12-16-2023 07:33 PM
Multiple items quarentined by Microsoft Defender. It is reporting Trajon:HTML/Phish!pz is detected in Firefox cache. Some examples being:
C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\077D332D18D04002F4E4F2029C7BBDBD6075BBD8
C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\087BCF7C6435165AD81CEA178C340D8C71CA965E
C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0DB91AB2260ACFD2290F3A56BDB862D6F2359779
C:\Users\UserName\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0E79D7DDB0575B34F6E2A2DC0D77F7B91117DABB
01-03-2024 07:15 AM
Be aware, this is not a virus or a threat. Its a bug in the detection, a "false positive". There is no malware.
01-03-2024 07:29 AM
Hope so. It's just kind of hard to get an authoritative version of things on the net. I guess it would be in Msfts court to acknowledge the false positive (and fix their signature detection).
01-03-2024 07:32 AM
This is why we all need to submit our feedback through Windows Defender. Someone on this thread has done it already. We all should do so as well. Hopefully, MS will hear us..
01-03-2024 07:42 AM - edited 01-03-2024 07:59 AM
The reason why people see it as a false positive is because at every try to make a backup, it fails on the same threat: Trojan:HTML/Phish!pzBut, but every try also the filename changes (and sometimes even the path to the cache2 folder). And all these different files that are getting flagged are from different origin, we have opened a few.
Also, we copied some of these flagged files out from the backup, and scanned them with Defender. I even uploaded them to virustotal. Nowhere a virus to be found.
About the latest restore points, you could have a valid point here.... Looking at it after your comment, my latest restore point now is from Dec 22th, and that is strangely short time.... I have some older, but these are located in full system backups.
Are you suggesting that with excluded files from the backup Windows will not allow more restore points than the latest ? It is indeed a problem to restore a system if only partly folders are 'original'.
01-03-2024 07:46 AM - edited 01-03-2024 07:46 AM
And if you copies those flagged files out of a shadow copy and scan them again, at that point Windows Defender find nothing at all in the same files, which it had flagged as infected previously.
01-03-2024 08:05 AM
After you excluded the cache2 folders from BU, did you take a look at your restore points, and noticed only the latest are there as lurker212 suggested ? (See my prior comment)
01-07-2024 01:04 PM - edited 01-07-2024 01:24 PM
I got this problem exclusively only during backup with Win7-proc. Any defendercheck to the original cache is running ok. Meanwhile I'm deleting the cache2 directory manually (FF and SM both the same at win7-backup under Win10) after closing FF and SM, repeat my backup, restart FF and SM and that's it.
Obviously the backup compresses the cache and defender inhibits the write to the backup-disk (shadow). So f....... them both, stop FF and SM, delete all cache2, restart backup, restart FF and SM.
(Before I did checking down to hell everything, uninstall and reinstall FF and SM, looked in cache2 and ...... I'm sad for more checking, no mor problem . just killing cache2 and restart backp + browsers).
Peter
PS I'm doing this on two PCs since Christmas. I think, Mozilla has no chance to avoid it, because defender is inhibiting the backup-file - NOT the original cache2-file. I tested this multiple times before using the above procedure.
Forgot: no addin's in both and FF and SM at newest level. You have to delete /cache2/* completely by hand, best idea in every profile cache2 exists, the tools-bar clear cache will not help (FF and SM).
01-03-2024 08:45 AM
TomH submitted this bug to Mozilla team a few days ago. Here is the link. They seem to be looking at it
1872395 - HTML/Phish!pz threat appears in Firefox cache after update to 121.0
01-03-2024 09:14 AM - edited 01-03-2024 09:17 AM
Thanks, to keep an peeking eye on for now.
01-03-2024 09:29 AM
As I have said a number of times, it's Mozilla who is responsible for determining where the problem lies, affecting their software. NOT Microsoft.
01-03-2024 09:41 AM
and you were wrong every time. Its not Mozilla's fault Microsoft's software is detecting this string as something it isn't. Its not a big deal, virus checkers get false positives wrong regularly, and they get fixed after being reported. Note that only Defender is reporting this, other virus checkers are not flagging it.
01-03-2024 09:47 AM
I am not wrong. FF made some recent changes and this caused Defender to define ??something?? as being a trojan when it isn't. Mozilla needs to determine what that is and correct it. Possibly the problem could reside with Defender but it's still up to Mozilla to determine that and if necessary, approach Microsoft.
