Difficult to investigate AV flagging infections from within cache2\entries\
Hi all,
Seeing a few files getting flagged by AV from within the \appdata\...\cache2\entries\ location, trouble is cannot investigate further / quarantine / whitelist, because of the nature of the cached files, rendered as a series of letters/numbers, without extension... they also appear to be auto-deleted before it's possible for AV to interrogate further.
Presuming chances are these are false-positive flags, but would be good to be able to verify this one way or another.
Similar files seem to exist for Firefox users generally, but vast majority are not currently flagged.
Any thoughts/ideas/similar experiences appreciated...
All Replies (3)
I should probably add: cache clearing, reset, clean, re-install of Firefox and manual deletion of folders, does not necessarily help resolve this - flags can still return after reinstall.
Currently 'best solution' seems to be cache set to clear on browser closing, but wondering if more effective solution possible to avoid this as an ongoing issue, where the usual AV investigation not possible.
What AV software do you have?
That is likely a false positive as this is a file in the Firefox disk cache folder, see:
Hi cor-el,
Thanks for your reply - Yeah this does seem to be most likely, we're using Heimdal and I'm in touch with them about it, but the difficulty is there doesn't appear to be an easy way to confirm one way or another, and so repeat alerts create noise in terms of AV flagging, and potential difficulties for users where auto AV protections kick in on flagging - For example, some user restrictions can be triggered by AV flags.
Ordinarily AV analysis might allow interrogation of the flagged file, but in this case there seems to be no way to achieve this... unclear if there's currently a way round this, but thought I'd ask as could become a more common issue with heuristic ID'ing of potential threats.