
How Do I Report ER.Heur!gen1 False Positive for Firefox Directory?

Does anyone have any insight into the attached ER.Heur!gen1 detection I had a few days ago or how I can file a false positive report?

According to SystemLookup {ec8030f7-c20a-464f-9b0e-13a3a9e97384} is the default GUID for Firefox itself and the %Appdata%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} location "is a generic folder where Firefox extensions might be installed - see global extensions. The extensions located in the folder require individual checking.  Extensions installed in this way do not have Remove button in the Add-ons Manager."

The section titled Global Extensions in the MozillaZine article Uninstalling Add-ons also states "Extensions may also be globally installed into a predefined user directory for Mozilla extensions. For example, an extension may be installed for Firefox on Windows, into the %APPDATA%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\ folder, which makes it accessible to all Firefox profiles for that Windows user."

All my browser extensions seem to be working normally in my default FF user profile.  As far as I can tell Norton's heuristic protection removed my hidden C:\Users\<username>\AppData\Roaming\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} folder that is normally reserved for storing global extensions (a default folder that may or may not be critical for normal functioning of my FF ESR v52.x browser) after mistaking the GUID {ec8030f7-c20a-464f-9b0e-13a3a9e97384} in the folder name as a rogue toolbar extension or some sort of PUP.  I tried to file a false positive report at https://submit.symantec.com/false_positive/ but couldn't finish the submission because there's no actual file, SHA-256/MD5 hash or URL associated with the detection.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.14.2.13

Replies

Kudos0

Re: How Do I Report ER.Heur!gen1 False Positive for Firefox Directory?

Hello lmacri

Your file attachment shows threat was removed. Threat Removed. Is there anything in your quarantine in your History Logs under Quarantine? Can you enter that line where it shows Directory and says threat was removed?

Have a Good Night and

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NS with BackUp 22.14.2.13 Core Firmware 237 I E 11
Kudos0

Re: How Do I Report ER.Heur!gen1 False Positive for Firefox Directory?

Hi floplot:

From the log exported from my security history that was attached to my original post:

____________________________

File Actions

Directory: C:\Users\Lori\AppData\Roaming\mozilla\extensions\ {ec8030f7-c20a-464f-9b0e-13a3a9e97384} Threat Removed
____________________________

The only odd thing I can see is that there's a space in the pathname (i.e., ...\extensions\ {ec8030f7..., not ...\extensions\{ec8030f7-c...) in the security history log. That space isn't shown in the pathname of this default Firefox directory for global extensions in the support articles on SystemLookup and MozillaZine I referenced above, but that space is likely just an artifact in the log to show the specific subfolder that was removed.

AFAIK I've never installed a global extension that could be shared between my Firefox user profiles, which is probably why I haven't noticed a change in the behaviour of my FF ESR v52 browser since Norton quarantined the directory.

EDIT:

It's a bit confusing, but the log seems to show that the entire default directory for storing global extensions was removed, not a .XPI file for a browser extension inside the directory as I might have expected if an unwanted browser extension (PUP) was detected. Here's a log excerpt from a false positive detection I always see when I try to run the Farbar Scan Recovery Tool (FRST.exe) utility if the executable file is quarantined before I can whitelist it.

____________________________

File Actions

File: c:\users\lori\desktop\ frst.exe Removed
____________________________

----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.14.2.13

Kudos0

Re: How Do I Report ER.Heur!gen1 False Positive for Firefox Directory?

Hello

I have seen on the malware removal sites that they ask you to disable your security program before you run an FRST scan.

Have a Good Night and

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NS with BackUp 22.14.2.13 Core Firmware 237 I E 11
Accepted Solution
Kudos0

Re: How Do I Report ER.Heur!gen1 False Positive for Firefox Directory?

Can anyone from Norton/Symantec tell me if the deletion of my C:\Users\<username>\AppData\Roaming\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} folder that is normally reserved for storing global extensions was a false positive detection?

Right now my options are:

  • Leave this predefined Firefox user directory in quarantine and wait to see if the removal has corrupted my browser.
  • Restore the folder from quarantine and hope that this ER.Heur!gen1 detection was a false positive detection of an empty folder (i.e., and not a real detection of an attempted installation of an unwanted toolbar extension / PUP that doesn't have a Remove button in Tools | Add-ons).
  • Create a new Firefox profile, recover my bookmarks and other customized settings, and then re-install and re-configure all my browser extensions and plugins (which I really don't want to do).

If I can't figure out how to report this detection as a possible false positive I'm just concerned that other XP and Vista users who use the Firefox ESR v52.9.0 browser that is compatible with these older OSs (i.e., without the Quantum engine introduced in FF v57) will eventually run into the same problem.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.14.2.13

Kudos1 Stats

Re: How Do I Report ER.Heur!gen1 False Positive for Firefox Directory?

lmacri,

Re: How Do I Report ER.Heur!gen1 False Positive for Firefox Directory?
Posted: 16-Jul-2018 | 1:12PM • Permalink

Can anyone from Norton/Symantec tell me if the deletion of my [...]

I've bumped upstairs.