01-06-2024 11:47 AM
I have been watching this thread all the way through. The same thing has happened to me. It started 12/30. I don't believe it is a Mozilla problem, because I'm one of those people that doesn't do the updates when they are supposed to. I am running a pretty old version of Mozilla Firefox and Thunderbird, but in trying to do the Windows 7 backup, it flagged a file in my cache2 folder of a shadow copy. Running all the suggested Microsoft scans and the one that scans offline, nothing was found. Super anti-spyware did not find it either. What worked, was finding all the cache2 folders, doing a 'select all', and deleting all their contents. I would note that before I do a backup, I do a super anti-spyware scan with all programs closed. Then I do a Windows 7 backup. Never had a problem before. The backup I did after following these new steps worked. I am in the middle of doing a backup now. Will post more if it fails.
My way to deal with the cache2 folders was to download the Everything app and find them. Then I pinned them to my quick start menu. Now it's very simple to open each of them and delete the contents before I do my backup.
Logically, it makes sense to me that it is a Windows defender problem, because, like I said, I am running old versions of Firefox and Thunderbird that have not been updated in a long time.
01-06-2024 11:56 AM
What version of FF and TBird are you using?
01-06-2024 03:08 PM
Hello Greenthumb,
The version of Firefox or Thunderbird is pretty much immaterial. The problem is that Defender is now calling out cache2 files as bad. Backup & Restore (Windows 7) will fail as long as cache2 exists. The easy way to get rid of cache to is to set Firefox, and Thunderbird if needed, to delete the cache when Firefox, or Thunderbird) closes, (https://support.mozilla.org/en-US/kb/how-clear-firefox-cache) for every user on the PC.
01-10-2024 06:02 PM
Correct, Defender is reporting the virus, in my case on 2 Win10 PC's and 2 Win11 PC's,but not deleting or quarantining it. I loaded BitDefender on one PC and Norton365 on another PC. Ran full scans on both PC's and they didn't find anything, but my backups ran fine. But as soon as I uninstalled BitDefender and Norton365 Windows Defender stared finding the virus again and my backups failed.
01-03-2024 09:46 AM
So I don't really know whether this is a false positive, as many here are claiming, or not. But if it is, then the fault lies with Microsoft, not Mozilla. Mozilla should not be held accountable for mistakes that other companies make which affect its products, though it is reasonable to think that they would be active in clarifying the errors of others.
01-03-2024 11:19 AM - edited 01-03-2024 11:25 AM
I have to disagree with you on this point, RobW. Let me give you an example. I use LibreOffice on all of my Linux boxes and even some of my Windows machines. A couple years ago Immunet and Trend Micro started reporting malware in LibreOffice. Trend wouldn't even allow the download of the installation files and Immunet said the install had bugs in a bunch of files. Trend eventually discovered it was an errant URL block, and Immunet decided it was a false positive.
None of the other malware scanning products detected a problem with LibreOffice. Using your logic, wouldn't we be saying the problem was LibreOffice's to solve, not Immunet's or Trend Micro's?
01-03-2024 11:33 AM
It's a week later, issue is still there... for the time being I'm still going to still assume it's windows defender flagging random files as a trojan and tell windows backup to ignore Appdata/Local/Mozilla so my backups can complete. Would love to see some feedback/confirmation from Mozilla/MS on this.
01-03-2024 05:39 PM
After some evaluating and checking my system, I have to come to the agreement this issue is a false positive. The computers I am using are not used for gaming or general browsing. I visit specific web pages run by MS support, Google, and a few other corporations. I never open unsolicited emails and email attachments.
Since the virus scanner can spot this cache file, this means if the actual virus was in my computers the virus scanner would have flagged them also, and especially for when I do a full scan. I also did an offline scan with this virus scanner where it rebooted the computer and did an offline scan before Windows started.
I have FF set up now on all my computers where when I close FF the cache is deleted. When I make a backup I close FF for during the session. If I need the computer for my work, I use another computer. Most of the time I do the backups over night. If done during the day, they are done while I am out of my office.
