cavi-au / Consent-O-Matic

Browser extension that automatically fills out cookie popups based on your preferences

Windows flags extension as malware #441

Closed recursiveribbons closed 1 month ago

recursiveribbons commented 3 months ago

Windows/Microsoft Defender detects the file gdpr@cavi.au.dk.xpi in the Firefox extensions folder as malware containing Trojan:Script/Wacatac.B!ml

This also happens when I install a fresh copy of the extension from Firefox

rebelonion commented 3 months ago

This happened to me as well. Floorp 11.10.5 (built on Firefox 115.0), extension version: 1.0.13

Mojmilovo commented 3 months ago

Same here, LibreWolf 123.0.1-1

avgeeklucky commented 3 months ago

Same here, Firefox 123.0.1, extension 1.0.13. VirusTotal does not seem to find anything.

Irefusetoenterausername commented 3 months ago

Same with the current release of Firefox. Windows stopped my whole file backup/system image I was running last night just because of it.

Edit: Firefox version 123.0.1, Windows 10. I reported it to Microsoft as a false positive through here: https://www.microsoft.com/en-us/wdsi/filesubmission. Perhaps it would help if others also submitted reports to them to help confirm its status on Windows Defender.

svnhub commented 3 months ago

It doesn't seem like the built-in scanner in Windows 10 from Microsoft (Windows Security) tags this with the definitions from 18/3/2024. Nor does ClamAV or a bunch of random online scanners. I briefly looked inside the xpi (which is in fact just a zip file if you rename it) and it looked like it contains just the ordinary js files, icons, html and so on from the extension. Will have to do a diff towards our GitHub repo to see if it got infected while it was in-flight.

So just to be clear, this is all happening with the Windows/Microsoft Defender app that you have to manually install, not the built-in one? And only on Firefox, not Chrome (which is completely identical)?

recursiveribbons commented 3 months ago

For me, this is the antivirus that was bundled with Windows 11 itself, called either Windows or Microsoft Defender; it's not very clear. And I only tested on Firefox as that's the browser I have.

I've submitted a false positive report to Microsoft

kevin-wijnen commented 3 months ago

> So just to be clear this is all happening with the Windows/Microsoft Defender App that you have to manually install, not the built in one? And only on Firefox, not Chrome (which is completely identical)?

Microsoft Defender should be pre-installed on Windows 11 at the very least.

I got the same alert with the built-in Microsoft Defender for W11 on Firefox too.

Irefusetoenterausername commented 3 months ago

This is happening with the built-in AV for Windows 10 for me as well, Windows Security/Defender.

svnhub commented 3 months ago

Could you provide the md5 sum of the xpi file exactly as it is when it is tagged by Windows/Microsoft Defender? For example by dropping it on this page: https://emn178.github.io/online-tools/md5_checksum.html

What version of the Windows/Microsoft Defender/Security antivirus definitions is this being flagged with?

ClankZigzagSite commented 3 months ago

> Could you provide the md5 sum of the xpi file exactly as it is when it is tagged by Windows/Microsoft Defender? For example by dropping it on this page: https://emn178.github.io/online-tools/md5_checksum.html
>
> What version of the Windows/Microsoft Defender/Security antivirus definitions is this being flagged with?

md5 sum of the xpi file: 7089c7f7408497b8264c2f46ecb60e6e

Microsoft Security Essentials. Virus definition version: 1.407.617.0. Spyware definition version: 1.407.617.0

svnhub commented 2 months ago

Just wanted to provide an update on this so it doesn't look like we are ignoring the issue entirely: The MD5 provided by Clank above matches the one distributed from Firefox's extension CDN, which means it isn't a case of client-side infection.

The description of the virus from the public pages at MS is too vague.

We have opened a case with their Security Intelligence support team to gain more information, but this is complicated by the fact that no one here has been able to reproduce the issue locally on either the built-in antivirus or any of the paid-for Microsoft Defender / Security (Essentials) variants, which all in essence seem to be the same product. In a similar vein, the MS team is unable to detect anything using their automated Client or Cloud solutions, and we are now waiting for them to manually go through the extension file to pinpoint the exact file inside it that triggers this issue.

I recommend against working with potential virus files, but if one of you who consistently gets this trigger happened to have an environment where this could be done safely (and an adventurous soul) and were to unpack the xpi (it is actually a .zip file if you rename it) and scan the directory, then the results of that scan could be interesting.

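One way to carry out the checks discussed in this thread (hash the .xpi as distributed to compare with the CDN copy, then unpack it as a zip and diff its contents against a reference build), written as an added example that is not the Consent-O-Matic project's own code. The sample package is constructed in memory, and the list of expected file types is an assumption.

```python
# Added example, not the Consent-O-Matic project's code: triage an .xpi as the
# thread describes (hash it, unpack it as a zip, compare with a reference build).
import hashlib
import io
import zipfile

# Entry types a WebExtension package normally carries; anything else inside
# the archive deserves a closer look. This list is an assumption.
EXPECTED_SUFFIXES = (".js", ".json", ".html", ".css", ".png", ".svg", ".md", ".txt")

def file_md5(data: bytes) -> str:
    """MD5 of the whole package, to compare with the copy served by the CDN."""
    return hashlib.md5(data).hexdigest()

def xpi_manifest(xpi_bytes: bytes) -> dict:
    """Map every file in the archive to its SHA-256 without extracting to disk."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                manifest[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest

def diff_manifests(reference: dict, candidate: dict) -> dict:
    """Files only in the package, only in the reference, or with different content."""
    return {
        "added": sorted(set(candidate) - set(reference)),
        "missing": sorted(set(reference) - set(candidate)),
        "changed": sorted(n for n in reference if n in candidate and reference[n] != candidate[n]),
    }

def unexpected_entries(manifest: dict) -> list:
    """Entries whose file type an extension package would not normally contain."""
    return sorted(n for n in manifest if not n.lower().endswith(EXPECTED_SUFFIXES))

def build_xpi(files: dict) -> bytes:
    """Build a zip in memory; used here only for constructed sample packages."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    reference = {"manifest.json": b'{"name": "demo"}', "background.js": b"console.log(1);"}
    shipped = dict(reference, **{"background.js": b"console.log(2);", "extra.exe": b"constructed"})
    pkg = build_xpi(shipped)
    print("md5:", file_md5(pkg))
    print(diff_manifests(xpi_manifest(build_xpi(reference)), xpi_manifest(pkg)), unexpected_entries(xpi_manifest(pkg)))
```

For a real check, read the .xpi from the profile's extensions folder and build the reference manifest from a clean build of the same version; a non-empty "changed" or "added" list is what would point at in-flight tampering.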

svnhub commented 1 month ago

Microsoft's team reached the conclusion that the extension is not malware and left the following comment (which is mostly targeted at people running Windows Defender and not the other variants of the antivirus software):

At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus

svnhub commented 1 month ago

Closing this as Microsoft has updated their definitions to avoid this false positive detection