Endpoint Protection


Bloodhound.Flash.6

  • 1.  Bloodhound.Flash.6

    Posted Aug 09, 2011 09:18 PM

    I know that this is not a forum for posting problems with risks, but since this morning several of my SEP clients have presented infection alerts with a Bloodhound.Flash.6 risk when they go to Twitter, and the "infected" file is located in

    C:\Documents and Settings\ctovar\Local Settings\Temporary Internet Files\Content.IE5\LJ8U8X9T\PhotoHelper[1].swf

    Apparently this problem only occurs with SEP 11.x and 12.1; that's why I'm using this forum.

    Does anyone know anything about it?



  • 2.  RE: Bloodhound.Flash.6

    Posted Aug 09, 2011 10:01 PM

    It's a heuristic detection used by SEP to detect threats. Perhaps they are clicking on malicious links within twitter and SEP is blocking this type of infection attempt.

    This is a very similar one:

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-050208-1645-99



  • 3.  RE: Bloodhound.Flash.6

    Posted Aug 09, 2011 10:01 PM

    You came to the right place.

    Any threat labelled as Bloodhound is detected using the heuristic scanning engine by Symantec.

    Details of the threat can be found here:

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-050208-1645-99

    It explains that it could be a variant of Bloodhound.Oleswf, which can be found here:

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-040110-3607-99

    If you could submit the sample, you might get a better solution. You may also have set the Bloodhound level to high. Do all Twitter users experience this, or is it limited to a few who could be following users that post infected Flash objects/hyperlinks?



  • 4.  RE: Bloodhound.Flash.6

    Posted Aug 09, 2011 10:50 PM

    Today I have received 22 quarantined alerts, all relating to PhotoHelper[1].swf.



  • 5.  RE: Bloodhound.Flash.6

    Posted Aug 09, 2011 10:59 PM

    Well, I think that this is something different from the information you gave me.

    I think this is new (today or yesterday maybe), and on Twitter there are more users with the same problem.

    When users go to Twitter, a pop-up displays a message that says something like "Share an image on Twitter"; after that the risk warning is displayed in the SEP clients.



  • 6.  RE: Bloodhound.Flash.6

    Posted Aug 09, 2011 11:01 PM

    I got one today, apparently after I clicked "okay" in Twitter's new application when you log in - about photos that can be taken directly from your webcam and uploaded to Twitter. Now it keeps prompting "PhotoHelper[1][1]" detected by Bloodhound.



  • 7.  RE: Bloodhound.Flash.6

    Posted Aug 10, 2011 01:39 AM

    This is happening to me as well, but not in SEP; it's occurring in Symantec Antivirus 10.



  • 8.  RE: Bloodhound.Flash.6

    Posted Aug 10, 2011 02:59 AM

    We have the same problem as well, Symantec version 10.1.6.6000.



  • 9.  RE: Bloodhound.Flash.6

    Posted Aug 10, 2011 05:11 AM

    Source URL for me was http://twitter.com/phoenix/flash/PhotoHelper.swf for all infected machines.

    Defs 09 August r37 do not flag this as malware, so it looks like a false positive.



  • 10.  RE: Bloodhound.Flash.6

    Posted Aug 10, 2011 06:28 AM

    The definitions currently available have been updated to remove a FP with Bloodhound.Flash.6.

    Please ensure that all SEP and SAV clients have the latest definitions!

    Thanks and best regards,

    Mick



  • 11.  RE: Bloodhound.Flash.6

    Posted Aug 10, 2011 11:12 AM

    Which definition rev. number and later fixes the FP?



  • 12.  RE: Bloodhound.Flash.6

    Posted Aug 10, 2011 11:21 AM

    Hi Mick,

    Was it really a false positive? Because Symantec yesterday published it as a trojan (low).

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-081008-1315-99



  • 13.  RE: Bloodhound.Flash.6
    Best Answer

    Posted Aug 10, 2011 11:41 AM

    Hi Iug & all,

    Bloodhound.Flash.6 is a valid new detection. It will stop threats which exploit vulnerabilities in Flash.

    Rapid Release definitions version 20110808 rev.040 (Sequence: 125876) or above will fix the False Positive that was identified with this new Bloodhound.Flash.6.

    Please definitely do update to the latest available definitions, and contact Symantec if your product is detecting a .swf file that you believe to be safe.

    Thanks again,

    Mick
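    The thread reports definition versions in several spellings ("20110808 rev.040", "09-Aug-2011r37", "09 August r37"), which makes it easy to misjudge whether a client is above the fix level. The following script is an added example, not code from the thread or from Symantec: it normalises those strings and reports which hosts still need updating, assuming the fix threshold quoted above (date 2011-08-08, rev 40) and that a missing year means 2011.

```python
import re
from datetime import date
from typing import Dict, List, NamedTuple


class DefVersion(NamedTuple):
    """A definition set: release date, then revision. Tuple order makes >= work."""
    released: date
    rev: int


# Rapid Release defs that remove the PhotoHelper.swf false positive (from the thread).
# The sequence number (125876) is the more exact key, but the thread only gives it for
# the fix, so clients are compared on date + revision as the posts report them.
FP_FIX_VERSION = DefVersion(date(2011, 8, 8), 40)

_MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], 1)}

# Formats seen in the thread: "20110808 rev.040", "09-Aug-2011r37", "09 August r37".
_COMPACT = re.compile(r"^(\d{4})(\d{2})(\d{2})\s*rev\.?\s*(\d+)$", re.I)
_DMY = re.compile(r"^(\d{1,2})[-\s]([a-z]+)[-\s](\d{4})\s*r(?:ev\.?)?\s*(\d+)$", re.I)
_DM = re.compile(r"^(\d{1,2})[-\s]([a-z]+)\s*r(?:ev\.?)?\s*(\d+)$", re.I)


def parse_def_version(text: str, assume_year: int = 2011) -> DefVersion:
    """Normalise a reported definition-version string into a comparable DefVersion."""
    s = text.strip()
    if m := _COMPACT.match(s):
        y, mo, d, r = m.groups()
        return DefVersion(date(int(y), int(mo), int(d)), int(r))
    if m := _DMY.match(s):
        d, mon, y, r = m.groups()
        return DefVersion(date(int(y), _MONTHS[mon[:3].lower()], int(d)), int(r))
    if m := _DM.match(s):  # year omitted, as in "09 August r37" (assumption: 2011)
        d, mon, r = m.groups()
        return DefVersion(date(assume_year, _MONTHS[mon[:3].lower()], int(d)), int(r))
    raise ValueError(f"unrecognised definition version: {text!r}")


def has_fp_fix(version_text: str) -> bool:
    """True when the client's defs are at or above the version that dropped the FP."""
    return parse_def_version(version_text) >= FP_FIX_VERSION


def clients_needing_update(report: Dict[str, str]) -> List[str]:
    """Given {hostname: reported definition version}, list hosts still below the fix."""
    return sorted(host for host, ver in report.items() if not has_fp_fix(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not data from the thread.
    sample = {"ws01": "20110808 rev.040", "ws02": "20110807 rev.012", "ws03": "09 August r37"}
    print("still need definition update:", clients_needing_update(sample))
```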



  • 14.  RE: Bloodhound.Flash.6

    Posted Aug 10, 2011 01:14 PM

    Pop-up

    Well, I think that this is something different from the information you gave me.

    I think this is new (today or yesterday maybe), and on Twitter there are more users with the same problem.

    When users go to Twitter, a pop-up displays a message that says something like "Share an image on Twitter"; after that the risk warning is displayed in the SEP clients.


    That is exactly what happened to me yesterday, Tuesday Aug 9, 2011, when I logged into my Twitter account. Figured I would give Twitter a couple of days to get it off of their server before I go back.



  • 15.  RE: Bloodhound.Flash.6

    Posted Aug 10, 2011 08:22 PM

    Tried logging on to Twitter. SEP defs are at 09-Aug-2011r37. No alerts.



  • 16.  RE: Bloodhound.Flash.6

    Posted Aug 11, 2011 03:43 AM

    http://www.youtube.com/?gl=GB&hl=en-GB now flags up bloodhound.flash.7 - almost certainly another false positive!



  • 17.  RE: Bloodhound.Flash.6

    Posted Aug 11, 2011 05:39 AM

    Many thanks for the continued feedback. Please do use the following portal for non-emergency false positives: https://submit.symantec.com/false_positive

    The following article has additional details:

    Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe
    Article: TECH98360
    Article URL http://www.symantec.com/docs/TECH98360

    Thanks again!

    Mick