Showing results for 
Show  only  | Search instead for 
Did you mean: 

Microsoft Defender reporting Trojan:HTML/Phish!pz threat with Firefox

Making moves

Multiple items quarentined by Microsoft Defender. It is reporting Trajon:HTML/Phish!pz is detected in Firefox cache. Some examples being:




258 REPLIES 258

System will always create a restore point whether you do a backup or not although I don't know the default frequency.  MSE/Defender is not the driver on setting recovery points.  Interesting that Win 7 started flagging FF too.  This gives further credibility that the problem is FF related and not uBlock, Amazon or other utility software.  I really liked Win 7 and more so XP but a lot of programs dropped support.  For example, Thunderbird put you into legacy mode as of last Jan with no further updates.  I only converted to Win 10 last Apr because I really had no choice and new MOBO will not run on 7 or earlier.  I took the opportunity to install a new mobo and processor.  Earlier mobo will run on Win 10 as is the case with my wife's computer.  I do not like 10 and I'm sure I won't like 11 when I eventually have to convert to that.

How do you specifically omit cache2 folder from your backup?

Wanted to point out my issue started after the MSE def. updates on 12/26/2023. FireFox had already been updated on 12/19/2023 to 115.6esr for Win7 since it too will be loosing support in October of 2024.

In Win7, I setup a group of files and folders I wanted to backup every day.  This is done when setting up Windows Backup.  You tell Windows what you want backed up and just unselect the folder cache2.  That omits the cache2 folder from my nightly backup. That allows the Windows Backup to complete normally but it still does not resolve system restore creating a restore point each and every time a backup is done.  The restore points have never been created like this before 12/26/2023 when MSE/FF flagged the issue.   Now each time MSE updates the defs. or a backup is run, a new restore point is created.



I don't understand how you can exclude a folder from backup that resides within an AppData site.  My backup does not allow selections that minute.  Appdata is a category by itself without any drop down for further selection or not.

You have to unselect the appdata folder under other locations and then drill down under the the users name to select appdata, then drill down anduncheck the cache2 selection ..... just like using file explorer to find FF cache2 dir.

Ah so !!  Never thought of that.  It's easier to set cache2 to be cleared when closiing FF and TBird.  For finding files like cache2 I use Everything (not Explorer) which is a free search software and very useful.  Type in cache2 and bingo !  It's especially useful if/when you have misfiled something and can't find it.

As I stated earlier when you asked, on my (W10) system, no restore point is made when the def file is updated. So that is different with yours. But a backup, I can imagine that Windows sees that also as a restore point ? I always saw shadow copies as a mix of backups and restore points.


"def file is created'.  What does that mean?

The update of Defenders virus definition file, once a day or so.

Making moves

tnx; did that too, but am going to go for now exclusively w chrome and edge, and only partly for dvg's amusement 

Making moves

anyone use msert ? I just did, found nothing, will do full scan tonight 

Making moves

I've seen Microsoft Defender reporting malware in the cache of the Firefox and Opera GX browsers at various times for over a year now. Sometimes it seems related to the shadow copies of the Windows 7 backups, and sometimes not. I don't recall seeing any such reports on my machines using just Edge and/or Chrome.

If I eliminate the browser caches from the backup, I don't recall seeing any such reports.

I use Firefox on my Linux machines and have not seen it happening there. Of course, Windows 7 Backup and Restore doesn't work on Linux machines, so this is an apples/oranges comparison.

I'm wondering if this is a problem with Defender not liking the way Firefox and Opera GX cache stuff because it looks too much like the way various cache attacks work in a Windows environment. Just my 2-cents.

Making moves

OT this particular thread, but for the record, I just ran msert on a moderate-size W10 system (but including some of my outboard backup drives) and it took ~23h. While running, the scan counter logged 750 or so 'infected' files in toto ... and then, after it was all finished, without further report it said 'No problems or viruses or malware detected'. 

So woohoo, I guess.

Decached FF and stopped using it. Edge and Chrome are enough.

Further OT:
The chief, and amazing, improvement I just half-accidentally effected in this ancient XPS8920 Dell tower was recently buying and installing too much (by accident) ram. 48G altogether now.
The difference is really something. Esp if you keep dozens of tabs open. Not a gamer, a historical-novel writer. 

Anyway, fyi about msert. 

Making moves

Same happening here. By now I would have thought Mozilla would be all over this and have fixed it.

Making moves

my feedback to microsoft please comment or upvote so it can maybe get dealt with.

 Thank you. Excellent. I sent them a copy of one of my earlier detailed complaints.

For now, if I don't forget to shut off FF & T-Bird, everthing is cool.

I suppose there is a way to schedule those to shut themselves down, but it's over my head.

Making moves

Well, after a few days problems making a Windows backup, I finally managed to make one, and without deleting caches and cookies.

In windows backup I edited preferences, and excluded  every cache2 folder from Mozilla Firefox AND Thunderbird, and I did that for EVERY profile folder that had a cache2 folder in it. For me 2 for Firefox, and 3 for Thunderbird.

