Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Autoupdate always results in file XUL.DLL deleted by Norton AV resulting in dead Ffox, only fix is use IE to reinstall from Mozilla, Norton OK with XUL.DLL here

  • 12 replies
  • 4 have this problem
  • 730 views
  • Last reply by sqaeng

more options

Whenever Firefox auto-update runs Norton360 detects a virus in the updated xul.dll file (the virus is identified as: Suspicious.Cloud.9.B a heuristic virus) and deletes it from the "Mozilla firefox/updated" folder. When Firefox tries to restart it inevitably crashes. I then have to load another browser to download Firefox from the Mozilla website. This version (supposedly the same as the version loaded by auto-update) installs without complaint from Norton360 (note: Firefox keeps its previous settings OK). 1. Is there any difference between the two versions of xul.dll? 2. does the xul.dll file contain a virus? and 3. How can I get an auto-update to work first time?

Chosen solution

I've experienced this error condition for several of the recent updates to FireFox (38.0.5 Funnelcake June 2015 Mozilla 39-1.0). My security system is Comcast-supplied Norton Security Suite Ver. 22.5.2.15, on a Win XP installation. Now, when an automatic update to FireFox is announced, I avoid this error by 1) disabling NSS Auto Protect, 2) installing the latest FireFox update, 3) re-enabling NSS Auto Protect. There are no warning messages and the updated FireFox runs unremarkably.

Read this answer in context 👍 0

All Replies (12)

more options

Hi AHawkins:

This Suspicious.Cloud.9.B detection of xul.dll (Mozilla Runtime) is a false positive and a common problem for many Norton users running Win XP SP3. Norton acknowledged the problem in March 2015 (see Symantec employee Mohan_G's post <here>) but no further feedback has been posted by Symantec since then.

See the following links in the Norton forum for more info: Updater.exe is Really xul.dll (Suspicious.Cloud.9.B)? Problem with Firefox 36.01 Update


32-bit Vista Home Premium SP2 * Firefox 38.0.5 * NIS 2014 v. 21.7.0.11

Modified by lmacri

more options

Hi Imacri

Thanks for the link to the Norton Forum, and like many others there I have been having this problem since (at least) version 36.0 I was mainly puzzled by the fact Norton reacts to the version of xul.dll installed by the auto-updater, but not the version provided by the clean install even though they should be the same (this is possibly a question for Norton?).

It looks as though I will have to use the "Notify Me of Updates" option for firefox and then do a manual install.

Also to confrm, yes I am using WinXP SP3.

more options

Hi AHawkins:

Did this detection happen when you were updating to the latest Firefox v38.0.5 and are you using the latest N360 v21.7.0.11? Regardless, it might be a good idea to post in Pixma's thread Problem With Firefox 36.01 Update and let them know your xul.dll was quarantined when your FF browser auto-updated, since that is the thread that Symantec employee Mohan_G is supposedly monitoring.

I've looked through some of the related threads in the Norton forum and the problem does seem more prevalent if your allow Firefox to auto-update (i.e., when Tools | Options | Advanced | Firefox Updates | Automatically install updates... is enabled). Suspicious.Cloud.9.B is a heuristic (behaviour-based) detection so it could be the behaviour of the updater.exe file that is triggering the quarantine of xul.dll.

Since this is a known false positive for Win XP users, you can restore your xul.dll file from quarantine as instructed in the Norton support article Restoring an Item from the Quarantine to get Firefox working again if this problem reoccurs in the future. Choose the option to Restore & Exclude this File to ensure Norton Auto-Protect does not re-quarantine xul.dll. Once the xul.dll file is restored to its original location you should also submit a false positive report to Symantec as instructed at https://submit.symantec.com/false_positive/ to ensure Symantec is aware of the problem and has a sample of the file for analysis. Xul.dll is ~ 35 MB (i.e., larger than the max 20 MB file size for attachments) so it will have to be compressed and saved as a .zip file using file compression software such as WinZip or WinRAR before it can be uploaded for analysis.

Some Win XP users have reported that Firefox updates normally if they disable auto-updates (Tools | Options | Advanced | Firefox Updates | Check for updates, but let me choose whether to install them) and then manually update with the stub installer from Help | About Firefox after they are notified that a FF update is available. However, it might be safer to download the full ~ 39 MB offline installer from https://www.mozilla.org/en-US/firefox/all/ , close your FF browser and then run the offline installer to perform future updates - at least until Symantec confirms they have fixed the problem.


32-bit Vista Home Premium SP2 * Firefox 38.0.5 * NIS 2014 v. 21.7.0.11

Modified by lmacri

more options

My suggestion is to consider using a different Security Suite, like maybe one that doesn't produce false positives like that and "ruin your day".

more options

Or even an OS that is still supported. I note the free MSE updates appear to have ceased

more options

@john99:

The Norton Support article Is My Windows XP Computer Still Protected After Microsoft Stops Supporting It states the following: "Your Norton products will continue to support Windows XP for the foreseeable future " so there's no excuse for Norton to ignore bugs / false positives that are specific to Win XP computers.

