Microsoft Defender reporting Trojan:HTML/Phish!pz threat with Firefox

Issue_Report
Making moves

Multiple items quarantined by Microsoft Defender. It is reporting Trojan:HTML/Phish!pz is detected in Firefox cache. Some examples being:
C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\077D332D18D04002F4E4F2029C7BBDBD6075BBD8

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\087BCF7C6435165AD81CEA178C340D8C71CA965E

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0DB91AB2260ACFD2290F3A56BDB862D6F2359779

C:\Users\UserName\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0E79D7DDB0575B34F6E2A2DC0D77F7B91117DABB

Be aware, this is not a virus or a threat. It's a bug in the detection, a "false positive". There is no malware.

Hope so. It's just kind of hard to get an authoritative version of things on the net. I guess it would be in MSFT's court to acknowledge the false positive (and fix their signature detection).

This is why we all need to submit our feedback through Windows Defender. Someone on this thread has done it already. We all should do so as well. Hopefully, MS will hear us.

The reason why people see it as a false positive is because at every try to make a backup, it fails on the same threat: Trojan:HTML/Phish!pz. But every try the filename also changes (and sometimes even the path to the cache2 folder). And all these different files that are getting flagged are from different origins; we have opened a few.

Also, we copied some of these flagged files out from the backup, and scanned them with Defender. I even uploaded them to virustotal. Nowhere a virus to be found.

About the latest restore points, you could have a valid point here.... Looking at it after your comment, my latest restore point now is from Dec 22nd, and that is a strangely short time.... I have some older, but these are located in full system backups.

Are you suggesting that with excluded files from the backup Windows will not allow more restore points than the latest? It is indeed a problem to restore a system if only part of the folders are 'original'.

And if you copy those flagged files out of a shadow copy and scan them again, at that point Windows Defender finds nothing at all in the same files, which it had flagged as infected previously.

After you excluded the cache2 folders from BU, did you take a look at your restore points, and notice only the latest are there as lurker212 suggested? (See my prior comment)

I got this problem exclusively during backup with Win7-proc. Any Defender check of the original cache runs OK. Meanwhile I'm deleting the cache2 directory manually (FF and SM both the same at win7-backup under Win10) after closing FF and SM, repeat my backup, restart FF and SM and that's it.

Obviously the backup compresses the cache and defender inhibits the write to the backup-disk (shadow). So f....... them both, stop FF and SM, delete all cache2, restart backup, restart FF and SM.

(Before I did checking down to hell everything, uninstall and reinstall FF and SM, looked in cache2 and ...... I'm sad for more checking, no more problem, just killing cache2 and restart backup + browsers).

Peter

PS I'm doing this on two PCs since Christmas. I think, Mozilla has no chance to avoid it, because defender is inhibiting the backup-file - NOT the original cache2-file. I tested this multiple times before using the above procedure.

Forgot: no add-ins in both, and FF and SM at newest level. You have to delete /cache2/* completely by hand, best idea in every profile where cache2 exists; the tool-bar clear cache will not help (FF and SM).


dvg
Familiar face

TomH submitted this bug to the Mozilla team a few days ago. Here is the link. They seem to be looking at it.

1872395 - HTML/Phish!pz threat appears in Firefox cache after update to 121.0 

Thanks, to keep a peeking eye on for now.

RobW
Familiar face

As I have said a number of times, it's Mozilla who is responsible for determining where the problem lies, affecting their software. NOT Microsoft.

And you were wrong every time. It's not Mozilla's fault Microsoft's software is detecting this string as something it isn't. It's not a big deal, virus checkers get false positives regularly, and they get fixed after being reported. Note that only Defender is reporting this, other virus checkers are not flagging it.

I am not wrong. FF made some recent changes and this caused Defender to define ??something?? as being a trojan when it isn't. Mozilla needs to determine what that is and correct it. Possibly the problem could reside with Defender but it's still up to Mozilla to determine that and if necessary, approach Microsoft.

I have been watching this thread all the way through. The same thing has happened to me. It started 12/30. I don't believe it is a Mozilla problem, because I'm one of those people that doesn't do the updates when they are supposed to. I am running a pretty old version of Mozilla Firefox and Thunderbird, but in trying to do the Windows 7 backup, it flagged a file in my cache2 folder of a shadow copy. Running all the suggested Microsoft scans and the one that scans offline, nothing was found. Super anti-spyware did not find it either. What worked, was finding all the cache2 folders, doing a 'select all', and deleting all their contents. I would note that before I do a backup, I do a super anti-spyware scan with all programs closed. Then I do a Windows 7 backup. Never had a problem before. The backup I did after following these new steps worked. I am in the middle of doing a backup now. Will post more if it fails.

My way to deal with the cache2 folders was to download the Everything app and find them. Then I pinned them to my quick start menu. Now it's very simple to open each of them and delete the contents before I do my backup.

Logically, it makes sense to me that it is a Windows defender problem, because, like I said, I am running old versions of Firefox and Thunderbird that have not been updated in a long time.

What version of FF and TBird are you using?

Hello Greenthumb,

The version of Firefox or Thunderbird is pretty much immaterial. The problem is that Defender is now calling out cache2 files as bad. Backup & Restore (Windows 7) will fail as long as cache2 exists. The easy way to get rid of the cache is to set Firefox, and Thunderbird if needed, to delete the cache when Firefox (or Thunderbird) closes (https://support.mozilla.org/en-US/kb/how-clear-firefox-cache) for every user on the PC.

Correct, Defender is reporting the virus, in my case on 2 Win10 PC's and 2 Win11 PC's, but not deleting or quarantining it. I loaded BitDefender on one PC and Norton365 on another PC. Ran full scans on both PC's and they didn't find anything, but my backups ran fine. But as soon as I uninstalled BitDefender and Norton365, Windows Defender started finding the virus again and my backups failed.

So I don't really know whether this is a false positive, as many here are claiming, or not. But if it is, then the fault lies with Microsoft, not Mozilla. Mozilla should not be held accountable for mistakes that other companies make which affect its products, though it is reasonable to think that they would be active in clarifying the errors of others.

I have to disagree with you on this point, RobW. Let me give you an example. I use LibreOffice on all of my Linux boxes and even some of my Windows machines. A couple years ago Immunet and Trend Micro started reporting malware in LibreOffice. Trend wouldn't even allow the download of the installation files and Immunet said the install had bugs in a bunch of files. Trend eventually discovered it was an errant URL block, and Immunet decided it was a false positive.

None of the other malware scanning products detected a problem with LibreOffice. Using your logic, wouldn't we be saying the problem was LibreOffice's to solve, not Immunet's or Trend Micro's?

kaiclavier
Making moves

It's a week later, issue is still there... for the time being I'm still going to assume it's Windows Defender flagging random files as a trojan and tell Windows backup to ignore Appdata/Local/Mozilla so my backups can complete. Would love to see some feedback/confirmation from Mozilla/MS on this.

Jerryg50
Making moves

After some evaluating and checking my system, I have to come to the agreement this issue is a false positive. The computers I am using are not used for gaming or general browsing. I visit specific web pages run by MS support, Google, and a few other corporations. I never open unsolicited emails and email attachments.

Since the virus scanner can spot this cache file, this means if the actual virus was in my computers the virus scanner would have flagged them also, and especially for when I do a full scan. I also did an offline scan with this virus scanner where it rebooted the computer and did an offline scan before Windows started.

I have FF set up now on all my computers where when I close FF the cache is deleted. When I make a backup I close FF during the session. If I need the computer for my work, I use another computer. Most of the time I do the backups over night. If done during the day, they are done while I am out of my office.


tomhummus
Making moves

Mozilla is looking into the issue. They need a regression analysis of an affected FF. I will be able to deliver one by the end of the week, but if one also wants to contribute one earlier, please go ahead and upload it to the bugzilla report:

https://bugzilla.mozilla.org/show_bug.cgi?id=1872395

Tom, I do not have an account to add this to the bug report. If you could please let them know this issue started on my system: Win7-64 FF 115.6esr on 12/26/2023 with the MSE security intelligence update version 1.403.1150.0.

Prior to that, Security Intelligence Update for Microsoft Security Essentials - KB2310138 (Version 1.403.1057.0) - Current Channel (Broad) had been installed on 12/24/2023 and did not cause the issue when running system backups at 7:00pm EST. Hopefully, that will help MSFT track down the issue.

Hey BarnStormer, sure, I added this context to the bug comments!
It seems that the issue should be tackled by Microsoft and not Mozilla. I was not able to do a proper regression analysis, since the detection also persists with older versions of Firefox/Thunderbird. That's tracking it down to an issue with Defender. But as someone wrote here before, maybe Mozilla developers have greater leverage over Microsoft development than users have.

swolfearch
Making moves

I ran a full scan (took about 30 hours). While scanning, the status screen showed more than 1,600 infected files. When it was done, only HTML/Phish!pz was identified, and it reported it as removed. (Does that mean this virus was in all of the infected files?) Immediately thereafter, Defender said "0 current threats. No action needed."

Since then, I have been getting "Check your backup" warnings. It indicates the backup location is my external drive, and has error code 0x800700E1. The Defender Virus & threat protection tab lists several "Current threats" as "Severe" and "Remediation incomplete."

Detected: Trojan:HTML/Phish!pz
Status: Failed
This threat or app might not be completely remediated.
This program is dangerous and executes commands from an attacker.
Affected items: file: \Device\HarddiskVolumeShadowCopy8\Users\swolf\AppData\Local\Mozilla\Firefox\Profiles\la4ol7le.default-1642869000923\cache2\entries\012BBA2EEA31C58C0C39119A9C73F9E669DD2AC0 [and several other similar paths]

It also lists as "This app has been blocked" for
PUA:Win32/Spigot
PUABundler:Win32/PiriformBundler
PUADlManager:Win32/InstallCore
APPaTube_Catcher_BundleInstaller
PUA:Win32/Presenoker

I am unable to complete a backup.

Hello Swolfearch,

The first problem, Trojan:HTML/Phish!pz, is a problem with Defender flagging various files in either the Firefox or Thunderbird cache2 directories as bad. Mozilla support is looking at it under https://bugzilla.mozilla.org/show_bug.cgi?id=1872395. It is easily bypassed in the meantime by setting Firefox and Thunderbird to clear the cache when closing the program and then making sure that both are closed when backup is running. You might have to delete the shadow copy also.

The second problem looks to have already been resolved by Defender.

RobW
Familiar face

Thank you jackb. After making the changes you suggested to FF on the 27th, and to TBird which I later discovered, I found I did not need to deal with restore point shadow copies. It 'appears' that restore points are set by System after backup is run, so when it runs successfully you will not have any Defender notations that a trojan was discovered in a shadow copy.

Go to the indicated folder itself and delete the cache file. Or you can simply delete all the cache files in that folder. When FF starts up again it will recreate the files as required. Sometimes Defender does not delete that cache file.

I set FF to delete all the cache files when closing. If you are using Thunderbird and have this issue you must also do the same for its cache.

After deleting the file, also empty the recycle bin. Defender also scans the recycle bin.

I started to see this issue shortly after the last update of FF.

Recycle bin doesn't seem to matter. Manually clearing FF cache and restore points (shadow copies) if needed does not result in entries appearing in the recycle bin.

I first tried deleting the specific cache files identified by Defender. That didn't work; new files were identified every day. I cleared the cache and changed the settings so the cache is cleared automatically when I leave Firefox, then deleted all files in the ...cache2\entries\ folder. I did not empty the recycle bin. Before restarting Firefox, I was able to complete a backup. Since I started Firefox this morning, I have received no warnings. I'll report back in a day or so. I did see that I have restore points only since I started tweaking, but I have never used one, so I'm not sure if that was a great loss. Thanks to Jerryg50, Jackb, lurker212, and all who contributed to this thread.

Shaggy1
Making moves

I'm having the same issue. Just found out on Jan 4, 2024 when I start a Win 7 manual backup (on a Win 10 PC with FF 121). Strange thing is it only triggers WinDefender notification when it creates a shadow copy. I did a Full Scan. Nothing found. Retry backup, there it is again, Trojan:HTML/Phish!pz.

Rescan the entire drive, nothing found, again. Redo the backup, Trojan:HTML/Phish!pz found.

I just cleared Firefox cache for all users. Restarting the backup. So far no detection yet. Backup is in progress right now.

green76thumb
Making moves

I would clarify that the cache2 folders whose contents I deleted were for both Firefox and Thunderbird.

Also, I empty the recycle bin just to be on the safe side.

I don't use Ublock or Glary. But I do have an Adblock Plus extension in Firefox. I'm very careful where I go, but I do a lot of shopping on Amazon.

I don't respond to emails that are suspicious, but lately I keep getting emails that I have not signed up for, and have hit the unsubscribe button in several of them to remove me from the subscription list. It opens Firefox by default, and takes me to a page to unsubscribe. Perhaps that had something to do with it?

mungo
Making moves

Based on the advice from windowsreport.com I ran an SFC & DISM scan.

1. Press the Windows key, type cmd, and select Run as administrator.
2. Click Yes in the User Account Control (UAC) window.
3. In the command prompt window, type in the following command, sfc /scannow, and hit Enter.

It's been 2 hours and the Defender virus "false" report hasn't reappeared.

Warning: this scan takes hours to complete.

Sorry to tell you, but this is just the default answer of these stupid "Microsoft employees" / volunteers that should actually have been replaced by more capable bots long ago 😕

I doubt it ever even helped a single person, would be highly surprised if the issue doesn't come back for you.

Defender hasn't notified me of any viruses since I ran sfc /scannow.

The bad news is I still can't complete a Windows backup. I get about 2/3rds of the way through and the backup stops because Windows found a virus.

Just like everyone else, no amount of virus scans show any problems at all.

RobW
Familiar face

Something is out of whack with your computer. When I run either SFC Scannow or DISM it takes minutes. SFC scans in seconds, a little longer if it finds errors.

mungo
Making moves

I had to turn off sleep mode. After that it finished the last 25 percent in less than an hour.

mack
Making moves

I deleted the shadow copies, disabled the shadow services with Msconfig and rebooted. After that, Defender ran through a full scan for the first time without the Phish!pz error message. Unfortunately, I cannot run a backup without shadow copies. The moment I re-enable the shadow services and run the backup, the backup crashes at the end with a virus warning.

RobSalvv
Making moves

Not sure this behaviour has been cited in previous posts, but I ran a backup with the FF profile cache excluded and MSE went from finding the Trojan in the soft backup directory to the unhidden cache2 directory. A virus scan just before backup did not report a virus. I had MSE remove the file and backup ran OK.

Like others have reported, if the FF cache is cleared then backup runs OK, but logging back into every site I want to have ready access to is a complete pain. I can't recall if keeping cookies but deleting the rest of the cache (via FF settings) causes the Trojan to flag on backup. I haven't been diligently noting the outcomes of all the things I've tried.

It is clear that there is a direct correlation between the Trojan flagging in MSE and the running of the backup.

I have just set up Super anti spyware and MSE to be able to do a custom scan on just the “infected” directory. Next time I’m bothered to run a backup, or after the automated weekly backup and the Trojan is detected again, I’ll run scans on just the directory to see what comes up.

In the meantime, in the time between backups after MSE deletes the flagged file, every scan using SASW, MSE and Malwarebytes runs clean. I don't visit compromised sites or open suspicious emails... and I'm only using certified FF extensions.

This seems more and more likely to be a false positive.

Keeping cookies is OK. I am repeating others here:

Firefox: 'Tools - Settings - Privacy & Security - History - Clear History when closing down'. The settings on the right of that can be opened. In there select 'cache' only.

If you use Thunderbird too: 'Settings - General page - Disk space - Clear cache when closing down'.

Before you run your Windows Backup, close down Firefox and Thunderbird. So turn your BU schedule off, and try to remember to start it manually once in a while.

Another way is to go into the BU settings, and exclude every cache2 folder (in every separate folder in \Users\[user]\AppData\Local\Mozilla\Firefox\Profiles\ ), and do that for Thunderbird too. I excluded 6 cache2 folders that way.
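As an added example (not code from this thread or from Mozilla), a PowerShell script that finds every Firefox and Thunderbird cache2 folder under each user profile on the PC, so you can see which ones need excluding from the backup, and with -Clear empties them only while both applications are closed, as the posts above advise. The Thunderbird profile location and the process names "firefox" and "thunderbird" are assumptions.

```powershell
<#
  Added example (not from this thread): list every Firefox/Thunderbird cache2
  folder on the machine and, with -Clear, empty them before running a backup.
  Assumptions: Thunderbird caches live under AppData\Local\Thunderbird\Profiles,
  and the running processes are named "firefox" and "thunderbird".
  Run from an elevated PowerShell so other users' profiles are readable.
#>
param([switch]$Clear)

# Profile roots: Firefox path as quoted in the thread, Thunderbird path assumed.
$relativeRoots = @(
    'AppData\Local\Mozilla\Firefox\Profiles',
    'AppData\Local\Thunderbird\Profiles'
)

function Get-Cache2Folders {
    foreach ($userDir in Get-ChildItem -Path "$env:SystemDrive\Users" -Directory) {
        foreach ($rel in $relativeRoots) {
            $root = Join-Path $userDir.FullName $rel
            if (-not (Test-Path $root)) { continue }
            # One cache2 folder per profile, e.g. gd1w3gjx.default-release\cache2
            Get-ChildItem -Path $root -Directory |
                ForEach-Object { Join-Path $_.FullName 'cache2' } |
                Where-Object { Test-Path $_ }
        }
    }
}

$folders = @(Get-Cache2Folders)
if ($folders.Count -eq 0) { Write-Host 'No cache2 folders found.'; exit 0 }

# Report entry count and size per folder; these are the paths to exclude from BU.
foreach ($f in $folders) {
    $entries = @(Get-ChildItem -Path (Join-Path $f 'entries') -File -ErrorAction SilentlyContinue)
    $sizeMB  = [math]::Round((($entries | Measure-Object Length -Sum).Sum / 1MB), 1)
    Write-Host ("{0,6} entries  {1,8} MB  {2}" -f $entries.Count, $sizeMB, $f)
}

if (-not $Clear) { exit 0 }

# Only clear while Firefox and Thunderbird are closed; otherwise they keep
# writing new entries and hold cache files open.
$running = Get-Process -Name firefox, thunderbird -ErrorAction SilentlyContinue
if ($running) {
    Write-Warning ("Close these before clearing: " + (($running.Name | Sort-Object -Unique) -join ', '))
    exit 1
}

foreach ($f in $folders) {
    # Remove the contents, not the folder; the application recreates entries on start.
    Get-ChildItem -Path $f -Force | Remove-Item -Recurse -Force -ErrorAction Continue
    Write-Host "Cleared $f"
}
```

Run it once without -Clear to get the list of cache2 paths for the backup exclusions, then with -Clear just before a manual backup.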