Sophos Home antivirus is reporting lockdown(ransomeware) alerts from Firefox
Hi, I have Firefox, OneNote and Synology Drive installed on my computer. Now since the latest update of Firefox, I have been getting ransomware lockdown detections with Firefox being flagged. I have looked through the Application event logs and it appears that Firefox is trying to adding OneNote and Synology Drive to the startup folder. Why is Firefox trying to write a Link file to the Startup folder? Here is the log concerning the OneNote app. Thank you.
Mitigation Lockdown Policy LockdownAutorun Timestamp 2024-02-20T22:17:07
Platform 10.0.19045/x64 v1391 af_21 PID 18656 Enabled 007D1E3C1DBFB004 Silent 0020040000000000 Application C:\Program Files\Mozilla Firefox\firefox.exe Created 2024-02-20T15:45:09 Modified 2024-02-20T15:45:13 Description Firefox 123
Operation WriteFile Path C:\Users\Arneg0\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
Code Injection 00450000-00451000 4KB [12612]
Dropped Files 1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\safebrowsing-updating\google4\goog-phish-proto-1.vlpset
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\F0C3AB56A47F1D43335F64620FA75A883EA51041
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\safebrowsing-updating\google4\goog-phish-proto.metadata
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\safebrowsing-updating\google4\goog-malware-proto-1.vlpset
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\safebrowsing-updating\google4\goog-malware-proto.metadata
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpset
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\safebrowsing-updating\google4\goog-unwanted-proto.metadata
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpset
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\safebrowsing-updating\google4\goog-badbinurl-proto.metadata
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Roaming\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\prefs-1.js
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\E4A4FC8B84F9DBE40C3AC31A0FD7DD0C05E1A2D8
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\1D610A75A1AA41D937495016246900C148FFF100
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\B26870E8C357A979BC7996D36BB65882A1A931F6
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\B875CB119C902063C1F1BEA0923E10E7582A601E
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\5ED962925E9EB81A8D6CF5DD3B4D8E1062A3269C
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\16B454A024E2998A1A5179AECD9D4FAFC35DA5F0
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656] Read by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Roaming\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\storage\default\https+++www.twitch.tv\ls\data.sqlite-journal
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Roaming\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\storage\default\https+++www.twitch.tv\ls\usage-journal
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Roaming\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\storage\default\https+++www.twitch.tv\ls\usage
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\A09CEBA797670F9F322381632DA8B160F2516145
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\90FDD16FEC2000F8A1638D97EE308DC95C81F92E
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\2CA398E11CC09B7375DA57208EFD3BD5BA904D46
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\BB3FDA56C845381CA42D5535991068839482CC73
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\DFE66C4D7022795B214F054C6489A4960D8635D2
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LWQ6ATYVPICL41BX0E15.temp
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656] Read by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1395580.TMP
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\7B78609CCAC2A95BFB50E4412A1CD4381822F341
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\30D08DA2677C986EEFF06436ED0E1D62D4704BC8
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\76063E3CB6F34C5778F3F17716B3F02763AE69A4
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\53BE287F70ECC0DADE19CF4044AC17F5450342CA
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\EDAA3CAACD09458C19D836A97B151EB0FEC2E240
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\92E4DAC44A4A41203044433578B1DA2607D4ABD3
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\162113EFD4A1D10ECF2E34EB3C3A79838C48A6A3
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\7678EADF141B0695384E70583BC45C046885DB03
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\4B03778870D38C04133C992D94C498A4D8333240
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\65C5E8C0E0CFAD30BA2751E8B93870A60D5C458E
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Roaming\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\sessionstore-backups\recovery.jsonlz4.tmp
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656] Read by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\8F558043B6E703B023F3EE16A400ADD300732AB0
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\028813CD189F0915003E31741A3385D0840B87F9
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\C9D138E1A2A2720D09F802FCB41691CA12FB13C0
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\3ACFC24ACC057B04A94A1D2437C9188FB79D7A74
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\2A27A420C3B671498AD9D51EDC787CCC833C5DF4
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\0A077FC4D3EB170EEDE2B82BB1C5C2E874EE5684
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\657EDFAB2534BE4952BE847A29CC490C7F485A1E
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\324F546D1CFD31451DFFA89094CCB09A0EBF3E0C
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\829EC95947AC7C0668D89F076B8D52BD9BEFC257
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\CF78C58F3F07D2811AD45F09DAD6CD127726172B
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\B6DF3D96BC3C34C62E3381523C1FEBAF53B75726
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\789FC910E8613BB8B153A483F53D8F454E9F754E
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\6D3F7679DE669FE907C25AA217A170EFCB990316
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\497E43835EDC32C90C3A71406002856DEB0401E8
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\877E31BC2662B8A30FB4D07C97557FE67FDC83AF
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\63A71C5B8107B520D731D707F82E06868F9AB76C
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\11CA6CD047F198930B97BE77142920BEC9A1B5DE
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\C86E275D99B7A4CA2F45EFF77F872CB15641417A
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\index.tmp
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\BB8051E73E4A3BC9B341560F568DBFFD67C9B944
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\F6EDC23F4517262DFA8483168066C851639759D2
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\23EF2854D2CDBFFF4A0FF333628BBBBDE6E5E2DB
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\840569D6AB4082A21E907E0FE8609C7BDDC5705A
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
1 C:\Users\Arneg0\AppData\Local\Mozilla\Firefox\Profiles\lpygdt4d.default-release-1668786949531\cache2\entries\1C207E4A3435CFDFBE69145CCA477FCEE1043E3F
Dropped by C:\Program Files\Mozilla Firefox\firefox.exe [18656]
所有回复 (2)
Firefox uses the secondary profile folder in "\AppData\Local" to store tempary data. Items with \cache2\entries are about Firefox storing files in the disk cache and are quite normal. Items with safebrowsing-updating are about Firefox updating files used by Safe Browsing (phishing/malware protection).
- https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware
- https://support.mozilla.org/en-US/kb/Firefox+cache+file+was+infected+with+a+virus
Firefox uses two locations in the hidden "AppData" location for the Firefox profile folder. One location in "AppData\Roaming" for personal data like bookmarks and logins and another location in "AppData\Local" for temporary files like the disk cache.
Primary location used for the main profile that keeps your personal data (Root Directory on about:profiles).
- C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>
Secondary location used for the disk cache and other temporary files (Local Directory on about:profiles).
- C:\Users\<user>\AppData\Local\Mozilla\Firefox\Profiles\<profile>
The "Open Firefox automatically when you start your computer" feature might be touching other startup files which is tripping the security software. Check the Startup folder and see if "Send to OneNote.lnk" already exists.