@the-edmeister

Most Norton products come with a 60-day money-back guarantee so switching to a new AV might be a viable option, but if AHawkins activated their Norton product more than 60 days ago then uninstalling their Norton product after purchasing an annual subscription could be a costly option.


32-bit Vista Home Premium SP2 * Firefox 38.0.5 * NIS 2014 v. 21.7.0.11

Modified by lmacri

more options

Talking about, cost which isn't really within this forum's scope, certainly at one time it was cheaper to alternate AV providers as introductory offers were way cheaper than contract renewals.

Thanks for your input lmacri We aren't here to provide Norton Support, but it is good to have links; you are able to provide; to Norton's information to help Firefox users.of Norton

more options

Norton has been doing a similar false positive with the SeaMonkey suite for over a few years now and Norton has yet to bother to fix it. As a result it has been listed as a known issue in SeaMonkey release notes since.

Example : http://www.seamonkey-project.org/releases/seamonkey2.33/#issues

more options

Many thanks for your all your comments.

As with most things, the problem is not in any one program, but the interaction between the two. Unfortunately the behaviour of the auto-update is such that it is invoked when there is a running copy of Firefox on the machine so it has to load its components in a temporary directory within the Mozilla directory structure to wait for the next instigation of Firefox, at which time it can replace the files in the main directory with those in the "updated" directory. This waiting and replacing behaviour is exactly the type of thing Norton expects of Heuristic viruses and reacts accordingly. As each version of xul.dll has a different signature, Norton has elected to give a false positive with each new version rather than risk allowing an infection. (I personally prefer they err on the side of caution). The earlier forms of the updater used to ask the operator to close Firefox before it would proceed and this behaviour doesn't appear to trigger a reaction from Norton (so far as I can remember). I always select the "notify me of updates" option and, where possible, select the "custom" or manual update procedure for all programs I use so I can control (or at least see) what these programs are doing to MY hardware, although in most cases I end up with the default options anyway. Recently I have tended to invoke the update installer by clicking on the download icon in Firefox and selecting the setup executable from there resulting in the virus detection and its consequences, in future I will try to download the setup executable and save it to an area I have for updates and run it from there after closing Firefox.

I will keep this thread open in the meantime until the next round of updates.

For your info Imacri: The detection occurred with the latest versions of Norton360 (21.7.0.11 and renewed in mid March) and Firefox v38.05, I have not yet posted to Pixma's thread as I was trying to understand the underlying nature of the problem (now all I need is another update to test the theory ;-} )

more options

Another round of Updates (Firefox 39.0.1) and another Suspicious.Cloud.9.B virus alert.

Firefox update alert appeared so I closed Firefox and then ran the updater. Norton came back with the usual virus alert. I went into Norton to reinstate xul.dll from quarantine, told Norton360 not to check this file in the future and allowed the update to complete.

When I got Firefox running (required a reboot!) I looked at "Help - About Firefox" and was told I am still running 38.0.5 and have an "Update to 39.0" button showing in the help-About dialogue box. So I selected/clicked on the "Update to 39.0" button.

Virus warning number 2 and deleted xul.dll file-AGAIN. Clicked Restore and got asked (I paraphrase) Where to? I told it to use my update directory (completely different hard drive) so that I could reposition it manually. Norton could not make a suggestion as by now the directory from which it had been deleted no longer existed - the directory was deleted by firefox when it tried to complete the update (only to find the runtime file (xul.dll) was missing). I manually copied the xul.dll file to the "Program Files\Mozilla Firefox" directory and was finally able to run version 39.0 Firefox.

In future I think I will have to ignore the update dialogues that pop-up in Firefox for at least a week to give Symantec a chance to update Norton.

more options

The number of times I have seen Norton do this false positive with Firefox versions has been small compared to the postings about this false positive with SeaMonkey on the independent forums.mozillazine.org

There is no chemspill update (39.0.1) for the 39.0 Release yet.

Though it does happen with Firefox users and maybe more so for Windows XP users as for example it did this with Firefox 36.0.1 http://community.norton.com/en/forums/problem-firefox-3601-update

recent https://community.norton.com/en/forums/suspicious-cloud-9-0

If you can try to report to them so they will more likely to make an effort to fix it. They may not bother with the same issue with SeaMonkey so much but with a much larger number of Firefox users they may make more effort to fix it, hopefully more permanently for once.

Somebody had over 100 programs affected by this Suspicious.Cloud.9 claim and quarantine. https://community.norton.com/en/forums/suspiciouscloud9-over-100-false-positives-morning

Modified by James

more options

Chosen Solution

I've experienced this error condition for several of the recent updates to FireFox (38.0.5 Funnelcake June 2015 Mozilla 39-1.0). My security system is Comcast-supplied Norton Security Suite Ver. 22.5.2.15, on a Win XP installation. Now, when an automatic update to FireFox is announced, I avoid this error by 1) disabling NSS Auto Protect, 2) installing the latest FireFox update, 3) re-enabling NSS Auto Protect. There are no warning messages and the updated FireFox runs unremarkably.