Microsoft Defender reporting Trojan:HTML/Phish!pz threat with Firefox

Issue_Report
Making moves

Multiple items quarantined by Microsoft Defender. It is reporting Trojan:HTML/Phish!pz is detected in Firefox cache. Some examples being:
C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\077D332D18D04002F4E4F2029C7BBDBD6075BBD8

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\087BCF7C6435165AD81CEA178C340D8C71CA965E

C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0DB91AB2260ACFD2290F3A56BDB862D6F2359779

C:\Users\UserName\Local\Mozilla\Firefox\Profiles\gd1w3gjx.default-release\cache2\entries\0E79D7DDB0575B34F6E2A2DC0D77F7B91117DABB


How do you get to the BU settings to exclude the cache2 folders in Windows 10?

I have got Backup and Restore (Windows 7) working by setting Firefox and Thunderbird to delete their caches when closed down, but I would rather just exclude the cache2 directories from the backup, if that is possible on win10.

The main Window for WBU - Schedule - Change settings - Select the target disk - Click next, and in the next windows select the lower radio button for 'Determine yourself' and click 'next'.

(Exact translation may vary....)

Thank you @erikdenhouter, that's really helpful.

I didn't look properly!

lucasbild
Making moves

also observed on my PC: ...\AppData\Local\Mozilla\Firefox\Profiles\fkx70g5b.default-esr-2\cache2\entries\00B130FD507B21FB0847F88D12DC9F867174015C

after cleaning the cache the alert is gone, but with every start of firefox it re-appears.

Did anybody observe an impact on their systems?

Could Mozilla clean this profile ?


It might help you if you read some of the posts on this site if you really want any help.  The answer is there via 2 methods.

Dale123
Making moves

Is there any news on this behaviour being fixed by Mozilla?

I have cleared the false positive "virus" following various instructions above (a lengthy struggle for a naive end user), but it's unclear to me whether I can restart backups.

To run a backup, do I need to

exclude Firefox profile from the backup (didn't seem enough previously),

close Firefox every time,

delete cache 2 every time,

do both these every time,

or something else?  

I've tried everything but the same virus warning comes back eventually. This is especially odd to me since I have deleted the entire cache2 folder that Windows Defender tells me has the virus in it.

Maybe it's in a shadow copy, but Windows Defender shows the location as being on my C drive inside the Mozilla program folder.

"This is especially odd to me since I have deleted the entire cache2 folder that Windows defender tells me has the virus in it..."

These cache2 folders change in real time. Deleting is not an option.

I'm sure you are correct. However, I completely deleted the cache2 folder and 2 days later Windows Defender reported this virus in that same folder. But when I go to the exact location Windows says the virus is located in (AppData...cache2 folder etc.), the cache2 folder is still deleted.

However, it's been two days and I haven't had any flags from Defender. Fingers crossed.

Maybe the cache2 folder IN your backup still has the same content, so when you delete a real-time cache2 folder the old one is never overwritten and is still scanned with a problem in the backup?

Just assuming, since my method lets me make backups without error.

Understand this - backups do NOT copy (backup) previous backups.  The new backup would not be clean if it did this.

As per everything we have discussed, over and over starting back in mid December, there are 2 ways to work around this Mozilla/Defender false positive.

1. Set Firefox to clear cache when it closes. However, if you always leave your browser open on your taskbar this will not work. It is recommended by Mozilla that you close your browser when not in use. So, to enable this method, in FF go to Tools/Settings/Privacy & Security - scroll down to History and click on Clear history when Firefox closes. The box to the right is Settings, which now becomes available. Click on that and you will see 7 options. Click on Cache. You are done and backup will run as long as FF is closed when Backup runs. Backup may fail on the first instance after doing this because Recovery in Control Panel still contains Restore Points (shadow copies) that have cache2 in them. You can delete the restore points if you wish and backup will cause System to set a new Restore Point before it runs.

Cache2 in FF regenerates with new entries every time you use the browser.  This is why simply deleting the contents of cache2 in your FF Profile will not provide a workaround.  You must tell FF to empty this file when it closes as mentioned above.

2. You can exclude cache from your FF backup profile selections. By doing this you do not need to tell FF to clear cache when it closes. This is more work than #1, so I go with #1 because I always close FF (and Thunderbird) when I am done with them.

My backup schedule is nightly and it has been running perfectly since jackb posted these instructions back on Dec 27th.

Just preferences, my Firefox is always open, also at times that my scheduled BU starts. So I use the second flavour to choose from: I excluded the cache2 folders once, and do not have to worry too much after.

I deleted all backups as part of the cleanup, so I think that is covered.

I have actually only done one backup since the cleanup. I went belt-and-braces for this (earlier efforts did not seem to work, perhaps because of errors by me):

(a) excluded all cache2 from backup

(b) closed Firefox

(c) deleted all existing cache2.

The information that yours now works OK with just (a) done is helpful. I will try that.

No, too much.

In your Windows Backup settings exclude every \cache2\ folder in username\appdata\...\profile folder of the mozilla products (FF & TB), and you'll be fine for now.

How to exclude folders from WBU:

The main Window for WBU - Schedule - Change settings - Select the target disk - Click next, and in the next windows select the lower radio button for 'Determine yourself' and click 'next'.

(Exact translation may vary....)

Where are cache2 folders for Firefox:

C:\Users\[username]\AppData\Local\Mozilla\Firefox\Profiles\

Where are cache2 folders for Thunderbird (if you use TB):

C:\Users\[username]\AppData\Local\Thunderbird\Profiles\

In these folders there are different profile folders. And in these profile folders there are cache2 folders. Exclude them all from WBU. On my system there are 7 that I excluded. Not all are necessary, but I excluded them anyway to be sure.

Windows Backup now runs without error, but I have not tried if such backup will restore 100% (think about restore points), results may vary.
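The post above says to find every cache2 folder under the Firefox and Thunderbird profile roots and exclude each one from Windows Backup. The PowerShell below is an added example, not a script from the thread or from Mozilla: it enumerates those cache2 folders for the current user (so the list can be fed into the Backup exclusion dialog) and then cross-checks Defender's detection history so that any Phish!pz hit can be confirmed to point into a browser cache rather than an installed program. It assumes the standard `%LOCALAPPDATA%` profile locations quoted in the post and the Defender PowerShell module's `Get-MpThreatDetection` cmdlet; the `file:_` prefix on detection resource paths is an observed convention, treated here as an assumption.

```powershell
# Added example (not from the thread). Lists Firefox/Thunderbird cache2 folders
# for the current user and flags Defender detections that land inside them.

# Profile roots as quoted in the thread (Windows default locations).
$profileRoots = @(
    (Join-Path $env:LOCALAPPDATA 'Mozilla\Firefox\Profiles'),
    (Join-Path $env:LOCALAPPDATA 'Thunderbird\Profiles')
)

# Every <profile>\cache2 directory that actually exists.
$cache2Dirs = foreach ($root in $profileRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Directory |
            ForEach-Object { Join-Path $_.FullName 'cache2' } |
            Where-Object { Test-Path -LiteralPath $_ }
    }
}

Write-Host 'cache2 folders to exclude from Windows Backup:'
foreach ($dir in $cache2Dirs) {
    # cache2\entries holds the cached pages Defender is flagging.
    $entries = Get-ChildItem -LiteralPath (Join-Path $dir 'entries') -File -ErrorAction SilentlyContinue
    $bytes = 0
    foreach ($e in $entries) { $bytes += $e.Length }
    Write-Host ('  {0}  ({1} entries, {2:N1} MB)' -f $dir, @($entries).Count, ($bytes / 1MB))
}

# Cross-check against Defender's detection history. A detection whose resource
# path sits inside a cache2 folder is a cached web page, not an installed file.
# Assumption: resource strings look like "file:_C:\path\to\file".
$detections = Get-MpThreatDetection -ErrorAction SilentlyContinue
foreach ($d in $detections) {
    foreach ($res in $d.Resources) {
        $path = $res -replace '^file:_', ''
        $hit = $cache2Dirs | Where-Object {
            $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
        }
        if ($hit) {
            Write-Host ('Detection at {0}: {1} is inside browser cache {2}' -f $d.InitialDetectionTime, $path, $hit)
        }
    }
}
```

Run it in a normal (non-elevated) PowerShell session for the logged-in user; the Defender cross-check section simply prints nothing if the Defender module or detection history is unavailable. The output paths are the ones to tick off in the Backup "Let me choose" (or 'Determine yourself') folder selection described above.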


bosurus
Making moves

Definitely a problem of Windows Defender.

11 days ago I emptied the reported cache2/entries folder on a Windows 10 system, which is running 24/7 for some minor monitoring tasks. The W7 backup of C:\users was running then without problems.

Until yesterday: now Defender reports an entry in the profile of another user, who definitely has not logged in for a year. The reported file in cache2\entries is almost three years old. No one has used Firefox in the meantime. A manual scan with Windows Defender does not find threats in this Firefox profile.

This threat alarm is totally misleading and destructive.

fabianschmied
Making moves

I created a ticket with Microsoft Support today and was told that Microsoft was apparently already working on a patch to be released via Windows Update. I'm not sure how reliable that information is, but it's something at least 🙂 .

erikdenhouter
Making moves

Problem solved? According to Mozilla:

https://bugzilla.mozilla.org/show_bug.cgi?id=1872395&_gl=1*uoqrx5*_ga*MTQ3OTU0NDc2Ni4xNjg5MjQ2Mzk3*_....

since a few days ago changes have been made for the better; Defender's virus definition files seem to have been updated.

I just made a Windows Backup with the usual standard settings, and there was NO phish!pz alarm, backup completed without error.

I can confirm this.

FF and TB running all day. Saw the note from erikdenhouter. Ran backup w/o shutting them down first. No stupid Incomplete Remediation alert.

Thanks to all of you who helped fix this.

greg

@CeasarAbernath wrote:

Once we've identified how to address this in case it's a false alarm, the next step is to establish whether the file is genuinely malicious and pinpoint its source. Given that the problem appears to be replicable (clear cache, open Firefox, browse for about 5 minutes, and a backup fails), has anyone tested if removing uBlock Origin stops the backup from failing during this sequence? While it seems unlikely that uBlock Origin is the cause, several people have mentioned it.


What kind of backup is failing? If you mean a regular disk backup, try excluding the cache2 folder from your backup in its folder selection options (if it has those). Cached files are just for temporary reference and get cycled out as you browse. By the time you get around to using the backup, the cache is likely to be months out of date.