Closed Bug 1872395 Opened 5 months ago Closed 4 months ago

HTML/Phish!pz threat appears in Firefox cache after update to 121.0

Categories

(Core :: Networking: Cache, defect, P2)

Firefox 121
defect


RESOLVED WORKSFORME

People

(Reporter: mail, Unassigned)

References

Details

(Whiteboard: [necko-triaged][necko-monitor])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0

Steps to reproduce:

I updated to 121.0 and surfed the web (google.com and imazing.com) and I downloaded software from that source: https://imazing.com/

Actual results:

Shortly after the download, multiple items were quarantined by Microsoft Defender.

It is reporting that Trojan: HTML/Phish!pz is detected in the Firefox cache, especially in the shadow copy of Windows backups.

Other examples are listed here: https://connect.mozilla.org/t5/discussions/microsoft-defender-reporting-trojan-html-phish-pz-threat-with/m-p/48165#M17202

Expected results:

Nothing, no threat should have been detected!

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Core & HTML' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core

Hi Kershaw and Janv,
Are you the best people/team to take a quick look at this cache-related issue? It looks like a regression from Fx 121. Thank you.

Flags: needinfo?(kershaw)
Flags: needinfo?(jvarga)

Is it possible to specify which folder/directory is affected ?
There are different kinds of caches.

Flags: needinfo?(jvarga)

Hey there, it is Cache2. Mostly affected are the shadow copy folders from Windows.

See the following thread for some examples by affected users: https://connect.mozilla.org/t5/discussions/microsoft-defender-reporting-trojan-html-phish-pz-threat-with/m-p/48165#M17202

Ok, so this is related to the networking cache.
Kershaw, please triage it accordingly.

Component: DOM: Core & HTML → Networking: Cache

Hi Reporter,

This sounds like a recent regression.
If so, could you use mozregression to help us find out the regression range?

Thanks.

Flags: needinfo?(kershaw) → needinfo?(mail)

This also affects Thunderbird users and causes Windows Backup to fail.

To narrow it down: my last successful backup was on 21.12.2023 around 18:00 CET; the next would have been on the 28th.

Clearing the cache and shutting down Thunderbird resolves this; nevertheless it's a false positive and many day-to-day users will get virus warnings ^.-

file: \Device\HarddiskVolumeShadowCopy64\Users\<user>\AppData\Local\Thunderbird\Profiles\aixbppca.default\cache2\entries\8910A51BFC0EF71F5ADB74CCC317F71EA3E604CE

file: \Device\HarddiskVolumeShadowCopy56\Users\<user>\AppData\Local\Thunderbird\Profiles\aixbppca.default\cache2\entries\613633A8B0BE6A05249403C8AE1454C9AE3FEFCE

... and so on

Comments from the thread indicate this started with a MS Defender rules update on 12/26:
Wanted to point out my issue started after the MSE def. updates on 12/26/2023. FireFox had already been updated on 12/19/2023 to 115.6esr for Win7.
We can't control Defender updates; at best we could try to sidestep it, but that's a losing game and would likely hurt legitimate scans by Defender.

The best route is to get Microsoft to look at this (likely they are already if it's generating false positives at a high rate).

I do not think this is caused by the Firefox 121.0 update. I am experiencing the same problem with both Waterfox G6.0.7 (not sure what version of Firefox code it is based on) and Waterfox Classic 2022.11 (definitely much older code base than Firefox 121.0).

Like some others, I started experiencing the problem around 26th Dec 2023:

  1. I'm running Windows 10. Backup with "Backup and Restore (Windows 7)" fails because of Trojan found

  2. Windows Defender shows "Remediation incomplete" with item under \Device\HarddiskVolumeShadowCopyXX...\cache2...

  3. If I scan the same file under my Waterfox profile cache2 directory (not the Shadow Copy) no Trojan is found. Even scanning the whole Waterfox profile directory finds no problem.

  4. However, if I restart the backup, the same file in (2) is again flagged under HarddiskVolumeShadowCopyXX as a Trojan, and backup fails again.

  5. If I clear the cache and rerun backup no Trojan is found and backup succeeds.

  6. I use the browsers normally during the day.

  7. Problem repeats itself the next day when backup is scheduled to run again. The problematic file's content is different each day as far as I can tell.
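The steps above compare a file flagged inside a shadow copy with the same file in the live profile. As an added triage script (not from the bug thread or from Mozilla), this lists Defender detections that point into a cache2 directory, maps each shadow-copy path back to the live profile path, hashes the live file and rescans it, so the live-vs-shadow discrepancy can be checked on one machine. It assumes the profile sits on the system drive (the \Device\HarddiskVolumeShadowCopyNN prefix is replaced by $env:SystemDrive) and that the Defender PowerShell module is present.

```powershell
# Added triage example; assumes the Defender module (Get-MpThreat, Get-MpThreatDetection,
# Start-MpScan) and that the flagged profile lives on $env:SystemDrive.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

# Keep only detections whose resource path is inside a cache2 entries directory
$detections = Get-MpThreatDetection |
    Where-Object { $_.Resources -match '\\cache2\\entries\\' }

foreach ($d in $detections) {
    $name = $threatNames[$d.ThreatID]
    foreach ($res in $d.Resources) {
        # Resource strings look like "file:_\Device\HarddiskVolumeShadowCopy64\Users\..."
        if ($res -notmatch '^file:_(.+)$') { continue }
        $flagged = $Matches[1]

        # Map the shadow-copy device path onto the live system drive (assumption: same volume)
        $live = $flagged -replace '^\\Device\\HarddiskVolumeShadowCopy\d+', $env:SystemDrive
        $exists = Test-Path -LiteralPath $live
        $hash = if ($exists) { (Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash } else { $null }

        [pscustomobject]@{
            Detected   = $d.InitialDetectionTime
            Threat     = $name
            ShadowPath = $flagged
            LivePath   = $live
            LiveExists = $exists
            LiveSHA256 = $hash
        }

        # Rescan the live copy: a clean result here next to a shadow-copy hit is the
        # pattern described above (the signature only fires during the backup scan).
        if ($exists) { Start-MpScan -ScanType CustomScan -ScanPath $live }
    }
}
```

The cache entry may already have been evicted or rewritten since the backup ran, so a missing or differently hashed live file is expected for older detections; record the SHA256 before clearing the cache if you want to report the sample.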

(In reply to Kershaw Chang [:kershaw] from comment #6)

Hi Reporter,

This sounds like a recent regression.
If so, could you use mozregression to help us find out the regression range?

Thanks.

Hey Kershaw Chang,

I tried but was not able to do a proper regression analysis; it seems that the problem persists, even with older releases.

Similar thoughts are expressed here by KHikari and in the Mozilla Connect thread. It becomes more and more clear that the problem lies within the Windows Defender scan engine.

Is there any way to force an investigation of the behavior on the Microsoft side from the Mozilla development side? This could have broader implications as Mozilla products seem to be mainly affected by this flawed Microsoft Defender behavior.

The Mozilla Connect thread now has over 21k visits and 217 comments. So it seems to be a bigger problem, even if the percentage of total Mozilla product customers is of course still relatively small.

Flags: needinfo?(mail)

Maybe some more context on the correlation with Defender updates from the Mozilla Connect thread:

[...] this issue started on my system: Win7-64 FF 115.6esr on 12/26/2023 with the MSE security intelligence update version 1.403.1150.0

Prior to that, Security Intelligence Update for Microsoft Security Essentials - KB2310138 (Version 1.403.1057.0) - Current Channel (Broad) had been installed on 12/24/2023 and did not cause the issue when running system backups at 7:00pm EST. Hopefully, that will help MSFT track down the issue.

I got this Defender problem around Christmas on two Win10 Pro 64-bit PCs with the Win7 backup procedure. Got it with FF and also the latest SeaMonkey releases. Defender does NOT post errors on both original /cache2/* directories at all with a custom check. It only happens during backup, inhibiting writing (stopping backup) to the backup disk (shadow). Also, previously clearing the cache via the tools menu or restarts do NOT help; I had to delete the /cache2/ directory completely (after stopping FF and SM). Then backup runs OK and FF and SM restart without any problem.

I did a lot before, including uninstalling and installing FF+SM. Only deleting /cache2/ before backup, or in case of error before restarting backup, was successful. I have no add-ins and get this /cache2/ problem exclusively during the Win7 backup procedure. The system gets clean Defender checks including offline scan. I'm not searching any more, just cleaning up before the weekly backup. I'm not very sure, but the problem may have come up after some MS December patches at/after 13 December. I did FF and SM updates around the same period, so ... sorry. The first Defender fight was at Christmas: automatic weekly backup on a Thinkpad during vacation.

It is a bit disturbing, but I have no other bugs, just that weekly backup Defender fighting ... Deleting /cache2/ does not produce any problem, as far as I have seen up to now.

Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged][necko-priority-new]

Windows 11 pro insider 10.0.2361612 build 23612
Control Panel Windows7 Backup failed, throwing error code would not : 
removed ff Nightly 123.0a1 (2024-01-07) (64-bit)
windows7 Backup Control Panel ran successfully (removed ff with Revo Uninstaller version 2.4.5.0, vCenter Converter version 6.4.0 build 21710069 and Belarc-Advisor version 12.1 are also installed, there are no other non-windows apps)

Whiteboard: [necko-triaged][necko-priority-new] → [necko-triaged][necko-monitor]
Duplicate of this bug: 1873669

phish!pz was added to the "Updated threat detections" on December 14 2023, MS https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.403.485.0, and now the issue seems resolved by MS?

The MS change logs for the security intelligence update make no mention of the removal of phish!pz, but I have completed a second successful backup using recoveryDrive.exe, and one with B&R on both Win10 and Win11.

ProtonBridge and Thunderbird were on all test backups that completed successfully prior to last night.
Sunday morning I installed mozilla-MSIX-1.0 122.0 from the MS app store or FF 122.0, and Nightly 124.0a1 (Bitwarden extension was installed, and some random browsing) and B&R completed successfully.

Thanks for confirming, Bob!
I think we'll wait for one more user to confirm it works before closing this bug.

We had detections on 2-3 computers of ours that have Firefox. All detections were in the Firefox cache folder. I managed to find one of the files in the detection history and scanned it directly with Windows Security/Defender and even VirusTotal. All returned with 0 threats detected. So, I'd say these were false positives, fixed by the latest threat definition updates.

Thanks for the confirmation. Glad to hear it works now.

Status: UNCONFIRMED → RESOLVED
Closed: 4 months ago
Resolution: --- → WORKSFORME