Endpoint Protection

  • 1.  Potential false-positive cropping up at various sites - sh165[1].htm - Trojan.Webkit!html

    Posted Jul 24, 2014 05:56 AM

    Per the subject, I've had about 5 reports this morning from various different sites and companies (that aren't related except for all using SEP12) of a blocked attack. The filename is always sh165[1].htm and in Temporary Internet Files.

    I figured it's being served up as an advert as one person that received the notification only had one webpage open (a Radio Player) at the time. The contents of the file don't look particularly dodgy (but what do I know) - but it's related to "AddThis utility frame" / "www.addthis.com"

    I've uploaded the file to www.virustotal.com to see if it was getting any other hits but it looks like it's just Symantec at the moment. https://www.virustotal.com/en/file/5bcd9a716ba1564bf21bf3fa6f55133f076f53b2b17c0177fa5a78dc2bc5c2aa/analysis/

    Again, I'm not saying this is definitely a false-positive but it could be and if I've got 10 reports of it this morning, I'm sure other people using SEP are getting panicked calls too.



  • 2.  RE: Potential false-positive cropping up at various sites - sh165[1].htm - Trojan.Webkit!html



  • 3.  RE: Potential false-positive cropping up at various sites - sh165[1].htm - Trojan.Webkit!html

    Posted Jul 24, 2014 12:37 PM

    Known issue, will be fixed in next certified def set

    https://www-secure.symantec.com/connect/forums/please-be-informed-current-trojanwebkithtml-false-positive



  • 4.  RE: Potential false-positive cropping up at various sites - sh165[1].htm - Trojan.Webkit!html

    Posted Jul 24, 2014 12:42 PM

    Aye, I posted this before any other threads had popped up but it took forever to appear on the forum. Cheers anyway.



  • 5.  RE: Potential false-positive cropping up at various sites - sh165[1].htm - Trojan.Webkit!html

    Posted Jul 24, 2014 05:07 PM

    Certified Definitions 7/24/2014 rev. 17 are replicating up to LiveUpdate servers now. These also contain the correction. These may take some time to replicate to all servers worldwide.

    Many thanks, all!

    Mick