01-03-2024 11:00 PM
Mozilla is looking into the issue. They need a regression analysis of an affected FF. I will be able to deliver one end of the week, but if one also wants to contribute one earlier, please go ahead and upload it to the bugzilla report:
01-07-2024 10:13 AM
Tom, I do not have an account to add this to the bug report. If you could please let them know this issue started on my system: Win7-64 FF 115.6esr on 12/26/2023 with the MSE
Prior to that Security Intelligence Update for Microsoft Security Essentials - KB2310138 (Version 1.403.1057.0) - Current Channel (Broad) had been installed 0n 12/24/2023 and did not cause the issue when running system backups at 7:00pm EST. Hopefully, that will help MSFT track down the issue.
01-07-2024 10:54 AM
Hey BarnStormer, sure, I added this context to the bug comments!
It seems that the issue should be tackeld by Microsoft and not Mozilla. I was not able to do a proper regression analysis, since the detection also persists with older versions of Firefox/Thunderbird. Thats tracking it down to a issue with defender. But as someone wrote here before, maybe Mozilla developers have greater leverage over Microsoft development than users have.
01-04-2024 09:49 AM
I ran a full scan (took about 30 hours). While scanning, the status screen showed more than 1,600 infected files. When it was done, only HTML/Phish!pz was identified, and it reported it as removed. (Does that mean this virus was in all of the infected files?) Immediately thereafter, Defender said "0 current threats. No action needed."
Since then, I have been getting "Check your backup" warnings. It indicates the backup location is my external drive, and has error code 0x800700E1. The Defender Virus & threat protection tab lists several "Current threats" as "Severe" and "Remediation incomplete."
Detected: Trojan:HTML/Phish!pz
Status: Failed
This threat or app might not be completely remediated.
This program is dangerous and executes commands from an attacker.
Affected items: file: \Device\HarddiskVolumeShadowCopy8\Users\swolf\AppData\Local\Mozilla\Firefox\Profiles\la4ol7le.default-1642869000923\cache2\entries\012BBA2EEA31C58C0C39119A9C73F9E669DD2AC0 [and several other similar paths]
It also lists as "This app has been blocked" for
PUA:Win32/Spigot
PUABBundler:Win32/PiriformBundler
PUAD|Manager:Win32/InstallCore
APPaTube_Catcher_BundleInstaller
PUA:Win32/Presenoker
I am unable to complete a backup.
01-04-2024 10:09 AM
Hello Swolfearch,
The first problem, Trojan:HTML/Phish!pz, is a problem with Defender flagging bad various files in either the Firefox or Thunderbird cache2 directories. Mozilla support is looking at it under https://bugzilla.mozilla.org/show_bug.cgi?id=1872395. It is easily bypassed in the meantime by setting Firefox and Thunderbird to clear the cache when closing the program and then making sure that both are closed when backup is running. You might have to delete the shadow copy also.
The second problem looks to have already been resolved by Defender.
01-04-2024 10:33 AM
Thank you jackb. After making the changes you suggested to FF on the 27th and TBird which I later discovered, I found I did not need to deal with restore point shadow copies. It 'appears' that restore points are set by System after backup is run so when it runs successfully you will not have any Defender notations that a trojan was discovered in a shadow copy.
01-04-2024 09:16 PM
Go to the indicated folder itself and delete the cache file. Or you can simply delete all the cache files in that folder. When FF starts up again it will recreate the files as required. Sometimes Defender does not delete that cache file.
I set FF to delete all the cache files when closing. If you are using Thunderbird and have this issue you must also do the same for its cache.
After deleting the file, also empty the recycle bin. Defender also scans the recycle bin.
I started to see this issue shortly after the last update of FF.
01-05-2024 09:20 AM
Recycle bin doesn't seem to matter. Manually clearing FF cache and restore points (shadow copies) if needed does not result in entries appearing in recycle bin.
01-07-2024 08:37 AM
I first tried deleting the specific cache files identified by Defender. That didn't work; new files were identified every day. I cleared the cache and changed the settings so the cache is cleared automatically when I leave Firefox, then deleted all files in the ...cache2\entries\ folder. I did not delete the recycle bin. Before restarting Firefox, I was able to complete a backup. Since I started Firefox this morning, and have received no warnings. I'll report back in a day or so. I did see that I have restore points only since I started tweaking, but I have never used one, so I'm not sure if that was a great loss. Thanks to Jerryg50, Jackb, lurker212, and all who contributed to this thread.
01-05-2024 10:52 AM - edited 01-05-2024 10:54 AM
I'm having the same issue. Just found out on Jan 4, 2024 when I start a Win 7 manual backup (on a Win 10 PC with FF 121). Strange thing is it only triggers WinDefender notification when it creates a shadow copy. I did a Full Scan. Nothing found. Retry backup, there it is again, Trojan:HTML/Phish!pz.
