ClamTK Finds Malware from Firefox and Privacy Badger

Recently, I ran ClamTK on my Home directory and it discovered about 30 instances of malware that came from Firefox with Privacy Badger add-on. Interestingly, no malware came from my Brave or Chromium browsers that I also use. Most of the malware found looked like this:

Firefox PUA Win.Trojan.Xored . . .
Firefox PUA Html.exploit.CVE . . .

This is making me no longer trust Firefox and I was wondering what privacy and secure browsers I can use instead of Firefox. On other platforms I used Librewolf but I don’t think it works on Manjaro.

It is hard to comment on that without context. Were were these found? In extensions? In cache? Well those are things that you have control on - visiting malicious sites or downloading bad extensions.
Besides, PUAs can often be false positives.


Logs or it didn’t happen.

They’re most likely false-positives. I don’t suppose you researched before posting?

1 Like

Consider emptying your Firefox caches, and installing UBlock Origin instead of PrivacyBadger. I would question whether ClamTK is presenting too many false positive detections; or whether any such malware as you have labelled it is possibly coming from a Windows installation (if Firefox Sync is used, for example).

ClamAV without some tuning of options and databases throws a lot of false positives.

Wrong (false positive as the other mentioned already), Firefox is still the best browser.

You used the wrong settings and Privacy Badger sucks too.

There are so many changes you can do, to improve the security in Firefox… Ton’s of adjustments in about:config and really good and strong addons.

Cookie AutoDelete
uBlock Origin

Then go in Option> Privacy& Security>
check Delete cookies and site data when Firefox is closed.
check Always use private broswing mode.
uncheck Autofill

1 Like

Of course, ClamTK found problems with Privacy Badger, because Privacy Badger also has to store the malware signatures for its own use.

Any malware detection software that is not obsfucating :melting_face: its store of malware signatures will be detected by another malware detector as malware itself. :wink:

1 Like

Since we are just making recommends…

Not really sure how thats needed.

Ships old libraries, contributes to fingerprinting, doesnt always work, useless for protection against IP snoop, etc.

Redundant with ublock

arkenfox may be a little too much as a whole, but it can function as an ok reference.

Back to the issue here … without providing more information we are still in the same spot as during the initial replies.

1 Like

OK, thanks for the suggestions. I removed Privacy Badger and added Ublock Origin to Firefox. I cleaned the history as usual.

Then, I ran ClamTK again and it found 3 more PUA’s in Firefox cache. I can’t see any way to copy the scan results in ClamTK and I wasn’t able to pinpoint a ClamAV log file. Sorry. Maybe someone can show me how to find the ClamAV log files.

… how is something in Firefox cache supposed to be going to be a malicious … thing?
under Linux

A threat, essentially?


The descriptions of the "PUA"s should tell …

1 Like


I can. :wink:

1 Like

While we are on Privacy, any thoughts about Ghostery?

known bad actor since the 2000’s

I just looked and it seems while it has changed hands over the years … its still a bad actor that serves you ads.

Also, what it would offer is considered redundant since FF 86.
(as noted in the arkenfox link on extensions above, link again)

1 Like

It should also be noted that Firefox is a free, open source browser, which would make embedding malware without any of its millions of users noticing a near-impossible task.

1 Like

Another option which pretty much obviates uBlock is to merge /etc/hosts with the file available at which blocks thousands of known malware domains (as well as advertising servers, trackers, etc) at the DNS level, so they never get anywhere near your computer.
Another useful addition is which blocks everything owned by Zuckerberg’s surveillance operation.
Both files are updated regularly, so it’s worth setting up a systemd timer to re-do the merge from time to time.

1 Like

Good point. The libraries are pretty outdated.

But i dont agree with NoScript and Cookie AutoDelete… it improves the security, but why you think that NoScript is redundant when i use ublock?

I have a fritzbox router and have a long list added there, blocking Microsoft and Facebook servers and other trash.

Thanks for the list.

A hosts file can be quite fiddly to set up with Firefox, which uses its own DNS settings for DNS-over-HTTPS, thus bypassing the system’s DNS settings. I’m sure there are ways to do it (possibly even addons available that will make it easy), but I tried using a hosts file a few years ago & gave up in the end. It was much easier to go down the path of uBlock Origin & a few other addons to improve security. A lot depends on the security level set by the user in Firefox’s preferences.

You can simply disable DNS-over-HTTPS in the settings. I reckon the benefits of using DNS overrides outweigh the disadvantage of disabling it.

IMO conflating Potentailly Unwanted Applications from a browser add-on with “Malware from Firefox” is fallacious hyperbole

Refresh Firefox should clear the PUA files and remove add-ons but retain important user data (bookmarks,history,passwords etc)