As per the title, I get this thrown up in MS Defender every time a backup starts:
Detected: HackTool:Win32/ProductKey
file: Device\HarddiskVolumeShadowCopy7\AppsPortable\Opera\profile\data\Default\Cache\Cache_Data\f_00020a
- It’s a Windows 11 PC.
- I downloaded Nirsoft’s Product Key utility which shows as a false positive.
- I had it in a folder which is excluded from UrBackup.
- However, it appears that it was also cached when downloading in Opera Browser.
- The cache has been cleared and cache file “f_00020a” shown in the message above no longer exists, and hasn’t for a month now.
It appears that every time UrBackup makes a shadow copy, the problem occurs. I have been unable to stop this:
- I’ve listed all volume shadow copies in PowerShell and the one listed doesn’t exist.
- I’ve removed all shadow copies from the volume.
- The Shadowcopy number (7 in the example above) changes each time the backup is running and anti-virus reports it.
- Where is this “f_00020a” file living? It’s not on the drive anymore and I’ve cleared all shadow copies. However, UrBackup clearly makes its own copy temporarily, but I don’t know why it’s showing a file that doesn’t exist.