How Do I Report ER.Heur!gen1 False Positive for Firefox Directory?

Does anyone have any insight into the attached ER.Heur!gen1 detection I had a few days ago or how I can file a false positive report?

According to SystemLookup {ec8030f7-c20a-464f-9b0e-13a3a9e97384} is the default GUID for Firefox itself and the %Appdata%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} location "is a generic folder where Firefox extensions might be installed - see global extensions. The extensions located in the folder require individual checking.  Extensions installed in this way do not have Remove button in the Add-ons Manager."

The section titled Global Extensions in the MozillaZine article Uninstalling Add-ons also states "Extensions may also be globally installed into a predefined user directory for Mozilla extensions. For example, an extension may be installed for Firefox on Windows, into the %APPDATA%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\ folder, which makes it accessible to all Firefox profiles for that Windows user."

All my browser extensions seem to be working normally in my default FF user profile.  As far as I can tell Norton's heuristic protection removed my hidden C:\Users\<username>\AppData\Roaming\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} folder that is normally reserved for storing global extensions (a default folder that may or may not be critical for normal functioning of my FF ESR v52.x browser) after mistaking the GUID {ec8030f7-c20a-464f-9b0e-13a3a9e97384} in the folder name as a rogue toolbar extension or some sort of PUP.  I tried to file a false positive report at https://submit.symantec.com/false_positive/ but couldn't finish the submission because there's no actual file, SHA-256/MD5 hash or URL associated with the detection.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.14.2.13
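
The post above could not complete a false-positive submission because no file or hash was associated with the detection. As an added example (not part of the original post, and not Norton or Mozilla code), this Python script inventories the per-user global extensions folder named above and reports whether it is missing, contains no files, or holds files, with a SHA-256 for each one. The function names are assumptions made for this example.

```python
import hashlib
import os
from pathlib import Path

# Firefox's application GUID, as quoted in the post above.
FIREFOX_GUID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"

def global_extensions_dir(appdata=None):
    """Per-user global extensions folder; appdata defaults to %APPDATA%."""
    appdata = appdata or os.environ.get("APPDATA", "")
    return Path(appdata) / "Mozilla" / "Extensions" / FIREFOX_GUID

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large .xpi archives are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory(folder):
    """None if the folder is missing, else sorted (relative path, sha256) pairs.

    An empty list means the folder exists but holds no files at all.
    """
    folder = Path(folder)
    if not folder.is_dir():
        return None
    files = sorted(p for p in folder.rglob("*") if p.is_file())
    return [(p.relative_to(folder).as_posix(), sha256_of(p)) for p in files]

if __name__ == "__main__":
    target = global_extensions_dir()
    found = inventory(target)
    if found is None:
        print(f"{target}: folder does not exist")
    elif not found:
        print(f"{target}: folder exists and contains no files")
    else:
        for rel, digest in found:
            print(f"{digest}  {rel}")
```

Run before and after restoring a folder from quarantine, the output shows whether anything other than an empty directory came back.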

Hi Sunil_GA:

Thanks for your response.  I've sent you a PM with further details.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.14.2.13

Hi @lmacri,

Sorry for the delay in response. Can you please submit the quarantined folder to FP for further investigation to determine if this is a false positive detection or not? Thanks

Also,

- Is your Firefox browser working without any issues?

- Do you have this folder recreated in the same location?

 

@Gayathri_R

@Mohan_G

@Sunil_GA

Can anyone help lmacri, please?

To add insult to injury, I contacted Norton Customer Support via Live Chat on 17-Jul-2018 as I was asked to do by a Symantec employee in a PM, and my Inbox is now being flooded with automated e-mails from nortonsupport2 @ symantec.com all stating "Thank you for contacting Norton support! Your case number is xxxxxxxx. If you have any further queries in the meantime, please do not hesitate to contact us again quoting your case number." I'm receiving this same e-mail multiple times a day and getting 2 to 3 copies (all with the identical date/time stamp) each time another e-mail blast goes out.

I never did receive a definitive answer about whether my ER.Heur!gen1 detection was a false positive (and I'm past the point of caring now), so I hope Norton Customer Support doesn't expect me to contact them again and ask them to mark my case as solved just to put a stop to these e-mails.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.14.2.13

lmacri,

Re: How Do I Report ER.Heur!gen1 False Positive for Firefox Directory?
Posted: 16-Jul-2018 | 1:12PM

Can anyone from Norton/Symantec tell me if the deletion of my [...]

I've bumped upstairs.  
 

Can anyone from Norton/Symantec tell me if the deletion of my C:\Users\<username>\AppData\Roaming\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} folder that is normally reserved for storing global extensions was a false positive detection?

Right now my options are:

  • Leave this predefined Firefox user directory in quarantine and wait to see if the removal has corrupted my browser.
  • Restore the folder from quarantine and hope that this ER.Heur!gen1 detection was a false positive detection of an empty folder (i.e., and not a real detection of an attempted installation of an unwanted toolbar extension / PUP that doesn't have a Remove button in Tools | Add-ons).
  • Create a new Firefox profile, recover my bookmarks and other customized settings, and then re-install and re-configure all my browser extensions and plugins (which I really don't want to do).

If I can't figure out how to report this detection as a possible false positive I'm just concerned that other XP and Vista users who use the Firefox ESR v52.9.0 browser that is compatible with these older OSs (i.e., without the Quantum engine introduced in FF v57) will eventually run into the same problem.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.14.2.13

Hello

I have seen on the malware removal sites that they ask you to disable your security program before you run an FRST scan.

Have a Good Night and

Thanks.

Hi floplot:

From the log exported from my security history that was attached to my original post:

____________________________

File Actions

Directory: C:\Users\Lori\AppData\Roaming\mozilla\extensions\ {ec8030f7-c20a-464f-9b0e-13a3a9e97384} Threat Removed
____________________________

The only odd thing I can see is that there's a space in the pathname (i.e., ...\extensions\ {ec8030f7..., not ...\extensions\{ec8030f7-c...) in the security history log.  That space isn't shown in the pathname of this default Firefox directory for global extensions in the support articles on SystemLookup and MozillaZine I referenced above, but that space is likely just an artifact in the log to show the specific subfolder that was removed.

AFAIK I've never installed a global extension that could be shared between my Firefox user profiles, which is probably why I haven't noticed a change in the behaviour of my FF ESR v52 browser since Norton quarantined the directory.

EDIT:

It's a bit confusing, but the log seems to show that the entire default directory for storing global extensions was removed, not a .XPI file for a browser extension inside the directory as I might have expected if an unwanted browser extension (PUP) was detected.  Here's a log excerpt from a false positive detection I always see when I try to run the Farbar Scan Recovery Tool (FRST.exe) utility if the executable file is quarantined before I can whitelist it.

____________________________

File Actions

File: c:\users\lori\desktop\ frst.exe Removed
____________________________

----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.14.2.13

Hello lmacri

Your file attachment shows the threat was removed ("Threat Removed"). Is there anything in your quarantine in your History Logs under Quarantine? Can you enter that line where it shows Directory and say threat was removed?

Have a Good Night and

Thanks.