Rescan the entire drive, nothing found, again. Redo the backup, Trojan:HTML/Phish!pz found.
I just cleared Firefox cache for all users. Restarting the backup. So far no detection yet. Backup is in progress right now.
01-06-2024 11:56 AM
I would clarify that the cache2 folders whose contents I deleted were for both Firefox and Thunderbird.
Also, I empty the recycle bin just to be on the safe side.
01-06-2024 11:59 AM
I don't use Ublock or Glary. But I do have an Adblock Plus extension in Firefox. I'm very careful where I go, but I do a lot of shopping on Amazon.
I don't respond to emails that are suspicious, but lately I keep getting emails that I have not signed up for, and have hit the unsubscribe button in several of them to remove me from the subscription list. It opens Firefox by default, and takes me to a page to unsubscribe. Perhaps that had something to do with it?
01-08-2024 05:40 AM
Based on the advice from windowsreport.com I Ran a SFC & DISM scan.
It's been 2 hours and the defender virus "false" report hasn't reappeared.
Warning. this scan takes hours to complete.
01-08-2024 10:41 AM
Sorry to tell you, but this is just the default answer of these stupid "Microsoft employees" / volunteers that should actually have been replaced by more capable bots long ago 😕
I doubt it ever even helped a single person, would be highly surprised if the issue doesn't come back for you.
01-09-2024 05:17 AM
Defender hasn't notified me of any viruses since I ran sfc /scannow .
The bad news is I still can't complete a Windows back up. I get about 2/3rds of the way through and the back up stops because Windows found a virus.
Just like everyone else, no amount of virus scans show any problems at all.
01-08-2024 10:49 AM
Something out of whack with your computer. When I run either SFC Scannow or DISM it takes minutes. SFC scans in seconds, a little longer if it finds errors.
01-09-2024 05:13 AM
I had to turn off sleep mode. After that it finished the last 25 percent in less than an hour.
01-08-2024 12:42 PM
Ich habe die Schattenkopien gelöscht und die Dienste für Shadow-Services deaktiviert mit Msconfig und neu gebootet. Danach lief der Defender als Full-scan ohne Fehlermeldung mit Phish!pz erstmalig durch. Leider kann ich ohne Shadow keine Sicherung fahren. In dem Moment, wo ich die Shadow-Dienste wieder aktivier und die Sicherung fahre, fährt die Sicherung zum Schluss mit Virenwarnung vor die Wand.
01-09-2024 02:21 PM
Not sure this behaviour has been cited in previous posts but I ran a backup with the FF profile cache excluded and MSE went from finding the Trojan in the soft backup directory, to the unhidden cache2 directory. A virus scan just before backup did not report a virus. I had MSE remove the file and back up ran ok.
Like others have reported, if the FF cache is cleared then back up runs ok, but logging back into every site I want to have ready access to is a complete pain. I can’t recall if keeping cookies but deleting the rest of the cache (via FF settings) causes the Trojan to flag on back up. I haven’t been diligently noting the outcomes of all the things I’ve tried.
It is clear that there is a direct correlation between the Trojan flagging in MSE and the running of the backup.
I have just set up Super anti spyware and MSE to be able to do a custom scan on just the “infected” directory. Next time I’m bothered to run a backup, or after the automated weekly backup and the Trojan is detected again, I’ll run scans on just the directory to see what comes up.
In the meantime, in the time between backups after MSE deletes the flagged file, every scan using SASW, MSE and Malware bytes, runs clean. I don’t visit compromised sites or open suspicious emails… and I’m only using certified FF extensions.
This seems more and more likely to be a false positive.
01-09-2024 03:42 PM
Keeping cookies is OK. I am repeating others here:
Firefox: 'Tools - Settings - Privacy & Security - History - Clear History when closing down'. The settings on the right of that can be opened. In there select 'cache' only.
If you use Thunderbird too: 'Settings - General page - Disk space - Clear cache when closing down'.
Before you run you Windows Backup, close down Firefox and Thunderbird. So turn your BU schedule off, and try to remember to start it manually once in a while.
Another way is to go into the BU settings, and exclude every cache2 folder (in every separate folder in \Users\[user]\AppData\Local\Mozilla\Firefox\Profiles\ ), and do that for Thunderbird too. I excluded 6 cache2 folders that way.