWKR+Zlbj9G9NnwzpQr7lTOEryMJ0u4wZgvoq/NcZFKCLfIuCN7BC0I+QhXPoPZBDMKRyF4CYInwyrIm7nOXPJkyMC+ecBPjm1EDF6Suy73ixDh6B1EKdtZIO1juSH4EiaUk1egHWUEwQoirhANQ5ehGB9+4OCGN7Vasb0wv4duKyr/IU4bBcP1GJfwXqzDpbhq8C68OzO57kvezPzkr4QLhj/AVUM29mjhNhdqjpnR/6VApzS3wNBjOTU5dW7yunbIkwLpqUtsF84MAtm9gfuft2jUBmWzgj13U/iOeQOtCjEHdSpD2FWXcsQpDvfEXU7IrkaEMNfyhV8YoXm7515wiwfhhpPDuY/cYXElKq/f7SVQUmiLktzl1rXj2n3Qh2yEITGugvX7uavIiRc94UzlOA72vSu9loEU69XbPSCnflnT4vhY+Vu4SM3+XE8WKf4eVSOvyBGwjep8k5AXL/2soglHRj/w6bC3/yhNaDLWZ14eaaOTuPWdiy8L0lJDpm8yV2VNMoHfOFOFXX5dZinquN3klbXNtVYSQs3ETsYlOERQbezOAFUY/ulJZNROypectFvAc6iruEfCZgoyJpFcT/u7IImFpjLfBb3Dl5pUIkzVhYlpa26W6oMAAAAAAAAFbzCCBWswggNToAMCAQICEQCCEM+w0kDjWURj4LtjgosAMA0GCSqGSIb3DQEBCwUAME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBTZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgxMB4XDTE1MDYwNDExMDQzOFoXDTM1MDYwNDExMDQzOFowTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3V
wMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpLwYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIBAFUfWKm8sqhQ0Ayx2BppICcpCKxhdVyKbviC5Wkv1fZWS7m4cxBZ0yGXfudMcfuy0mCtOagL6hchVoXxUA5Z687gWem6yRXvhp2PhID25OmRkNwXm2IbRfBmldJ8b8LqO+8fz8vWrifxqbDIrv19fpr6IgTr/9l/6pErIrEXDo/yijRbWNj8AclUubgmzIqIM4lMLYQ8gt/ullcFuiy798S3x047gr4xyCJzc5LRwoCkOTkQMyOCTDyfhrJVmB2+KYaMIpue4ms7VzqCcE3cCceJywoHTWzoXY7J786rx7u1K05F1krQJszlcsoIaqWV4xWh96TtySxfpfv/rCgCLr7Xe7vjcXuQFtMHXkZTfDcHQozTxJac1Zm1KuCVGoBIrkw5B87MR6RSlSu6uPut0jNTfeUdTW3VobHHQm/mQCc1XKMotweN540zkOcjn/tQnHlsRtW0FbOWbn6bDJY6uFItP9Zb4fsIwoT+JKijidqsauEYKrGoQ2Fb0x/cO4128i3ojXXfFzNsPVP7e8tBX//cotBhOOGWuKxdizfXddUzwJkRrp1BwXJ1hL4CQUJfZyRIlNGbJ74HP7m4T4F0UeF6t+2dI+K+4NUoBBM8MQOe3Xpsj8YHGMZ/3keOPyieBAbPpVQ0d73siZvpF0PfW9tf/o4eV6LNQJ1+YiLa3hgnAAAAAQAAAAJoMwABAAAAABh3d3cucGVubnktYXJjYWRlLmNvbTo0NDMAAA== request-method GET response-head HTTP/3 200 
server: nginx
date: Fri, 29 Dec 2023 19:54:11 GMT
content-type: application/javascript
content-length: 6746
last-modified: Fri, 25 Mar 2022 15:49:07 GMT
etag: "623de473-1a5a"
accept-ranges: bytes
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Http3: h3
 original-response-headers server: nginx
date: Fri, 29 Dec 2023 19:54:11 GMT
content-type: application/javascript
content-length: 6746
last-modified: Fri, 25 Mar 2022 15:49:07 GMT
etag: "623de473-1a5a"
accept-ranges: bytes
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
 ctid 2 uncompressed-len 0 net-response-time-onstart 100 net-response-time-onstop 102   Z
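
A triage sketch for the cache entries examined in this thread, added here as an example and not code from any poster or from Mozilla: it pulls the source URL and response headers out of a `cache2\entries` file and decompresses a gzip body, which is the part that looks like garbage in Notepad. The layout (body, then metadata with NUL-separated elements, then a 4-byte big-endian body length), the function names and the `example.test` sample entries are assumptions or constructed; the trailing `%` and `Z` in the two dumps are consistent with that trailer (293 = 0x0125, 6746 = 0x1A5A).

```python
import gzip
import hashlib
import re
import sys
import zlib

# Assumed layout (inferred from the dumps in this thread, not an official spec):
#   <response body> <binary header + cache key> <NUL-separated elements> <4-byte length>
KEY_RE = re.compile(rb":(https?://[^\x00]+)\x00")


def parse_entry(raw: bytes) -> dict:
    """Split one cache2 entry into URL, response headers and decoded body."""
    if len(raw) < 4:
        raise ValueError("file too short to be a cache entry")
    body_len = int.from_bytes(raw[-4:], "big")  # trailer: big-endian body length
    if body_len > len(raw) - 4:
        raise ValueError("trailer points outside the file (truncated entry?)")
    body, meta = raw[:body_len], raw[body_len:-4]

    key = KEY_RE.search(meta)
    if key is None:
        raise ValueError("no cache key (':https://...') found in metadata")
    # Everything after the key is read as key\0value\0key\0value\0...
    fields = meta[key.end():].split(b"\x00")
    elements = dict(zip(fields[0::2], fields[1::2]))

    head = elements.get(b"response-head", b"").decode("latin-1").splitlines()
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    # A gzip-encoded body is stored compressed; other encodings are left as stored.
    encoding = headers.get("content-encoding", "").lower()
    try:
        decoded = gzip.decompress(body) if encoding == "gzip" else body
    except (OSError, EOFError, zlib.error):
        decoded = None  # corrupt or partially written body

    return {
        "url": key.group(1).decode("latin-1"),
        "status": head[0].strip() if head else "",
        "headers": headers,
        # The marker one poster searched for by hand.
        "cloudfront": any("cloudfront" in headers.get(h, "").lower()
                          for h in ("x-cache", "via")),
        "decoded": decoded,
        # Hash of the stored body, for comparing a shadow-copy file with the live one.
        "sha256": hashlib.sha256(body).hexdigest(),
    }


def build_sample(key: bytes, body: bytes, head: bytes) -> bytes:
    """Constructed entry; 8 filler bytes stand in for the binary metadata header."""
    meta = (b"\x00" * 8 + key + b"\x00"
            + b"strongly-framed\x001\x00request-method\x00GET\x00"
            + b"response-head\x00" + head + b"\x00")
    return body + meta + len(body).to_bytes(4, "big")


# Constructed samples modelled on the two kinds of entry discussed in the thread.
SAMPLE_GZIP = build_sample(
    b"O^partitionKey=%28https%2Cexample.test%29,a,"
    b":https://radar.example.test/metadata?history=12",
    gzip.compress(b'{"radar": "constructed"}'),
    b"HTTP/2 200\r\ncontent-type: application/json; charset=utf-8\r\n"
    b"server: Kestrel\r\ncontent-encoding: gzip\r\n",
)
SAMPLE_CF = build_sample(
    b"O^partitionKey=%28https%2Cexample.test%29,:https://cdn.example.test/page.html",
    b"<html>constructed</html>",
    b"HTTP/2 200\r\ncontent-type: text/html\r\nx-cache: Miss from cloudfront\r\n",
)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            info = parse_entry(data)
        except ValueError as exc:
            print(f"{path}: {exc}")
            continue
        flag = "cloudfront" if info["cloudfront"] else "-"
        print(path, info["status"], info["url"], flag, info["sha256"][:16])
```

Run it against files copied out of the cache or a shadow copy; identical hashes for the two copies show the stored body did not change between them.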

davidrmoran
Making moves

How about just deleting Firefox? (Sorry for the naive query.)

What a wonderful idea! Seriously though, has anyone had similar problems with the other web browsers?

I keep wondering what might be the root cause? This problem manifested itself first on 12-16-23 at least in this thread. Firefox released 121.0 on 12-19-23. Many people started noticing this issue around December 25-26-27th. Windows Defender updates itself quite regularly, so if we assume that Defender is the culprit, then

- we should be seeing similar behavior with the other browsers since they also cache the web pages

- we should have started seeing this right after Defender’s update

Flinx
Making moves

Nothing in Chrome or Edge. I still have IE on my computer but Windows won't let me run that directly. The strange thing I noted was that it reported 3 cache files on a local user account that I had not run Firefox in, in over 9 months. I deleted the files and shadows so don't know when they were last accessed.

That would certainly do it.  But instead just disable FF from maintaining cache2 file entries and you'll have no issues.  If you use Thunderbird you need to do that as well.

My daily backup is working perfectly.

dvg
Familiar face

Another strange thing is/was that the same Defender does not flag the same cache files as infected if they were copied out of shadow copy and scanned over again. 

It looks like when those files are stuck in snapshots, then Defender barks at them.

You may want to check to see if you are getting system restore points created when you run your daily backup or Defender updates its defs. See some of my earlier posts for more details.

I do as it was intended by Windows System Restore

My Win7 system has never created restore points when doing a Partial Windows Backup until 12/26/2023 when MSE started flagging the FF Cache2 folder.  Now it is creating restore points for every MSE def. update and Partial Windows Backup even if it completes the backup since I have cache2 folder omitted from the backup.
