Showing results for 
Show  only  | Search instead for 
Did you mean: 

Microsoft Defender reporting Trojan:HTML/Phish!pz threat with Firefox

Making moves

Multiple items quarentined by Microsoft Defender. It is reporting Trajon:HTML/Phish!pz is detected in Firefox cache. Some examples being:




258 REPLIES 258

Be aware, this is not a virus or a threat. Its a bug in the detection, a "false positive". There is no malware.

Hope so.  It's just kind of hard to get an authoritative version of things on the net.  I guess it would be in Msfts court to acknowledge the false positive (and fix their signature detection).

This is why we all need to submit our feedback through Windows Defender. Someone on this thread has done it already. We all should do so as well. Hopefully, MS will hear us..  

The reason why people see it as a false positive is because at every try to make a backup, it fails on the same threat: Trojan:HTML/Phish!pzBut, but every try also the filename changes (and sometimes even the path to the cache2 folder). And all these different files that are getting flagged are from different origin, we have opened a few.

Also, we copied some of these flagged files out from the backup, and scanned them with Defender. I even uploaded them to virustotal. Nowhere a virus to be found.

About the latest restore points, you could have a valid point here.... Looking at it after your comment, my latest restore point now is from Dec 22th, and that is strangely short time.... I have some older, but these are located in full system backups.

Are you suggesting that with excluded files from the backup Windows will not allow more restore points than the latest ? It is indeed a problem to restore a system if only partly folders are 'original'.

And if you copies those flagged files out of a shadow copy and scan them again, at that point Windows Defender find nothing at all in the same files, which it had flagged as infected previously.

After you excluded the cache2 folders from BU, did you take a look at your restore points, and noticed only the latest are there as lurker212 suggested ? (See my prior comment)


I got this problem exclusively only during backup with Win7-proc. Any defendercheck to the original cache is running ok. Meanwhile I'm deleting the cache2 directory manually (FF and SM both the same at win7-backup under Win10) after closing FF and SM, repeat my backup, restart FF and SM and that's it.

Obviously the backup compresses the cache and defender inhibits the write to the backup-disk (shadow). So f....... them both, stop FF and SM, delete all cache2, restart backup, restart FF and SM.

(Before I did checking down to hell everything, uninstall and reinstall FF and SM, looked in cache2 and ...... I'm sad for more checking, no mor problem . just killing cache2 and restart backp + browsers).


PS I'm doing this on two PCs since Christmas. I think, Mozilla has no chance to avoid it, because defender is inhibiting the backup-file - NOT the original cache2-file. I tested this multiple times before using the above procedure.

Forgot: no addin's in both and FF and SM at newest level. You have to delete /cache2/* completely by hand, best idea in every profile cache2 exists, the tools-bar clear cache will not help (FF and SM).




Familiar face

TomH submitted this bug to Mozilla team a few days ago. Here is the link. They seem to be looking at it

1872395 - HTML/Phish!pz threat appears in Firefox cache after update to 121.0 

Thanks, to keep an peeking eye on for now.

Familiar face

As I have said a number of times, it's Mozilla who is responsible for determining where the problem lies, affecting their software.  NOT Microsoft.

and you were wrong every time. Its not Mozilla's fault Microsoft's software is detecting this string as something it isn't. Its not a big deal, virus checkers get false positives wrong regularly, and they get fixed after being reported. Note that only Defender is reporting this, other virus checkers are not flagging it.

I am not wrong.  FF made some recent changes and this caused Defender to define ??something?? as being a trojan when it isn't.  Mozilla needs to determine what that is and correct it.  Possibly the problem could reside with Defender but it's still up to Mozilla to determine that and if necessary, approach Microsoft.

