cmit (posted May 7, 2019):
Is this Mozilla's, Microsoft's, or ESET's issue? Just today, on multiple (number still increasing) of our domain computers, ESET Endpoint Antivirus caught this "firefox.VisualElementsManifest.xml" as "a variant of Generik.HBKPFTF trojan". This also happened with a new firefox.exe just downloaded from the official Firefox.com website for installation onto a new computer.
itman (posted May 7, 2019, edited):
Submit the Firefox directory based .xml file for a scan at VirusTotal. If no one except Eset detects it, it is probably an FP. Note that the fact the file is showing up in your User\AppData\Local\Temp directory is not a "good sign."
cyberhash, Most Valued Member (posted May 7, 2019):
I guess this is more related to the issue that Mozilla had 2 days ago, where a bug caused all extensions to be disabled. Then a workaround was issued, and since then ESET has cleaned and deleted all of my Firefox profile and cleaned 3 files on my PC too. Now Firefox isn't even installed in c:\program files or even c:\program files (x86), but in "AppData". I'd say it's a Mozilla issue, but it really needs investigating; I'm going to submit a bug report and file.
itman (posted May 7, 2019):
Poster on wilderssecurity.com related the following:

Quote: Updated to beta 18 through the updater. ESET responded to the update with the following:

Time;Scanner;Object type;Object; Detection;Action;User;Information;Hash;First seen here
5/7/2019 4:05:15 PM;Real-time file system protection;file;C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml;a variant of Generik.HBKPFTF trojan;cleaned by deleting;NT AUTHORITY\SYSTEM;Event occurred during an attempt to access the file by the application: C:\Program Files (x86)\Mozilla Maintenance Service\update\updater.exe (F55D6EF69762FA96B7DE42A1B4E6EC8A3AA01A7E).;7AFA2C9069FA2C3DC5306A64F44E401D83A51189;5/7/2019 8:04:53 AM

Since this is a generic detection, hopefully it's an FP. Otherwise, "the Firefox world" has "big problems." I would also submit the file to Eset as a possible FP.
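Added example, not code from the thread or from ESET: a small Python triage helper that parses the semicolon-separated ESET detection record quoted above and tags the false-positive indicators the posters reason about (a generic Generik.* name, a non-executable .xml, a Program Files path rather than a Temp path, access by the vendor's own updater). The indicator list and the "three or more" threshold are hypothetical; the log record is the one quoted in the post.

```python
import csv
import re
from dataclasses import dataclass, field
# Constructed sample: the header and single record quoted in the post above (ESET's export is
# semicolon-separated; the "Information" cell names the process that touched the file).
ESET_LOG = (
    "Time;Scanner;Object type;Object; Detection;Action;User;Information;Hash;First seen here\n"
    "5/7/2019 4:05:15 PM;Real-time file system protection;file;"
    "C:\\Program Files\\Mozilla Firefox\\firefox.VisualElementsManifest.xml;"
    "a variant of Generik.HBKPFTF trojan;cleaned by deleting;NT AUTHORITY\\SYSTEM;"
    "Event occurred during an attempt to access the file by the application: "
    "C:\\Program Files (x86)\\Mozilla Maintenance Service\\update\\updater.exe "
    "(F55D6EF69762FA96B7DE42A1B4E6EC8A3AA01A7E).;"
    "7AFA2C9069FA2C3DC5306A64F44E401D83A51189;5/7/2019 8:04:53 AM\n"
)
TRIGGER_RE = re.compile(r"by the application: (?P<path>.+?) \((?P<sha1>[0-9A-Fa-f]{40})\)\.?$")
INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
INERT_EXTS = (".xml", ".json", ".txt", ".ini")  # data files, not directly executable

@dataclass
class Triage:
    detection: str
    file_sha1: str
    trigger_path: str
    trigger_sha1: str
    fp_indicators: list = field(default_factory=list)

    @property
    def likely_fp(self) -> bool:  # hypothetical threshold: 3+ indicators -> submit as FP
        return len(self.fp_indicators) >= 3

def parse_eset_log(text: str) -> list:
    reader = csv.DictReader(text.splitlines(), delimiter=";")
    reader.fieldnames = [h.strip() for h in reader.fieldnames]  # "Object; Detection" has a stray space
    return list(reader)

def triage(row: dict) -> Triage:
    m = TRIGGER_RE.search(row["Information"])
    t = Triage(row["Detection"], row["Hash"],
               m.group("path") if m else "", m.group("sha1") if m else "")
    obj = row["Object"].lower()
    if t.detection.startswith("a variant of Generik."):
        t.fp_indicators.append("generic/heuristic signature rather than a named family")
    if obj.endswith(INERT_EXTS):
        t.fp_indicators.append("object is a non-executable data file")
    if obj.startswith(INSTALL_DIRS):
        t.fp_indicators.append("object sits in a vendor install directory, not %TEMP%")
    if "updater.exe" in t.trigger_path.lower():
        t.fp_indicators.append("access came from the vendor's own updater")
    return t
```

The two SHA-1 values the helper pulls out are exactly what itman suggests submitting to VirusTotal and to Eset.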
JamesR, ESET Staff (posted May 7, 2019):
Hello, please update the detection engine in ESET; the detection method should now be corrected, and the .xml should no longer be detected.
cmit, author (posted May 7, 2019):
4 minutes ago, JamesR said: Hello, please update the detection engine in ESET and the detection method should now be corrected, and the .xml no longer detected.

So this is ESET's fault? What's the root cause of this FP? What's the updated detection engine version #? What is this VisualElementsManifest.xml for? I see Chrome and Windows tiles also have this .xml file. What should be done with those already "affected" computers? Restore from quarantine? So this "cleaned by deleting" really means "moved" to quarantine?
cyberhash, Most Valued Member (posted May 7, 2019):
@cmit and @itman I'd say the Firefox world has big problems; I've never seen any update for any software that has actually changed the installation folder without any user interaction 🙃, plus the delivery was via an in-product update. I also see that after the 66.0.4 update, there is another (in-product update) tonight to 66.0.5... let's see what this breaks 🤒
cmit, author (posted May 7, 2019):
1 minute ago, cyberhash said: @cmit and @itman I'd say the Firefox world has big problems; I've never seen any update for any software that has actually changed the installation folder without any user interaction 🙃, plus the delivery was via an in-product update. I also see that after the 66.0.4 update, there is another (in-product update) tonight to 66.0.5... let's see what this breaks 🤒

My concern and question is: is this Mozilla's issue or ESET's issue? Even though ESET "fixed it" (not sure if temporarily) by updating the detection engine, WHY did ESET treat this .xml file as a trojan? Could any experts from ESET please explain in detail? If this is the "big problems" of the Firefox world, we need to let Mozilla know.
itman (posted May 7, 2019):
1 hour ago, cmit said: My concern and question is: is this Mozilla's issue or ESET's issue?

Appears to be an Eset issue.

1 hour ago, cmit said: Even though ESET "fixed it" (not sure if temporarily) by updating the detection engine, WHY did ESET treat this .xml file as a trojan?

It was a false positive detection. They happen with all security software. Thankfully and historically, they are a rare occurrence with Eset software.
peteyt, Most Valued Member (posted May 8, 2019):
10 hours ago, itman said: Appears to be an Eset issue. It was a false positive detection. They happen with all security software. Thankfully and historically, they are a rare occurrence with Eset software.

And not to mention ESET was quick to rectify it. Admittedly, when I saw this post I wondered if it was another program that had been hacked and used to try and infect its users, e.g. via updates etc., something I feel is going to be a common occurrence in the next few years.
itman (posted May 8, 2019):
Considering the "chaotic" situation the Firefox browser is presently in, e.g. letting its root certificates expire, multiple rapid-fire updates to fix it, etc., this FP by Eset is perfectly understandable.