Author Topic: Is prefs.js a false positive?  (Read 7940 times)


Offline Traxy

  • Newbie
  • *
  • Posts: 6
Is prefs.js a false positive?
« on: March 22, 2022, 07:23:42 PM »
Had an alert for prefs.js (Firefox profile settings file) come up and be quarantined.

Threat name: VBS-Gamaredon-CM [Apt]
Threat type: Advanced persistent threat - This is a targeted attack in which an attacker hides out on your network to spy on you or steal your data.
File path: C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\nn7c461p.default-release\prefs.js
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Detected by: File Shield

Alert ID: 9aade828c058/220322.1742+0000

From what I can tell from googling, it's not unusual for the file to be flagged by some programs as a false positive. Sometimes it can flag up when Firefox is looking for updates. Ran a scan with MalwareBytes as well and it didn't find any issues, hence why I'm wondering if it's something I should be concerned about or if it's a false positive.

In quarantine it's listed 12 times between 17:42 and 17:45. I've sent the latest one to be analysed, as the option was there.

Gamaredon appears to be a Russian hacker group known for picking Ukrainian targets, but I'm nowhere near Ukraine.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Is prefs.js a false positive?
« Reply #1 on: March 22, 2022, 07:32:37 PM »
Also reported here - https://forum.avast.com/index.php?topic=318638.0

I use Firefox (latest version) as my default browser and so far I haven't bumped into this.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline LukasJ

  • Avast team
  • Jr. Member
  • *
  • Posts: 86
Re: Is prefs.js a false positive?
« Reply #2 on: March 22, 2022, 08:27:26 PM »
Hi, it was False Positive. It should have been already fixed.
Lukas
« Last Edit: March 22, 2022, 08:43:47 PM by LukasJ »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Is prefs.js a false positive?
« Reply #3 on: March 22, 2022, 08:55:58 PM »
Hi, it was False Positive. It should have been already fixed.
Lukas

Thanks for that.

Though I haven't been impacted in this, is there a way for those affected to be able to get back into their Firefox/Thunderbird profiles?

EDIT: Or is it a case of restoring the prefs.js file if it was sent to the virus chest?
« Last Edit: March 22, 2022, 08:57:38 PM by DavidR »

Offline papinianos

  • Newbie
  • *
  • Posts: 11
Re: Is prefs.js a false positive?
« Reply #4 on: March 22, 2022, 08:57:05 PM »
Hi, it was False Positive. It should have been already fixed.
Lukas

I have a huge problem, especially with Mozilla Thunderbird. I can't access my email accounts and my emails.

Should I restore the prefs.js back to its original location or what?

Offline papinianos

  • Newbie
  • *
  • Posts: 11
Re: Is prefs.js a false positive?
« Reply #5 on: March 22, 2022, 09:19:57 PM »
Hi, it was False Positive. It should have been already fixed.
Lukas

Thanks for that.

Though I haven't been impacted in this, is there a way for those affected to be able to get back into their Firefox/Thunderbird profiles?

EDIT: Or is it a case of restoring the prefs.js file if it was sent to the virus chest?


The quarantined prefs.js file of my Mozilla Thunderbird has 4 options: 1) restore, 2) restore and add exception, 3) extract and 4) send for analysis.

Can I use the EXTRACT first, in order to be absolutely sure that I'll have safely backed up the file before I use the restore option, or am I thinking it wrong?

Offline guitarhero

  • Newbie
  • *
  • Posts: 16
Re: Is prefs.js a false positive?
« Reply #6 on: March 22, 2022, 09:21:05 PM »
Hey everyone, I had the exact same issue on one of my computers.

What I found odd is that initially I kept getting the pop-up even when Firefox wasn't running. When I restarted my computer it stopped. I ran some system scans and they came up clean.

Also, some of my settings in Firefox were changed (my home page had changed, along with a few other settings). I don't really understand why.

But if it's a false positive and fixed then great.


Offline papinianos

  • Newbie
  • *
  • Posts: 11
Re: Is prefs.js a false positive?
« Reply #7 on: March 22, 2022, 09:48:45 PM »
I restored the prefs.js file back to the profile folder in Thunderbird and THANK GOD everything is as it should be. Phewwwwww...

Offline Traxy

  • Newbie
  • *
  • Posts: 6
Re: Is prefs.js a false positive?
« Reply #8 on: March 22, 2022, 10:04:41 PM »
Hi, it was False Positive. It should have been already fixed.
Lukas

Phew! Good to know. Thank you!

Offline LukasJ

  • Avast team
  • Jr. Member
  • *
  • Posts: 86
Re: Is prefs.js a false positive?
« Reply #9 on: March 22, 2022, 10:07:39 PM »
Yes, you can restore prefs.js. It should solve the problem with Thunderbird profiles.
Lukas

Offline CBinRIC

  • Newbie
  • *
  • Posts: 5
Re: Is prefs.js a false positive?
« Reply #10 on: March 22, 2022, 10:43:16 PM »
BUT, AVAST created multiple Thunderbird (and Firebird) profiles.

When I extracted each, named for the sequence quarantined, the first Thunderbird profile was largest, 61 KB, and subsequent profiles were as small as 1 KB.

I am assuming that first and largest is correct and subsequent profiles were created and quarantined because Thunderbird and AVAST were both running.

In contrast, the first couple of Firefox profiles were the same size.

Should the FIRST profile quarantined be the one to RESTORE?

Offline LukasJ

  • Avast team
  • Jr. Member
  • *
  • Posts: 86
Re: Is prefs.js a false positive?
« Reply #11 on: March 22, 2022, 11:11:08 PM »
Hmmm. It's a good question. I am not sure. I would guess the first quarantined will be the file you need. Try to restore the first file. If it does not help, then create a copy of this file and restore another.

Offline emwillsea

  • Newbie
  • *
  • Posts: 4
Re: Is prefs.js a false positive?
« Reply #12 on: March 23, 2022, 12:03:12 PM »
On Twitter, Avast advised me to attempt to restore the first quarantined file; however, Avast wouldn't restore the files for me in TB or FF. I hope Avast have a solution.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Is prefs.js a false positive?
« Reply #13 on: March 23, 2022, 12:58:43 PM »
Good that avast team reacted.
Also read here: https://support.mozilla.org/en-US/questions/1280774

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline CBinRIC

  • Newbie
  • *
  • Posts: 5
Re: Is prefs.js a false positive?
« Reply #14 on: March 23, 2022, 01:07:57 PM »
On Twitter, Avast advised me to attempt to restore the first quarantined file; however, Avast wouldn't restore the files for me in TB or FF. I hope Avast have a solution.

I was able to use EXTRACT to save a copy of each PROFILE onto my HD in a temporary folder. The quarantine lists the original location of the file. I believe you should be able to replace the file in TB and FF with the corresponding FIRST quarantined file that was EXTRACTED.

You can find explanations online for how to move both TB and FF from one computer to another. (I have successfully done this when rebuilding a laptop after updating the OS.) Moving the profile seems analogous to PART of that process.
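When the chest holds several copies of prefs.js of very different sizes (the 61 KB vs 1 KB case CBinRIC describes) it helps to check the extracted copies before restoring one rather than guessing by position. The script below is an added example, not code from this thread or from Avast or Mozilla: it parses each copy as a list of `user_pref("name", value);` lines, ranks syntactically intact copies with the most settings first, and shows which settings differ between two copies (useful after guitarhero's observation that a home page changed). The sample copies and file names are constructed for the example.

```python
import re
from pathlib import Path

# One setting per line in prefs.js: user_pref("name", value);   (comment lines start with //)
PREF_LINE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')

def parse_prefs(text):
    """Parse a prefs.js body into ({name: raw_value}, [malformed lines])."""
    prefs, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("//", "/*", "*")):
            continue
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
        else:
            malformed.append(line)
    return prefs, malformed

def rank_copies(copies):
    """copies: {label: text}. Best-first: syntactically clean copies before damaged
    ones, then the copy carrying the most settings (the large copy in the thread)."""
    scored = []
    for label, text in copies.items():
        prefs, malformed = parse_prefs(text)
        scored.append((not malformed, len(prefs), label))
    scored.sort(key=lambda s: (s[0], s[1]), reverse=True)
    return [label for _, _, label in scored]

def pref_diff(a, b):
    """Settings whose value differs between two copies: {name: (value_in_a, value_in_b)}."""
    pa, pb = parse_prefs(a)[0], parse_prefs(b)[0]
    return {k: (pa.get(k), pb.get(k)) for k in pa.keys() | pb.keys() if pa.get(k) != pb.get(k)}

def load_copies(directory):
    """Read every *.js file extracted from the chest into {filename: text} (assumed layout)."""
    return {p.name: p.read_text(encoding="utf-8", errors="replace")
            for p in sorted(Path(directory).glob("*.js"))}

# Constructed sample copies (not real quarantine contents): a full one, a near-empty one
# written while the browser was still running, and one cut off mid-line.
SAMPLE_COPIES = {
    "prefs_1.js": ('// Mozilla User Preferences\n'
                   'user_pref("browser.startup.homepage", "https://example.org/");\n'
                   'user_pref("privacy.donottrackheader.enabled", true);\n'
                   'user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1647965000);\n'),
    "prefs_2.js": 'user_pref("browser.startup.homepage", "about:home");\n',
    "prefs_3.js": 'user_pref("browser.startup.homepage", "about:home"\n',
}

if __name__ == "__main__":
    print(rank_copies(SAMPLE_COPIES))
    print(pref_diff(SAMPLE_COPIES["prefs_1.js"], SAMPLE_COPIES["prefs_2.js"]))
```

Point `load_copies()` at the folder the EXTRACT option wrote to, then restore the copy that ranks first and use `pref_diff()` against the others to see which settings the smaller copies had lost.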