I have been watching this thread all the way through. The same thing has happened to me. It started 12/30. I don't believe it is a Mozilla problem, because I'm one of those people that doesn't do the updates when they are supposed to. I am running a pretty old version of Mozilla Firefox and Thunderbird, but in trying to do the Windows 7 backup, it flagged a file in my cache2 folder of a shadow copy. Running all the suggested Microsoft scans and the one that scans offline, nothing was found. Super anti-spyware did not find it either. What worked, was finding all the cache2 folders, doing a 'select all', and deleting all their contents. I would note that before I do a backup, I do a super anti-spyware scan with all programs closed. Then I do a Windows 7 backup. Never had a problem before. The backup I did after following these new steps worked. I am in the middle of doing a backup now. Will post more if it fails.

My way to deal with the cache2 folders was to download the Everything app and find them. Then I pinned them to my quick start menu. Now it's very simple to open each of them and delete the contents before I do my backup.

Logically, it makes sense to me that it is a Windows defender problem, because, like I said, I am running old versions of Firefox and Thunderbird that have not been updated in a long time.

What version of FF and TBird are you using?

Hello Greenthumb,

The version of Firefox or Thunderbird is pretty much immaterial. The problem is that Defender is now calling out cache2 files as bad. Backup & Restore (Windows 7) will fail as long as cache2 exists. The easy way to get rid of cache to is to set Firefox, and Thunderbird if needed, to delete the cache when Firefox, or Thunderbird) closes, ( for every user on the PC.

Correct, Defender is reporting the virus, in my case on 2 Win10 PC's and 2 Win11 PC's,but not deleting or quarantining it.  I loaded BitDefender on one PC and Norton365 on another PC.  Ran full scans on both PC's and they didn't find anything, but my backups ran fine.  But as soon as I uninstalled BitDefender and Norton365 Windows Defender stared finding the virus again and my backups failed.

So I don't really know whether this is a false positive, as many here are claiming, or not.  But if it is, then the fault lies with Microsoft, not Mozilla.  Mozilla should not be held accountable for mistakes that other companies make which affect its products, though it is reasonable to think that they would be active in clarifying the errors of others.

I have to disagree with you on this point, RobW. Let me give you an example. I use LibreOffice on all of my Linux boxes and even some of my Windows machines. A couple years ago Immunet and Trend Micro started reporting malware in LibreOffice. Trend wouldn't even allow the download of the installation files and Immunet said the install had bugs in a bunch of files. Trend eventually discovered it was an errant URL block, and Immunet decided it was a false positive.

None of the other malware scanning products detected a problem with LibreOffice. Using your logic, wouldn't we be saying the problem was LibreOffice's to solve, not Immunet's or Trend Micro's?

Making moves

It's a week later, issue is still there... for the time being I'm still going to still assume it's windows defender flagging random files as a trojan and tell windows backup to ignore Appdata/Local/Mozilla so my backups can complete. Would love to see some feedback/confirmation from Mozilla/MS on this.

Making moves

After some evaluating and checking my system, I have to come to the agreement this issue is a false positive. The computers I am using are not used for gaming or general browsing. I visit specific web pages run by MS support, Google, and a few other corporations. I never open unsolicited emails and email attachments.

Since the virus scanner can spot this cache file, this means if the actual virus was in my computers the virus scanner would have flagged them also, and especially for when I do a full scan. I also did an offline scan with this virus scanner where it rebooted the computer and did an offline scan before Windows started.

I have FF set up now on all my computers where when I close FF the cache is deleted. When I make a backup I close FF for during the session.  If I need the computer for my work, I use another computer. Most of the time I do the backups over night. If done during the day, they are done while I am out of my office. 

Making moves

Mozilla is looking into the issue. They need a regression analysis of an affected FF. I will be able to deliver one end of the week, but if one also wants to contribute one earlier, please go ahead and upload it to the bugzilla report:

Tom, I do not have an account to add this to the bug report.  If you could please let them know this issue started on my system: Win7-64 FF 115.6esr on 12/26/2023 with the MSE

security intelligence update version 1.403.1150.0

Prior to that  Security Intelligence Update for Microsoft Security Essentials - KB2310138 (Version 1.403.1057.0) - Current Channel (Broad) had been installed 0n 12/24/2023 and did not cause the issue when running system backups at 7:00pm EST.  Hopefully, that will help MSFT track down the issue.

