"firefox.VisualElementsManifest.xml" (Generik.HBKPFTF trojan)

[cmit 2]

Is this Mozilla, Microsoft, or ESET's issue?
Just happened today multiple (number still increasing) of our domain computers' ESET Endoint AntiVirus caught this "firefox.VisualElementsManifest.xml" as "a variant of Generik.HBKPFTF trojan".
This event also happened on a new firefox.exe just downloaded from the official Firefox.com website for installation onto a new computer.

 

[itman 1,659]

Submit the Firefox directory based .xml file for a scan at VirusTotal. If no one except Eset detects, it is probably a FP.

Note that the fact the file is showing up in your User\AppData\Local\Temp directory is not a "good sign."

Edited May 7, 2019 by itman

[cyberhash 188]

I guess this is more related to the issue that mozilla had 2 days ago , where a bug caused all extensions to be disabled. Then a workaround was issued and since then ESET has cleaned and deletged all my firefox profile and cleaned 3 files on my PC too.

Now firefox isnt even installed in c:\program files or even c:\program files (x86). but in a "Appdata"

Id say its a mozilla issue but it really needs investigating, im going to submit a bug report and file.

[itman 1,659]

Poster on wilderssecurity.com related the following:

Quote

Updated to beta 18 through the updater. ESET responded to the update with the following:
Time;Scanner;Object type;Object; Detection;Action;User;Information;Hash;First seen here
5/7/2019 4:05:15 PM;Real-time file system protection;file;C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml;a variant of Generik.HBKPFTF trojan;cleaned by deleting;NT AUTHORITY\SYSTEM;Event occurred during an attempt to access the file by the application: C:\Program Files (x86)\Mozilla Maintenance Service\update\updater.exe (F55D6EF69762FA96B7DE42A1B4E6EC8A3AA01A7E).;7AFA2C9069FA2C3DC5306A64F44E401D83A51189;5/7/2019 8:04:53 AM

Since this is a generic detection, hopefully its a FP. Otherwise, "the Firefox world" has "big problems."

I would also submit the file to Eset as a possible FP.

[JamesR 52]

Hello, please update the detection engine in ESET and the detection method should now be corrected, and the .xml no longer detected.

[cmit 2]

4 minutes ago, JamesR said:

Hello, please update the detection engine in ESET and the detection method should now be corrected, and the .xml no longer detected.

1. So this is ESET's fault?
2. What's the root cause of this FP?
3. What's the updated detection engine version #?
4. What is this VisualElementsManifest.xml for? I see Chrome and Windows tile also has this .xml file.
5. What should be done with those already "affected" computers? restore from quarantine?
6. so this "cleaned by deleting" really means "moved" to quarantine?

[cyberhash 188]

@cmit and @itman

I'd say the firefox world has big problems, never seen any update for any software that has actually changed the installation folder without any user interaction 🙃, plus the delivery was via an in product update.

I also see that after the 66.0.4 update , there is another (in product update) tonight to 66.0.5 ............ lets see what this breaks 🤒

 

 

[cmit 2]

1 minute ago, cyberhash said:

@cmit and @itman

I'd say the firefox world has big problems, never seen any update for any software that has actually changed the installation folder without any user interaction 🙃, plus the delivery was via an in product update.

I also see that after the 66.0.4 update , there is another (in product update) tonight to 66.0.5 ............ lets see what this breaks 🤒

 

 

my concern and question is is this Mozilla's issue or ESET's issue?
Even thought ESET "fixed it" (not sure if temporarily) by updating the detection engine but WHY did the ESET treat this .xml file as a trojan?
Could any experts from ESET please explain in details?
If this is the "big problems" of the firefox world, need to let Mozilla know.

[itman 1,659]

1 hour ago, cmit said:

my concern and question is is this Mozilla's issue or ESET's issue?

Appears to be an Eset issue.

1 hour ago, cmit said:

Even thought ESET "fixed it" (not sure if temporarily) by updating the detection engine but WHY did the ESET treat this .xml file as a trojan?

It was a false positive detection. They happen with all security software. Thankfully and historically, they are a rare occurrence with Eset software. 

[peteyt 393]

10 hours ago, itman said:

Appears to be an Eset issue.

It was a false positive detection. They happen with all security software. Thankfully and historically, they are a rare occurrence with Eset software. 

And not to mention eset was quick to rectify it. 

Admittingly when I saw this post I wondered if it was another program that had been hacked and used to try and infect its users e.g. via updates etc., something i feel is going to be a common occurrence in the next few years 

[itman 1,659]

Considering the "chaotic" situation the Firefox browser is presently in; e.g. letting its root certificates expire, multiple rapid fire updates to fix it, etc., this FP by Eset is perfectly understandable.