Avast and Firefox False Positive-Answered

[Spiritual2016]

Avast Free Antvirus Version 22.2.6003
Firefox 98.0.1

What Happened:

At 10:45am Pacific (and using the latest version of Firefox), I opened an email survey link from a legit company that I am a member of..

A pop-up was displayed 'Avast Blocking Prefs.js File.' I attempted to open the link two more times and the tab opened but the survey page would not open-Three copies of this file were placed in the 'Quarantine' section, showing the same time.

I was about to sign into the Avast forum when another pop-up was displayed 'Avast Has Safely Aborted 'VBS.Gamaredon-CM(Apt).'

I ran a smart scan and a full scan (but no issues were detected) so the computer was restarted and there have not been any further issues.

Next Steps:

-What are the next steps, does a setting need to be changed, and can the three copies of the Quarantine file be deleted)?

[Bc102]

Just got this myself today, 05:42PM, 05:43PM, 05:45PM and 05:49 GMT VBS:Gamaredon-CM [Apt] Prefs.js

[DavidR]

@ Spiritual2016

I use Firefox (latest version) as my default browser and so far I haven't bumped into this.

Also reported in another topic - https://forum.avast.com/index.php?topic=318639.0

[Spiritual2016]

-

[CBinRIC]

I got the same msg for BOTH Firefox and Thunderbird profile files 3/22/22 at 1:30 PM EDT using free AVAST.  Have newest versions of both Mozilla products that automatically update.

Have been into both Mozilla programs earlier today without complaint from AVAST.

[lenslark]

I also got the message that pref.js was infected by VBS Gamaredon-CM en placed into quarantine
i ve send the file to avast for analysis

[MRTMN]

I'm seeing the same thing, but with the pref.js in Thunderbird. Hoping it's a false positive - submitted the file to Avast.

How do we track the false positive analysis?

[Pondus]

Updated Feb. 16 to include new information on Gamaredon infrastructure and Indicators of Compromise

https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/


Microsoft discloses new details on Russian hacker group Gamaredon

https://maislsenders.com/2022/02/04/microsoft-discloses-new-details-on-russian-hacker-group-gamaredon/

[Spiritual2016]

-

[Pondus]

The link(s) i posted only explaine what the gamaredon detection is, it does not say if the file in Your or others case is a FP

But there is a new post/reply from avast team here.  https://forum.avast.com/index.php?topic=318640.0

[papinianos]

Avast Premium Security destroyed Firefox and Mozilla Thundbird with the pref.js files of the browsers as infected files with VBS Gamaredon-CM.

I don't have my email accounts and my emails accessible anymore.

PLEASE HELP !

[emwillsea]

Is that official from Avast and not just from a forum post?
This problem appears to have quarantined my Firefox profile and my Thunderbird profiles are now missing although all the quarantined files look like they come from Firefox.

[Hopper15]

I got the same thing today as well. The files are in my quarantine. I had to refresh Firefox.

[CBinRIC]

Reddit user running AVG also reported infection by VBS:Gamaredon-CM about 2 hr ago.   This may not be an AVAST issue. 

https://www.reddit.com/r/ukraine/comments/tk8q8z/is_anyone_else_getting_notifications_for_malware/

[emwillsea]

When attempting to restore the quarantined .js file and overwrite the existing file, it cannot do this.  Where do we go from here?