I have some clients with the same issue as below:
Sophos Endpoint detect files under the folder named cache2/entries of Thunderbird (mail client) as malware, here is one of them:
Almost every day Sophos reports that the files in the cache2/entries folder are malware even though they have been deleted.
Is this an incorrect detection? How do I get it fixed? Thanks
Thank you for reaching out to the Sophos Community.
From the behavior you’re describing, it sounds like the mail application has cached part of an email that was received previously. The cached information is then being scanned by Sophos and getting picked up as potentially malicious.
Do you know if the detections correspond with any specific navigation/re-loading of old inbox items through the mail client?
One thing I discovered is that when I search for or install any extensions/themes in Thunderbird, Sophos Endpoint detects malware. I also tried going to Firefox to search for or install extensions/themes, and everything was fine. Both products are from Mozilla.
I’m using Thunderbird version 91.2.0 (64-bit). Can you help test it?
Using virustotal.com to scan the file that Sophos Endpoint detects as malware, the result from that site is "No security vendors flagged this file as malicious".
I recommend submitting the detected file through our sample submission portal. You’ll need to include the "detection Id" that comes up when the file is detected as well. The detection ID can be supplied in the "Why do you want to send this sample" field. - support.sophos.com/.../filesubmission