Hey BarnStormer, sure, I added this context to the bug comments!
It seems that the issue should be tackeld by Microsoft and not Mozilla. I was not able to do a proper regression analysis, since the detection also persists with older versions of Firefox/Thunderbird. Thats tracking it down to a issue with defender. But as someone wrote here before, maybe Mozilla developers have greater leverage over Microsoft development than users have.

Making moves

I ran a full scan (took about 30 hours). While scanning, the status screen showed more than 1,600 infected files. When it was done, only HTML/Phish!pz was identified, and it reported it as removed. (Does that mean this virus was in all of the infected files?) Immediately thereafter, Defender said "0 current threats. No action needed."

Since then, I have been getting "Check your backup" warnings. It indicates the backup location is my external drive, and has error code 0x800700E1. The Defender Virus & threat protection tab lists several "Current threats" as "Severe" and "Remediation incomplete."

Detected: Trojan:HTML/Phish!pz
Status: Failed
This threat or app might not be completely remediated.
This program is dangerous and executes commands from an attacker.
Affected items: file: \Device\HarddiskVolumeShadowCopy8\Users\swolf\AppData\Local\Mozilla\Firefox\Profiles\la4ol7le.default-1642869000923\cache2\entries\012BBA2EEA31C58C0C39119A9C73F9E669DD2AC0 [and several other similar paths]

It also lists as "This app has been blocked" for

I am unable to complete a backup.

Hello Swolfearch,

The first problem, Trojan:HTML/Phish!pz, is a problem with Defender flagging bad various files in either the Firefox or Thunderbird cache2 directories. Mozilla support is looking at it under It is easily bypassed in the meantime by setting Firefox and Thunderbird to clear the cache when closing the program and then making sure that both are closed when backup is running. You might have to delete the shadow copy also.

The second problem looks to have already been resolved by Defender.

Familiar face

Thank you jackb.  After making the changes you suggested to FF on the 27th and TBird which I later discovered, I found I did not need to deal with restore point shadow copies.   It 'appears' that restore points are set by System after backup is run so when it runs successfully you will not have any Defender notations that a trojan was discovered in a shadow copy.

Go to the indicated folder itself and delete the cache file. Or you can simply delete all the cache files in that folder.  When FF starts up again it will recreate the files as required.   Sometimes Defender does not delete that cache file.

I set FF to delete all the cache files when closing. If you are using Thunderbird and have this issue you must also do the same for its cache.

After deleting the file, also empty the recycle bin. Defender also scans the recycle bin.

I started to see this issue shortly after the last update of FF.

Recycle bin doesn't seem to matter.   Manually clearing FF cache and restore points (shadow copies) if needed does not result in entries appearing in recycle bin.

I first tried deleting the specific cache files identified by Defender. That didn't work; new files were identified every day. I cleared the cache and changed the settings so the cache is cleared automatically when I leave Firefox, then deleted all files in the ...cache2\entries\ folder. I did not delete the recycle bin. Before restarting Firefox, I was able to complete a backup. Since I started Firefox this morning, and have received no warnings. I'll report back in a day or so. I did see that I have restore points only since I started tweaking, but I have never used one, so I'm not sure if that was a great loss. Thanks to Jerryg50, Jackb, lurker212, and all who contributed to this thread.

Making moves

I'm having the same issue. Just found out on Jan 4, 2024 when I start a Win 7 manual backup (on a Win 10 PC with FF 121). Strange thing is it only triggers WinDefender notification when it creates a shadow copy. I did a Full Scan. Nothing found. Retry backup, there it is again, Trojan:HTML/Phish!pz.

Rescan the entire drive, nothing found, again. Redo the backup, Trojan:HTML/Phish!pz found.

I just cleared Firefox cache for all users. Restarting the backup. So far no detection yet. Backup is in progress right now.

Making moves

I would clarify that the cache2 folders whose contents I deleted were for both Firefox and Thunderbird.