After that I started a backup again, and it took longer that prior backups. I think because the settings changed it made a full backup, judging on the size.

Better check you backup history, after all the trying I seem to mis a few versions from just before the troubles.


Btw, it is always possible that MS updated its virus definition file in the mean time, so please let us know if you managed to make a backup without changing anything.

I can confirm that unchecking AppData folder in Windows Backup allows the backups to complete successfully. Excluding AppData maybe to broad rather than just Mozzilla cache2 folder, but it was easier for me.

My last update to MS virus definition took place on 01/01/24 at 1:40 pm PST. The backups were still failing this morning until I excluded AppData folder.

I really don't think it is a good idea to exclude the whole appdata folder from the backup, in 20 seconds more you are at the profiles folders. And sure you want the FF and TB profile folders in your backup, so:


and if you also use Thunderbird:


For xxxxxxxxx, look in every folder in the \profiles\ folder for a cache2 folder, and exclude it from the backup to be sure.


A quicker way of finding the location of ALL cache 2 folders is to use Everything - free .  It's one of the most useful programs I've ever had. 

Thanks for saying that out loud.  Sometimes I get too hard-core into troubleshooting that I overlook the simplest and most effective step of just....excluding the cache folder.

I'm sure someone can (and will) make a case for why you'd want cache2 in your backup, but since everyone also suggests that you just flush the cache when exiting FF, seems like this is the solution that will solve this issue for me right now.

Good point, the cache is empty anyway.

Clearing cache when closing Firefox also deletes all cookies (as far as I could see), and for some that can be a hard one to get used to. I try to avoid that, I clear individual site cookies only when I have to.

What's wrong with you people?  Clicking on clearing cache on closing is one option in FF.  You have to also click Cookies if you want them removed too.  Otherwise they are not removed. Pay attention.

Sorry RobW, in my settings, at closing down Firefox I cannot choose to only delete cache and not the cookies, only when deleting the cache manually I can do that. And when I did clear only the cache manually, and directly closed down FF, the backup still failed.

You are not correct.  Go to Tools/Settings/Privacy & Security/Clear History/ click that and Setting on the right becomes available.  You now have a selection of ticking history, cookies cache, etc. Select Cache only.

It's much easier in Thunderbird because the clearing cache box resides on the General page in plain sight.

Thank you ! So these two ticks not only are for clearing on demand, but also when closing Firefox ? That was not clear for me then 🤔

Mozilla uses the word 'History' to mean more than just 'browsing' History.  The line says Clear History when Firefox closes.  If that box is NOT ticked you do not have access to Settings to the right.  When it is clicked you can open Settings and select what you wish.  There are 7 options, Cache being one of them.

😠 I made a complete fool of myself by being in the wrong place in the settings. The whole time I was adjusting 'Cookies and website data' (or similar in English). That is above the History. Even after your comments I was not changing the History settings. Found it after I encountered more doubts through your text (It is partly a translation thingy to Dutch).


No you didn't.  It's not obvious at all.  I did not find it myself but followed advice from some other user back on the 27th, 28th or similar date where they explained in detail how to access cache and have it clear on closing FF.  The trick running backup after that is you MUST close FF (or TBird) otherwise it will fail.

As to others that insist this is a Defender issue, the problem did not exist for most users until FF update 121.0 was applied.  Defender may be/is falsely identifying a FF cache2 entry or entries as being a trojan but the issue is that Mozilla has these cache2 entries formatted in a manner that causes Defender algorithms to 'think' they see a trojan.  It's up to Mozilla to determine the problem and take corrective action which may also involve Microsoft.  They can do so quite easily because they have the ability to test their software against Defender definitions.  It's Mozilla who have a vested interest in ensuring FF runs properly and does not cause problems.  FF is small potatoes in the Microsoft world.

It looks like there are at least two different ways to clear cache in FF. The first one is under History as RobW pointed out, the other one is under Cookies and Site Data. One needs to click on Clear Data button and will be presented with two choices to delete Cookies and Site Data, Cached Web Content or both.

Familiar face

I think, RobW has found the most convenient way to clear the browser cache on the FF closure. Thank you, RobW!

Familiar face

I can't take credit for this.  It was jackb on the 27th who posted the method and I followed it.  Backup still failed but Defender posted a note that cache2 in Thunderbird was the culprit.  I googled that and found there was a similar method in TBird and followed that.  As long as both programs are closed backup is always successful.

tomhummus has reported Mozilla is looking into this issue and I'm sure it will be corrected.

Making moves

i had this happen to me while using a 2 years outdated Basilisk browser with the UBlock Origin extension. I only use it to check the weather with about 20 static tabs so i didnt bother to update it. It happened a few minutes after i finally decided to run a backup (Win 7 type) after the OS had been nagging me for months. I created a separate partition on the HDD for backups, then selected Win7 type and after a few minutes WinDefender popped up with the scary malware notification and at the same time the OS notified me that the backup had failed.  Eventually i just deleted all files on the backup partition and tried again and it worked. WinDefender said it wasnt certain that it had quarantined the malware.

