Microsoft Defender reporting Trojan:HTML/Phish!pz threat with Firefox

Issue_Report
Making moves

Multiple items quarantined by Microsoft Defender. It is reporting Trojan:HTML/Phish!pz detected in the Firefox cache. Some examples:
C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\077D332D18D04002F4E4F2029C7BBDBD6075BBD8

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\087BCF7C6435165AD81CEA178C340D8C71CA965E

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0DB91AB2260ACFD2290F3A56BDB862D6F2359779

C:\Users\UserName\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0E79D7DDB0575B34F6E2A2DC0D77F7B91117DABB


smithgeorge550
Making moves

I am also facing this issue. I think that it appears when I use Glary Utilities software. Utility stores are also run by the Ehsaas program, which is a social welfare program; visit the website and share it so that eligible individuals can get financial support.

This problem occurs without having Glary. I don't have it. It looks like this problem occurred with the last Firefox update. Up to Dec 25 my nightly backup worked fine. Later in the day on the 25th or early on the 26th I applied a Firefox update and my problems started. If I leave the cache on, the backup will not complete. The same with my wife's system. Forget about Amazon. The fix above by JackB is the answer, but make sure you do the same for Thunderbird if you use it.

dvg
Familiar face

I agree with the statement about clearing the Mozilla cache and removing the backup snapshots (shadow copies) to complete the backups. That works, but it doesn't address the root cause.

These files, which are being flagged by Windows Defender, get into the Mozilla cache from the web sites you have visited. Now, they do not stay in the cache long. If you use shadow copies for Windows backup, then these transient files from the cache get stuck in your backup snapshots and get flagged by Windows backup as infected. So, if you clear the cache and remove the snapshots, your backup will complete, but we still don't know whether those files are actually infected or are false positives.


I caught a couple of the cache entries flagged as infected. One was from Amazon, one was from American Express. The Trojan definition says that this is an HTML phish trying to steal the passwords you enter on the web...

Flinx
Making moves

Same issue. It first started when it was finding Trojan:HTML/Phish!pz in the Firefox cache of a local computer account I had not logged in to in several months. I cleaned all that up, and now it's finding it in my cache. I don't have Glary or even know what it is.

kaiclavier
Making moves

So we know how to work around this if it is a false positive; what's next is determining whether the file is actually malicious, and what's generating it. Since the issue seems to be reproducible (after clearing your cache, launch Firefox, do about 5 minutes of browsing, and a backup will fail), has anyone tried seeing if the backup still fails with uBlock Origin removed during this process? I really doubt it's uBlock, but multiple people did mention it.

If you clear cache, and disable uBO - backups will complete again. 

My workflow right now is that I have a notification of a failed backup, I go into FF, disable uBO, clear cache, and then restart the backup.  The backup completes successfully, and when it's done, I re-enable uBO and everything is back to normal.  I'll even browse sites while the backup is happening, and it's still fine.

I do not have uBlock. The issue seems to be reproducible. Indeed, we do not know whether those cache entries are just false positives or are actually infected.

I agree, but I am still wondering what the root cause is. I fixed the problem with the method that JackB described, but what was the original cause? I see four possible explanations:
1) It's a false positive,
1.1 caused by Windows Defender's wrong detection metrics
1.2 caused by Firefox (somehow)

2) It's a true positive, caused by
2.1 a malicious website/ad/whatever (but on several websites, since there seems not to be a unique identifier)
2.2 the uBlock version (I also have it installed, but some people with the issue seem not to have uBlock)

How to find out now?

I have been wondering about what's common between Amex and Amazon in my example. Upon close inspection of those two cache entries, I see two different JavaScripts from Amazon and Amex respectively, but they both came through Amazon CloudFront, which seemingly adds some binary portion to those JavaScripts. That binary portion seems to be identical. If those two files are indeed infected, then perhaps the culprit is CloudFront. Many businesses use AWS and CloudFront to run their websites. If CloudFront somehow got infected and is spreading this Trojan, then it could be a common denominator across various cache entries. This is just a pure guess on my part, as I have no way to analyze and understand that binary portion in my cache entries.

I would truly prefer to be wrong about this and confirm that these are just false positives and not harmful...

RobW
Familiar face

Entering Amazon or Amex is not the issue for my multiple backup failures, so I have to assume these sites in particular are irrelevant. I don't know what/who CloudFront is.

I repeat, my problem did not arise until the 25th/26th, after I had installed an FF update. Using the Windows Security message details I even tried deleting the file it identified and then attempting the backup again. It still would not complete, and Windows just gave me the detail of another cache entry, and on and on.

To add, I was surprised that my search for cache2 using the free software Everything also identified cache2 in Thunderbird. If I set FF to perform an automatic deletion of cache2 but left TBird as it was, the backup failed. So, even though Mozilla put TBird on its own a number of years ago, FF updates are also affecting TBird in some manner.

My proof of this is the fact that my wife's computer (also on FF and TBird), running Windows 10 Pro, had EXACTLY the same issues after installing the FF update within minutes of me having installed the same on my computer. Backup would not complete on her computer, even after enabling automatic cache deletion in FF, until I also set TBird to do the same.

dvg
Familiar face

I have been trying to figure out what is common among the 3 files that Windows Defender flagged as infected. They all came from different web sites and seemingly have nothing in common. Then I noticed the common part in the partitionKey section. I did some digging, and it turns out that the partition key is a mechanism used by web browsers to improve privacy and prevent web sites from tracking you by partitioning the browser cache.

You can read about how this is done in Google Chrome and Mozilla Firefox here:

https://developer.chrome.com/blog/http-cache-partitioning 

https://www.ghacks.net/2020/12/20/firefox-85-will-improve-privacy-with-network-partitioning-feature/ 

These are 3 different cache entries from different web sites, with the only common section among them marked in bold font (the security-info value starting with FnhllAKWRHGAlo+ESXykKA…):

O^partitionKey=%28https%2Camericanexpress.com%29,:https://www.cdn-path.com/cc.js? &namespace=inauth necko:classified 1 strongly-framed 1 security-info FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAAAgAAAAAAAAAAAAAAAAAAAAEAOQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAXLMIIFxzCCBK

O^partitionKey=%28https%2Cameritrade.com%29,:https://invest.ameritrade.com/release/dojo/main.js?dev_WEB_2023.07_Release_23.7_Build_11 necko:classified 1 strongly-framed 1 security-info FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAAAgAAAAAAAAAAAAAAAAAAAAEAOQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAbpMIIG5TCCBc2

O^partitionKey=%28https%2Camazon.com%29,a,:https://d1nruqhae353qc.cloudfront.net/primesignup/widget.js?v=5867877 necko:classified 1 strongly-framed 1 security-info FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAAAgAAAAAAAAAAAAAAAAAAAAEAOQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAXeMIIF2jCCBMK

Could it be that this is the common part, which triggers Windows Defender?

Interestingly enough, though, these 3 files get flagged by Defender only while they are still in a shadow copy. If I copy them into a separate directory and scan that directory with Defender, Defender doesn't complain at all. That part puzzles me...

Tried the first 30 characters of that string on 3 flagged files I got out of the shadow copy, and all three match.

I have looked through the rest of the files in the cache, which Defender does not complain about. Some of them also have this pattern. Perhaps this is a red herring...

Now making the transition here. Happy New Year!

Yeah. That looks like a false alarm. Sorry. Happy New Year!

Flinx
Making moves

This string of text you mention is in all of my cache files, but only one shows as "infected" in the shadow copy.

FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAAAgAAAAAAAAAAAAAAAAAAAAEAOQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAA


dvg
Familiar face

That's the kicker. That makes me wonder and think this is a red herring. Perhaps this string is okay and I was on the wrong path.
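The three entries quoted above can be compared mechanically instead of by eye. The following is an added example (my own code, not from this thread and not from Mozilla): it parses Firefox cache2 entry files using the on-disk layout as I recall it from netwerk/cache2 (content, then a metadata block, then a 4-byte big-endian offset of that block; the metadata holds a hash, one 16-bit hash per 256 KiB chunk, a header, the NUL-terminated key, and NUL-separated name/value elements such as necko:classified and security-info), extracts the partition key from each entry's key, and takes the longest common prefix of the security-info values. The three sample entries are constructed here from the keys quoted in the thread, with zero-filled hash fields the parser skips and hypothetical tails standing in for each site's own certificate data. The shared prefix decodes to the 16-byte identifier 16786594-0296-4471-8096-8f84497ca428, which I read as the class ID of Gecko's serialised TransportSecurityInfo object (the TLS state the entry was fetched under), with the base64 "MII" that follows being the start of a DER certificate; that identification is mine and not something the thread establishes. Check the layout against entries from your own profile before relying on it.

```python
# Added example, not from the thread or from Mozilla: parse Firefox cache2
# entry files and compare the metadata of several entries. Layout as I
# recall it from netwerk/cache2 (verify against real entries):
#   [content][meta hash u32][u16 hash per 256 KiB chunk][header][key NUL]
#   [name NUL value NUL ...][u32 offset of metadata]   integers big-endian
import base64
import os
import re
import struct
import sys
import urllib.parse
import uuid

CHUNK_SIZE = 256 * 1024

# Constant prefix quoted in the thread (start of every entry's security-info value).
SECURITY_INFO_PREFIX = ("FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHe"
                        "AAAAAgAAAAAAAAAAAAAAAAAAAAEAOQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAA")

# Constructed sample keys modelled on the three entries quoted in the thread.
SAMPLE_KEYS = (
    "O^partitionKey=%28https%2Camericanexpress.com%29,:https://www.cdn-path.com/cc.js?&namespace=inauth",
    "O^partitionKey=%28https%2Cameritrade.com%29,:https://invest.ameritrade.com/release/dojo/main.js",
    "O^partitionKey=%28https%2Camazon.com%29,a,:https://d1nruqhae353qc.cloudfront.net/primesignup/widget.js",
)
# Hypothetical tails standing in for each site's own (different) certificate chain.
SAMPLE_TAILS = ("XLMIIFxzCCBK", "bpMIIG5TCCBc2", "XeMIIF2jCCBMK")


def chunk_count(content_len: int) -> int:
    return (content_len - 1) // CHUNK_SIZE + 1 if content_len else 0


def build_cache2_entry(key: str, elements: dict, content: bytes, version: int = 3) -> bytes:
    """Writer for constructed samples. Hash fields are zero-filled, not computed."""
    key_b = key.encode()
    fields = [version, 1, 0, 0, 0, 0, len(key_b)]      # version, fetchCount, lastFetched,
    if version >= 2:                                    # lastModified, frecency,
        fields.append(0)                                # expirationTime, keySize, flags
    header = struct.pack(">%dI" % len(fields), *fields)
    elems = b"".join(n.encode() + b"\0" + v.encode() + b"\0" for n, v in elements.items())
    meta = b"\0" * 4 + b"\0\0" * chunk_count(len(content)) + header + key_b + b"\0" + elems
    return content + meta + struct.pack(">I", len(content))


def parse_cache2_entry(data: bytes) -> dict:
    """Return version, key, content and the name/value elements of one entry."""
    meta_offset = struct.unpack(">I", data[-4:])[0]
    if meta_offset > len(data) - 4:
        raise ValueError("metadata offset beyond end of file")
    meta = data[meta_offset:-4]
    pos = 4 + 2 * chunk_count(meta_offset)             # skip meta hash + chunk hashes
    version = struct.unpack(">I", meta[pos:pos + 4])[0]
    nfields = 7 if version == 1 else 8                  # v1 header has no flags word
    fields = struct.unpack(">%dI" % nfields, meta[pos:pos + 4 * nfields])
    key_size = fields[6]
    pos += 4 * nfields
    key = meta[pos:pos + key_size].decode("utf-8", "replace")
    pos += key_size + 1                                 # NUL after the key
    parts = meta[pos:].split(b"\0")
    if parts and parts[-1] == b"":                      # artefact of the final NUL
        parts.pop()
    elements = {parts[i].decode("utf-8", "replace"): parts[i + 1].decode("utf-8", "replace")
                for i in range(0, len(parts) - 1, 2)}
    return {"version": version, "key": key, "content": data[:meta_offset], "elements": elements}


def partition_key(key: str):
    """Origin the entry is partitioned under, e.g. '(https,amazon.com)'."""
    m = re.search(r"partitionKey=([^,]+)", key)
    return urllib.parse.unquote(m.group(1)) if m else None


def security_info_class_id(b64: str) -> str:
    """First 16 bytes of the serialised security-info element, shown as a UUID."""
    raw = base64.b64decode(b64[: len(b64) // 4 * 4])    # drop any partial 4-char group
    if len(raw) < 16:
        raise ValueError("security-info too short")
    return str(uuid.UUID(bytes=raw[:16]))


def analyse(entry_blobs) -> dict:
    """What several flagged entries have in common, the way the thread compares them."""
    parsed = [parse_cache2_entry(b) for b in entry_blobs]
    secinfo = [p["elements"].get("security-info", "") for p in parsed]
    prefix = os.path.commonprefix(secinfo)
    return {
        "partition_keys": [partition_key(p["key"]) for p in parsed],
        "security_info_common_prefix": prefix,
        "security_info_class_id": security_info_class_id(prefix) if len(prefix) >= 24 else None,
    }


def sample_entries() -> list:
    """Three constructed entries: different sites, same security-info prefix."""
    return [
        build_cache2_entry(key, {"necko:classified": "1", "strongly-framed": "1",
                                 "security-info": SECURITY_INFO_PREFIX + tail},
                           b"/* constructed script body */")
        for key, tail in zip(SAMPLE_KEYS, SAMPLE_TAILS)
    ]


if __name__ == "__main__":
    # With file paths, parse real entries from cache2\entries; otherwise use the samples.
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or sample_entries()
    for blob in blobs:
        e = parse_cache2_entry(blob)
        print(e["key"], partition_key(e["key"]), sorted(e["elements"]))
    print(analyse(blobs))
```

Run it with one or more paths from the cache2\entries folder named at the top of the thread to see each entry's key, partition key and element names; with no arguments it runs on the constructed samples. A common prefix that decodes to the same class ID across entries from unrelated sites is what you would expect from per-entry TLS metadata, not from injected page content, so it is not evidence either way about the Defender detection; the content part of each entry (the JavaScript itself) is what a scanner would have to be looking at.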

RobW
Familiar face

After all this discussion I am left with some observations I believe outline this issue -

1.  FF in its latest update is compiling entries in cache2 that Defender identifies as a trojan. Why some update dates vary makes no difference, because it depends on when you perform your backup.

2.  It makes no difference whether the offending entries are in cache2 or duplicated in a recovery shadow copy.

3.  Other software applications like uBlock are irrelevant to the problem.

4.  A virus scan by any of the available packages fails to identify any issues.

5.  Setting FF to clean out cache on closing eliminates the issue.

6.  This is a false positive and unless we are coders we'll never know what Defender finds wrong with cache2 entries.

7.  Set FF and TBird to clean out cache on closing and stop worrying about what is obviously a false issue.

For my own peace of mind I have run Defender and MSERT scans a number of times resulting in no threats on my system.

Rob thanks for your help I followed your instructions and it seems to work fine now 

It remains a problem though.

1. Setting FF to clean the cache works, but only so long as FF is closed when the backup runs. Open it and you'll see the issue repeat.

2. MS backup refuses to complete once it detects a virus in the backup file. This is a false positive, but it's one that is causing your backups to fail, and no backups is a serious consequence of this.

Obviously it has to be reported to Microsoft, who can diagnose and resolve this bug. If it can be narrowed down, it can be reported here.

Why would you perform a backup with FF still open?  My backups are performed daily on a schedule and FF is closed when I leave it.  Microsoft is not the problem.  Mozilla is the issue.

dvg
Familiar face

Well, those shadow copies allow you to keep your applications open and working while the backup is running. That's the whole idea of the snapshots. It is convenient. I run my backups during the day.

RobW
Familiar face

dvg.......

You misunderstand. I am questioning why anyone would leave FF open while they run a backup. If the cache is cleared when FF is closed, there is no issue with either FF or recovery/restore shadow copies. A system restore point is created immediately before the backup runs, and if FF is closed there are no issues. In my case, the backup runs on a schedule, which means FF is never open, even accidentally. One day perhaps Mozilla will correct this problem, but until then we can only compromise.

RobW
Familiar face

Sorry, typo. A restore point is created immediately after the backup runs.

dvg
Familiar face

No, Rob. You misunderstood. The reason why we can keep our applications open is that Windows backup employs shadow copy technology. Clearing the cache and cookies is also not really a good solution, as you need to log in to the web sites again every time you clear the cookies.

RobW
Familiar face

I have no idea what you mean. Keeping an application open is not needed or required when system restore points are set. Perhaps you leave FF open in the background while you perform other tasks. I occasionally do that, but FF would not normally be open when the backup is being run unless I am manually running the backup. If you manually set a restore point while some applications are open, this is different. And restore point file copies are not referred to/employed by your system while it is running unless you enter recovery. They are only file copies and are not active or background running processes.

Clearing cache2 does not clear cookies. This is why I previously questioned the need for FF to maintain cache entries. I can see no difference in accessing any websites with the FF cache cleared after closing. See this:

In general, to get to the Microsoft cookies folder in Windows 10 or 11, you can open the Run box, type shell:cookies, and press Enter. They're located in the INetCookies folder in the C: drive. Your cookies are located in the same folder if you use Windows 8 or Windows 8.1.

dvg
Familiar face

Your cookies are being stored in your profile directory, AppData\Roaming\Mozilla\Firefox\Profiles. I believe that the setting you mention in FF cleans both cache and cookies on exit.

RobW
Familiar face

Cookie file copies maintained by FF are not cleared if the cache is set to be cleared when FF is closed. I have no idea why FF stores cookie info in any event; it's redundant. Cookies are stored in the Windows AppData folder in order to be accessible by any browser you may use. This Windows folder is hidden/restricted.

Cookies are stored in the user's local app data folder on Windows 10. This folder can be found by opening File Explorer and navigating to the following folder path: C:\Users\ \AppData\Local\Microsoft\Windows\INetCookies.

I leave it open (along with many other applications) because the shadow copy feature lets that happen and because I am not going to micromanage my life just to suit the backup app. Its job is to make backups, sometimes even when I'm working at strange hours.

These programs are supposed to work around me to benefit my life, not the other way round. Besides, if I have to close FF, what other apps do I have to close too? Imagine having to reboot just to run a backup safely. Every day. That's the solution you're suggesting. FF is just the program under discussion today; there are loads more that cache, store and hold open files.

It's certainly your choice to leave apps open even if they are not being used. But shadow copies are just that: file copies created when a restore point is set (whether system or manual), and they are not active otherwise.

A reboot is not required in order to run a backup, whether you set FF to be cleared when closed or not. I have not suggested a reboot is necessary.

If you leave FF open, having previously accessed websites, and then you manually run a backup, yes, you will have a problem, because cache2 contains entries. Until Mozilla corrects this issue we have to work around it.

Everyone is different, but when I am done on the internet I close FF. I cannot perceive any reason to leave it open, because it's just as easy to click on the FF desktop icon as to click on the taskbar entry. Having said that, why would I leave FF open and concurrently perform a manual backup? The majority of people run backup on a schedule, usually during off hours. Mine is 3 a.m.

General advice is (I did not embolden any text):

Is it OK to leave my browser open?
When you have too many applications running, your computer slows down. Browsers can be data-hungry creatures, and there's no reason to leave them open when you're not using them. Whether playing a game, typing an email or checking social media, keep your browser closed until needed.

The majority of people have a browser open every second the PC is running. I can comfortably state that many of them don't even know what a PC is without a browser running.

So you think that most people using a PC would open their browser and then minimize it (or allow it to be minimized) while doing other things?

I don't think you can accurately make that statement, but it doesn't really matter unless they are usually running a manual backup. Then they would have a problem when using FF.

The only option I have in FF is "Delete cookies and site data (cache) when FF is closed". Is there another location to just remove the cache?

A bit lower, at 'History'. You can tick at the bottom to clear history when closing Firefox, and when you hit 'Clear history' you get the chance to choose cache and/or cookies. 'Cookies' is not necessary.


Edit:

Sorry, I made a mistake there. Do not click 'Clear History'; instead click the settings button that appears after 'Clear history when closing Firefox'.

Flinx
Making moves

I submitted a report through Feedback in Windows Defender, including a copy of an "infected" file. Y'all should probably do the same.

dvg
Familiar face

Flint,

Have you received any feedback from Microsoft on your submission through Windows Defender yet?

Flinx
Making moves

It's Flinx.

Nothing yet, but based on what I read they pay attention to feedback based on the number of comments and upvotes. So if you want this looked at sooner, I suggest you either comment and upvote on my feedback or create one very much like it.

I think everyone should do both.

https://aka.ms/AAoef32

Tried a few times, can't get access to that Feedback Hub. Received a code per e-mail, entered the code, but no go. Don't like it either, never heard of it before, will not bother any more 😂

dvg
Familiar face

Apologies, Flinx. The autocorrection mangled your name. I don't think people can access your link. I tried and I can't, but I will submit another feedback report through Windows Defender.

Flinx
Making moves

You might have to have Windows 10 or later to access it, since it works through Feedback on your local computer.