Also, I empty the recycle bin just to be on the safe side.

I don't use Ublock or Glary. But I do have an Adblock Plus extension in Firefox. I'm very careful where I go, but I do a lot of shopping on Amazon.

I don't respond to emails that are suspicious, but lately I keep getting emails that I have not signed up for, and have hit the unsubscribe button in several of them to remove me from the subscription list. It opens Firefox by default, and takes me to a page to unsubscribe. Perhaps that had something to do with it?

Making moves

 Based on the advice from   I Ran a SFC & DISM scan.

  1. Press the Windows key, type cmd, and select Run as administrator.
  2. Click Yes in the User Account Control (UAC) window.
  3. In the command prompt window, type in the following command   sfc /scannow and hit Enter:

 It's been 2 hours  and the defender virus "false" report hasn't reappeared.

Warning. this scan takes hours to complete.

Sorry to tell you, but this is just the default answer of these stupid "Microsoft employees" / volunteers that should actually have been replaced by more capable bots long ago 😕

I doubt it ever even helped a single person, would be highly surprised if the issue doesn't come back for you.

  Defender hasn't notified me of any viruses since I ran sfc /scannow .

 The bad news is  I still can't complete a Windows back up.  I get about 2/3rds of the way  through and  the back up stops because  Windows found a virus.

  Just like everyone else, no amount of virus scans show any problems at all.

Familiar face

Something out of whack with your computer.  When I run either SFC Scannow or DISM it takes minutes.  SFC scans in seconds, a little longer if it finds errors.

Making moves

 I had to turn off  sleep mode. After that it finished the last  25 percent in less than an hour.

Making moves

Ich habe die Schattenkopien gelöscht und die Dienste für Shadow-Services deaktiviert mit Msconfig und neu gebootet. Danach lief der Defender als Full-scan ohne Fehlermeldung mit Phish!pz erstmalig durch. Leider kann ich ohne Shadow keine Sicherung fahren. In dem Moment, wo ich die Shadow-Dienste wieder aktivier und die Sicherung fahre, fährt die Sicherung zum Schluss mit Virenwarnung vor die Wand.

Making moves

Not sure this behaviour has been cited in previous posts but I ran a backup with the FF profile cache excluded and MSE went from finding the Trojan in the soft backup directory, to the unhidden cache2 directory. A virus scan just before backup did not report a virus. I had MSE remove the file and back up ran ok. 

Like others have reported, if the FF cache is cleared then back up runs ok, but logging back into every site I want to have ready access to is a complete pain. I can’t recall if keeping cookies but deleting the rest of the cache (via FF settings) causes the Trojan to flag on back up. I haven’t been diligently noting the outcomes of all the things I’ve tried. 

It is clear that there is a direct correlation between the Trojan flagging in MSE and the running of the backup.

I have just set up Super anti spyware and MSE to be able to do a custom scan on just the “infected” directory. Next time I’m bothered to run a backup, or after the automated weekly backup and the Trojan is detected again, I’ll run scans on just the directory to see what comes up.

In the meantime, in the time between backups after MSE deletes the flagged file, every scan  using SASW, MSE and Malware bytes, runs clean. I don’t visit compromised sites or open suspicious emails… and I’m only using certified FF extensions.

This seems more and more likely to be a false positive. 

Keeping cookies is OK. I am repeating others here:

Firefox: 'Tools - Settings - Privacy & Security - History - Clear History when closing down'. The settings on the right of that can be opened. In there select 'cache' only.

If you use Thunderbird too: 'Settings - General page - Disk space - Clear cache when closing down'.

Before you run you Windows Backup, close down Firefox and Thunderbird. So turn your BU schedule off, and try to remember to start it manually once in a while.


Another way is to go into the BU settings, and exclude every cache2 folder (in every separate folder in \Users\[user]\AppData\Local\Mozilla\Firefox\Profiles\ ), and do that for Thunderbird too. I excluded 6 cache2 folders that way.