In the next few hours i bought Eset Internet Security and Malwarebytes Pro version and installed both and neither found anything.

Making moves

Same prob here. Since 31/12/23 when a back up ran.

Defender finds the Trojan in shadow copy 30, quarantines it and removes it, but it keeps being detected. I’ve not had any weird behaviour so I’m hoping it is a false positive. 

This was on my Win7 laptop only even though I use FF across multiple laptops. Is the delete FF cache and delete restore points the suggested way forwards? 

Some other online resources keep pointing to running Spyhunter.

I ran Malwarebytes and it crapped out doing a full scan.

Currently running super anti spyware full scan. I also ran it two days ago when this first showed up, it only found ad tracking objects. 



Defender found and deleted the flagged profile file in the shadow copy. I deleted FF cache and closed it, ran full disk virus scans using three different scanners including Defender. All clear. Ran a back up and it ran fine. 

Now I’ve started FF and updated it, re logged in to a few sites… will see whether back up fails and Defender triggers again. 

Making moves

I'm on Win10 and just had my monthly Win7-style backup fail due to an infected file.  Investigation showed that like the others. trojan:HTML/Phish!pz was found in a Firefox cache2 entry.  I am not running Glarry or uBlock.  Win Defender detected the threat but was unable to "fully remediate" it despite several tries.  I deleted the entry and eventually cleared the entire cache, but it reappeared next time I ran FF, though I believe the filename was different.  I also ran Msft's offline scan program, which behaved oddly--it took a long time to run (4 million files) and was reporting 155 infections but then it seemed to hang for at least 5 minutes (though Task Manager showed it consuming CPU and disk).  I assumed it had gone off into the weeds and hit cancel, which did not seem to have any effect immediately, but after a minute or two, the program appeared to end normally and reported that no infection was found(!).

I have no idea what it's doing, if anything, on my machine.  I do nightly incremental backups with SyncBack and those are running without complaint, though I suspect they are simply not looking for malware.  I am more concerned with removing the threat permanently than finding a work around so that backups will run.

I think everybody has come to the conclusion that more likely than not this is a false positive. Submit your feedback to Microsoft through the Windows Defender application. Some people has done so already.

Familiar face

You are wasting your time if you think Microsoft will be interested in dealing with an issue affecting somewhere between 7-10% of browser users.  That's the approximation for FF.  It's Mozilla who has a vested interest in ensuring their community product performs for their users.  If this problem resides with Defender, it's up to Mozilla to prove that first and then take ti to Microsoft.  You will not be successful putting the cart before the horse by trying to contact MS.

Personally, I believe the issue is caused by FF, not Defender.  In the meantime it can be alleviated by having FF clear cache when closing OR removing cache2 from the backup process in User AppData.  Either one of these will ensure your Restore point is not compromised as well.

Also, reading comments  by new posters, it's apparent they are not reading the early forum postings from the 28th +.

Not reading the comments seems a problem for this forum I think, I myself regularly loose track of what is posted where.

I have posted a Defender feedback report for MS, just to put a bit of pressure. If no one does, no one bothers.

For now we are dependant on coders from Mozilla or Microsoft to find the reason. In the mean time better exclude the cache2 folders from backing up by editing the preferences of Windows Backup:


and if you also use Thunderbird:


For xxxxxxxxx, look in every folder in the \profiles\ folder for a cache2 folder, and exclude it from the backup to be sure. I had 5 in total, didn't even bother to look if they were empty or not.

See my post on 01-02-2024 07:55 AM

Update:  I may have solved the problem.  These were the steps (in Win10):

  1. Close FF
  2. In Explorer, navigate to the cache2\entries folder where Windows Defender reported the threat, then delete all files in that folder.
  3. Open the Properties panel of C:\ and click on Disk Cleanup
  4. Click on Cleanup System Files
  5. After it does some space calculations, click on the More Options tab at the top of the panel
  6. Click on the System Restore and Shadows Copies Clean Up button
  7. Confirm your selection till it gets tired of asking the same question.

I then ran a complete Defender scan, which came up clean, double checked that Cache2\entries was still empty, then ran the Win7 backup that I usually do.  This time, the backup completed with no problem.

A few comments--I suppose there's not much harm in excluding all cache files from backup, but I am not happy about leaving a known bit of malware in place.  What else might it be doing besides screwing up your backup?  I have not seen any consensus about what this entity really is, so I prefer to avoid the risk if I can.

Another thing, is this procedure is not without risk, in that it eliminates all but your most recent restore point.  I've resorted to restore points very seldom and I'm pretty sure I never needed anything older than the latest one, but your mileage may vary, so think about it.  Perhaps there's a way to eliminate the shadow copies while maintaining the restore points--or maybe that doesn't make any sense, dunno.

Finally, this has been my first encounter with a persistent threat, one that reappears after you think you have deleted it.  I will not be surprised to find that it reappears somewhere else in the future.  Hopefully by then, enough smart people will have dealt with it to come up with a definitive eradication method.