
Microsoft Defender reporting Trojan:HTML/Phish!pz threat with Firefox

Issue_Report
Making moves

Multiple items quarantined by Microsoft Defender. It is reporting Trojan:HTML/Phish!pz is detected in Firefox cache. Some examples being:
C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\077D332D18D04002F4E4F2029C7BBDBD6075BBD8

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\087BCF7C6435165AD81CEA178C340D8C71CA965E

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0DB91AB2260ACFD2290F3A56BDB862D6F2359779

C:\Users\UserName\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0E79D7DDB0575B34F6E2A2DC0D77F7B91117DABB


System will always create a restore point whether you do a backup or not although I don't know the default frequency.  MSE/Defender is not the driver on setting recovery points.  Interesting that Win 7 started flagging FF too.  This gives further credibility that the problem is FF related and not uBlock, Amazon or other utility software.  I really liked Win 7 and more so XP but a lot of programs dropped support.  For example, Thunderbird put you into legacy mode as of last Jan with no further updates.  I only converted to Win 10 last Apr because I really had no choice and new MOBO will not run on 7 or earlier.  I took the opportunity to install a new mobo and processor.  Earlier mobo will run on Win 10 as is the case with my wife's computer.  I do not like 10 and I'm sure I won't like 11 when I eventually have to convert to that.

How do you specifically omit cache2 folder from your backup?

Wanted to point out my issue started after the MSE def. updates on 12/26/2023. FireFox had already been updated on 12/19/2023 to 115.6esr for Win7 since it too will be losing support in October of 2024.

In Win7, I setup a group of files and folders I wanted to backup every day.  This is done when setting up Windows Backup.  You tell Windows what you want backed up and just unselect the folder cache2.  That omits the cache2 folder from my nightly backup. That allows the Windows Backup to complete normally but it still does not resolve system restore creating a restore point each and every time a backup is done.  The restore points have never been created like this before 12/26/2023 when MSE/FF flagged the issue.   Now each time MSE updates the defs. or a backup is run, a new restore point is created.


I don't understand how you can exclude a folder from backup that resides within an AppData site.  My backup does not allow selections that minute.  Appdata is a category by itself without any drop down for further selection or not.

You have to unselect the appdata folder under other locations and then drill down under the user's name to select appdata, then drill down and uncheck the cache2 selection ..... just like using file explorer to find FF cache2 dir.

Ah so !!  Never thought of that.  It's easier to set cache2 to be cleared when closing FF and TBird.  For finding files like cache2 I use Everything (not Explorer) which is a free search software and very useful.  Type in cache2 and bingo !  It's especially useful if/when you have misfiled something and can't find it.

As I stated earlier when you asked, on my (W10) system, no restore point is made when the def file is updated. So that is different with yours. But a backup, I can imagine that Windows sees that also as a restore point ? I always saw shadow copies as a mix of backups and restore points.


"def file is created".  What does that mean?

The update of Defenders virus definition file, once a day or so.

davidrmoran
Making moves

tnx; did that too, but am going to go for now exclusively w chrome and edge, and only partly for dvg's amusement 

davidrmoran
Making moves

anyone use msert ? I just did, found nothing, will do full scan tonight 

AZBluescat
Making moves

I've seen Microsoft Defender reporting malware in the cache of the Firefox and Opera GX browsers at various times for over a year now. Sometimes it seems related to the shadow copies of the Windows 7 backups, and sometimes not. I don't recall seeing any such reports on my machines using just Edge and/or Chrome.

If I eliminate the browser caches from the backup, I don't recall seeing any such reports.

I use Firefox on my Linux machines and have not seen it happening there. Of course, Windows 7 Backup and Restore doesn't work on Linux machines, so this is an apples/oranges comparison.

I'm wondering if this is a problem with Defender not liking the way Firefox and Opera GX cache stuff because it looks too much like the way various cache attacks work in a Windows environment. Just my 2-cents.

davidrmoran
Making moves

OT this particular thread, but for the record, I just ran msert on a moderate-size W10 system (but including some of my outboard backup drives) and it took ~23h. While running, the scan counter logged 750 or so 'infected' files in toto ... and then, after it was all finished, without further report it said 'No problems or viruses or malware detected'. 

So woohoo, I guess.

Decached FF and stopped using it. Edge and Chrome are enough.

Further OT:
The chief, and amazing, improvement I just half-accidentally effected in this ancient XPS8920 Dell tower was recently buying and installing too much (by accident) ram. 48G altogether now.
The difference is really something. Esp if you keep dozens of tabs open. Not a gamer, a historical-novel writer. 

Anyway, fyi about msert. 

KenC
Making moves

Same happening here. By now I would have thought Mozilla would be all over this and have fixed it.

Flinx
Making moves

my feedback to microsoft https://aka.ms/AAoef32 please comment or upvote so it can maybe get dealt with.

 Thank you. Excellent. I sent them a copy of one of my earlier detailed complaints.

For now, if I don't forget to shut off FF & T-Bird, everything is cool.

I suppose there is a way to schedule those to shut themselves down, but it's over my head.

erikdenhouter
Making moves

Well, after a few days problems making a Windows backup, I finally managed to make one, and without deleting caches and cookies.

In windows backup I edited preferences, and excluded  every cache2 folder from Mozilla Firefox AND Thunderbird, and I did that for EVERY profile folder that had a cache2 folder in it. For me 2 for Firefox, and 3 for Thunderbird.

After that I started a backup again, and it took longer than prior backups. I think because the settings changed it made a full backup, judging on the size.

Better check your backup history, after all the trying I seem to miss a few versions from just before the troubles.


Btw, it is always possible that MS updated its virus definition file in the meantime, so please let us know if you managed to make a backup without changing anything.

I can confirm that unchecking AppData folder in Windows Backup allows the backups to complete successfully. Excluding AppData may be too broad rather than just Mozilla cache2 folder, but it was easier for me.

My last update to MS virus definition took place on 01/01/24 at 1:40 pm PST. The backups were still failing this morning until I excluded AppData folder.

I really don't think it is a good idea to exclude the whole appdata folder from the backup, in 20 seconds more you are at the profiles folders. And sure you want the FF and TB profile folders in your backup, so:

C:\Users\[username]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxxx\cache2

and if you also use Thunderbird:

C:\Users\[username]\AppData\Local\Thunderbird\Profiles\xxxxxxxxx\cache2

For xxxxxxxxx, look in every folder in the \profiles\ folder for a cache2 folder, and exclude it from the backup to be sure.
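For the "look in every profile folder for a cache2 folder" step above, here is an added PowerShell example (not code from the thread or from Mozilla) that enumerates every Firefox and Thunderbird cache2 folder for the current user, reports how many cache entries each holds, and cross-checks Defender's own detection history for anything that points into one of those folders. It assumes the standard profile layout under %LOCALAPPDATA% that the paths above show, and uses only the built-in Defender cmdlets Get-MpThreatDetection and Get-MpThreat.

```powershell
# Added example (not from the thread): list every Firefox/Thunderbird cache2
# folder for the current user so they can be excluded from Windows Backup,
# and show any Defender detections whose resource path lies inside one.
# Assumes the profile layout %LOCALAPPDATA%\<app>\Profiles\<profile>\cache2.

$roots = @(
    (Join-Path $env:LOCALAPPDATA 'Mozilla\Firefox\Profiles'),
    (Join-Path $env:LOCALAPPDATA 'Thunderbird\Profiles')
)

# One cache2 folder per profile directory, only where it actually exists.
$cacheDirs = foreach ($root in $roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Directory |
            ForEach-Object { Join-Path $_.FullName 'cache2' } |
            Where-Object { Test-Path $_ }
    }
}

Write-Host "cache2 folders found (exclude these in Windows Backup):"
foreach ($dir in $cacheDirs) {
    $entries = Get-ChildItem -Path (Join-Path $dir 'entries') -File -ErrorAction SilentlyContinue
    $sizeMB  = [math]::Round((($entries | Measure-Object Length -Sum).Sum / 1MB), 1)
    Write-Host ("  {0}  ({1} entries, {2} MB)" -f $dir, $entries.Count, $sizeMB)
}

# Cross-check Defender's detection history. Resources holds the flagged paths
# (e.g. "file:_C:\Users\...\cache2\entries\..."), so match on "\cache2\".
$hits = Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Where-Object { ($_.Resources -join ' ') -match '\\cache2\\' }

if ($hits) {
    Write-Host "`nDefender detections involving a cache2 folder:"
    foreach ($h in $hits) {
        $name = (Get-MpThreat -ThreatID $h.ThreatID -ErrorAction SilentlyContinue).ThreatName
        Write-Host ("  {0}  {1}" -f $h.InitialDetectionTime, $name)
        $h.Resources | ForEach-Object { Write-Host "      $_" }
    }
} else {
    Write-Host "`nNo Defender detections referencing a cache2 folder."
}
```

Run it in a normal (non-elevated) PowerShell window while Firefox and Thunderbird are closed; the first list is exactly the set of folders to untick in the Windows Backup selection, and the second tells you whether a detection actually sits in a browser cache (which is what a cached web page being flagged looks like) rather than somewhere outside the cache.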


A quicker way of finding the location of ALL cache2 folders is to use Everything - free.  It's one of the most useful programs I've ever had.  https://everything.en.softonic.com/

Thanks for saying that out loud.  Sometimes I get too hard-core into troubleshooting that I overlook the simplest and most effective step of just....excluding the cache folder.

I'm sure someone can (and will) make a case for why you'd want cache2 in your backup, but since everyone also suggests that you just flush the cache when exiting FF, seems like this is the solution that will solve this issue for me right now.

Good point, the cache is empty anyway.

Clearing cache when closing Firefox also deletes all cookies (as far as I could see), and for some that can be a hard one to get used to. I try to avoid that, I clear individual site cookies only when I have to.

What's wrong with you people?  Clicking on clearing cache on closing is one option in FF.  You have to also click Cookies if you want them removed too.  Otherwise they are not removed. Pay attention.

Sorry RobW, in my settings, at closing down Firefox I cannot choose to only delete cache and not the cookies, only when deleting the cache manually I can do that. And when I did clear only the cache manually, and directly closed down FF, the backup still failed.

You are not correct.  Go to Tools/Settings/Privacy & Security/Clear History/ click that and Setting on the right becomes available.  You now have a selection of ticking history, cookies cache, etc. Select Cache only.

It's much easier in Thunderbird because the clearing cache box resides on the General page in plain sight.

Thank you ! So these two ticks not only are for clearing on demand, but also when closing Firefox ? That was not clear for me then 🤔

Mozilla uses the word 'History' to mean more than just 'browsing' History.  The line says Clear History when Firefox closes.  If that box is NOT ticked you do not have access to Settings to the right.  When it is clicked you can open Settings and select what you wish.  There are 7 options, Cache being one of them.

😠 I made a complete fool of myself by being in the wrong place in the settings. The whole time I was adjusting 'Cookies and website data' (or similar in English). That is above the History. Even after your comments I was not changing the History settings. Found it after I encountered more doubts through your text (It is partly a translation thingy to Dutch).

Thanks.

No you didn't.  It's not obvious at all.  I did not find it myself but followed advice from some other user back on the 27th, 28th or similar date where they explained in detail how to access cache and have it clear on closing FF.  The trick running backup after that is you MUST close FF (or TBird) otherwise it will fail.

As to others that insist this is a Defender issue, the problem did not exist for most users until FF update 121.0 was applied.  Defender may be/is falsely identifying a FF cache2 entry or entries as being a trojan but the issue is that Mozilla has these cache2 entries formatted in a manner that causes Defender algorithms to 'think' they see a trojan.  It's up to Mozilla to determine the problem and take corrective action which may also involve Microsoft.  They can do so quite easily because they have the ability to test their software against Defender definitions.  It's Mozilla who have a vested interest in ensuring FF runs properly and does not cause problems.  FF is small potatoes in the Microsoft world.

It looks like there are at least two different ways to clear cache in FF. The first one is under History as RobW pointed out, the other one is under Cookies and Site Data. One needs to click on Clear Data button and will be presented with two choices to delete Cookies and Site Data, Cached Web Content or both.

dvg
Familiar face

I think, RobW has found the most convenient way to clear the browser cache on the FF closure. Thank you, RobW!

RobW
Familiar face

I can't take credit for this.  It was jackb on the 27th who posted the method and I followed it.  Backup still failed but Defender posted a note that cache2 in Thunderbird was the culprit.  I googled that and found there was a similar method in TBird and followed that.  As long as both programs are closed backup is always successful.

tomhummus has reported Mozilla is looking into this issue and I'm sure it will be corrected.

joesmith222
Making moves

i had this happen to me while using a 2 years outdated Basilisk browser with the UBlock Origin extension. I only use it to check the weather with about 20 static tabs so i didn't bother to update it. It happened a few minutes after i finally decided to run a backup (Win 7 type) after the OS had been nagging me for months. I created a separate partition on the HDD for backups, then selected Win7 type and after a few minutes WinDefender popped up with the scary malware notification and at the same time the OS notified me that the backup had failed.  Eventually i just deleted all files on the backup partition and tried again and it worked. WinDefender said it wasn't certain that it had quarantined the malware.

In the next few hours i bought Eset Internet Security and Malwarebytes Pro version and installed both and neither found anything.

RobSalvv
Making moves

Same prob here. Since 31/12/23 when a back up ran.

Defender finds the Trojan in shadow copy 30, quarantines it and removes it, but it keeps being detected. I’ve not had any weird behaviour so I’m hoping it is a false positive. 

This was on my Win7 laptop only even though I use FF across multiple laptops. Is the delete FF cache and delete restore points the suggested way forwards? 

Some other online resources keep pointing to running Spyhunter.

I ran Malwarebytes and it crapped out doing a full scan.

Currently running super anti spyware full scan. I also ran it two days ago when this first showed up, it only found ad tracking objects. 

Suggestions? 


Defender found and deleted the flagged profile file in the shadow copy. I deleted FF cache and closed it, ran full disk virus scans using three different scanners including Defender. All clear. Ran a back up and it ran fine. 

Now I’ve started FF and updated it, re logged in to a few sites… will see whether back up fails and Defender triggers again. 

lurker212
Making moves

I'm on Win10 and just had my monthly Win7-style backup fail due to an infected file.  Investigation showed that, like the others, Trojan:HTML/Phish!pz was found in a Firefox cache2 entry.  I am not running Glarry or uBlock.  Win Defender detected the threat but was unable to "fully remediate" it despite several tries.  I deleted the entry and eventually cleared the entire cache, but it reappeared next time I ran FF, though I believe the filename was different.  I also ran Msft's offline scan program, which behaved oddly--it took a long time to run (4 million files) and was reporting 155 infections but then it seemed to hang for at least 5 minutes (though Task Manager showed it consuming CPU and disk).  I assumed it had gone off into the weeds and hit cancel, which did not seem to have any effect immediately, but after a minute or two, the program appeared to end normally and reported that no infection was found(!).

I have no idea what it's doing, if anything, on my machine.  I do nightly incremental backups with SyncBack and those are running without complaint, though I suspect they are simply not looking for malware.  I am more concerned with removing the threat permanently than finding a work around so that backups will run.

I think everybody has come to the conclusion that more likely than not this is a false positive. Submit your feedback to Microsoft through the Windows Defender application. Some people have done so already.

RobW
Familiar face

You are wasting your time if you think Microsoft will be interested in dealing with an issue affecting somewhere between 7-10% of browser users.  That's the approximation for FF.  It's Mozilla who has a vested interest in ensuring their community product performs for their users.  If this problem resides with Defender, it's up to Mozilla to prove that first and then take it to Microsoft.  You will not be successful putting the cart before the horse by trying to contact MS.

Personally, I believe the issue is caused by FF, not Defender.  In the meantime it can be alleviated by having FF clear cache when closing OR removing cache2 from the backup process in User AppData.  Either one of these will ensure your Restore point is not compromised as well.

Also, reading comments  by new posters, it's apparent they are not reading the early forum postings from the 28th +.

Not reading the comments seems a problem for this forum I think, I myself regularly lose track of what is posted where.

I have posted a Defender feedback report for MS, just to put a bit of pressure. If no one does, no one bothers.

For now we are dependent on coders from Mozilla or Microsoft to find the reason. In the meantime better exclude the cache2 folders from backing up by editing the preferences of Windows Backup:

C:\Users\[username]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxxx\cache2

and if you also use Thunderbird:

C:\Users\[username]\AppData\Local\Thunderbird\Profiles\xxxxxxxxx\cache2

For xxxxxxxxx, look in every folder in the \profiles\ folder for a cache2 folder, and exclude it from the backup to be sure. I had 5 in total, didn't even bother to look if they were empty or not.

See my post on 01-02-2024 07:55 AM

Update:  I may have solved the problem.  These were the steps (in Win10):

  1. Close FF
  2. In Explorer, navigate to the cache2\entries folder where Windows Defender reported the threat, then delete all files in that folder.
  3. Open the Properties panel of C:\ and click on Disk Cleanup
  4. Click on Cleanup System Files
  5. After it does some space calculations, click on the More Options tab at the top of the panel
  6. Click on the System Restore and Shadow Copies Clean Up button
  7. Confirm your selection till it gets tired of asking the same question.

I then ran a complete Defender scan, which came up clean, double checked that Cache2\entries was still empty, then ran the Win7 backup that I usually do.  This time, the backup completed with no problem.

A few comments--I suppose there's not much harm in excluding all cache files from backup, but I am not happy about leaving a known bit of malware in place.  What else might it be doing besides screwing up your backup?  I have not seen any consensus about what this entity really is, so I prefer to avoid the risk if I can.

Another thing is, this procedure is not without risk, in that it eliminates all but your most recent restore point.  I've resorted to restore points very seldom and I'm pretty sure I never needed anything older than the latest one, but your mileage may vary, so think about it.  Perhaps there's a way to eliminate the shadow copies while maintaining the restore points--or maybe that doesn't make any sense, dunno.

Finally, this has been my first encounter with a persistent threat, one that reappears after you think you have deleted it.  I will not be surprised to find that it reappears somewhere else in the future.  Hopefully by then, enough smart people will have dealt with it to come up with a definitive eradication method.