Endpoint Protection


Please be Informed: Current Trojan.Webkit!html False Positive


  • 1.  Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 07:46 AM

    Please be aware that the definitions currently available for Symantec Endpoint Protection contain a False Positive (FP).  Treat as a "known issue" any detections of Trojan.Webkit!html for the file with the following unique hash:

    • MD5 75bd3d5707ab06ac4b53eefc41ab729f
    • SHA256 5bcd9a716ba1564bf21bf3fa6f55133f076f53b2b17c0177fa5a78dc2bc5c2aa

    This legitimate file is often named sh165[1].htm, sh165.html or similar.  Some iFrames are malicious and are rightly detected by SEP, but this particular one is in fact harmless and is not a cause for security concern.

    Symantec is currently preparing Rapid Release definitions which will remove this detection.  It is also possible to configure a SEP organization to use older definitions to avoid the detection (any set before July 23 2014 revision 22 will do), but rolling out new Rapid Release definitions is the recommended approach.

    How to Backdate Virus Definitions in Symantec Endpoint Protection Manager
    Article URL http://www.symantec.com/docs/TECH102935

    The next release of Certified definitions, available via LiveUpdate, will also include the fix.

    There is no need to open a Technical Support case about these detections.  Just subscribe to this thread; it will be updated as soon as Rapid Release definitions, and then Certified definitions, are available which remove this detection.

    With thanks and best regards,

    Mick



  • 2.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 08:36 AM

    AFAIK, SEP 12.1 clients do not locally store a few old content revisions for a painless rollback like SEP 11.0 did, hence backdating the definitions may cause clients to get the old full.zip and then high network traffic. Am I wrong?



  • 3.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 08:37 AM

    Good news- Rapid Release definitions which remove this detection are now available.  Sequence 156068 (version 07/24/2014 revision 9) or higher will correct this FP.

    This article will help to deploy this protection throughout the organization:

    How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
    Article URL http://www.symantec.com/docs/TECH102607

    Or the RR defs can be applied to a single client:

    How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
    Article URL http://www.symantec.com/docs/TECH104979

    I will update this thread again when the Certified definitions (available via LiveUpdate) are released.

    Many thanks!

    Mick



  • 4.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 08:39 AM

    Hi Beppe,

    You are correct, as far as I understand.  I really am hesitant to ever recommend backdating definitions, and not just for any subsequent increase in traffic.  As each set of new definitions includes protection against new threats, reverting to an older revision will always introduce security risk into an organization.

    All the best,

    Mick



  • 5.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:05 AM

    Great information.  Please let us know about the Certified Definitions.



  • 6.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:09 AM

    Should we release it from quarantine, or just delete it?



  • 7.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:15 AM

    Hi Team,

    Please let me know whether this Rapid Release definition is applicable to systems running Symantec Cloud.

    Thank you



  • 8.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:19 AM

    What exactly is the legitimate file for that Symantec detected as a threat?



  • 9.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:19 AM

    When can we expect v9 to be available on the Rapid Release page?  Currently it is v5.

    Thanks for keeping us up to date on this.



  • 10.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:24 AM

    The v9 file is on the FTP site.  The HTTP page hasn't been updated as of yet.

    ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/vd41f009.jdb



  • 11.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:28 AM

    Thank you for the link.  I am downloading it now.

     



  • 12.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:36 AM

    This wasn't listed in the Whatsnew.txt on the FTP site. Are you sure REV 9 Rapid Release fixes the issue?



  • 13.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:37 AM

    So the Certified def (LiveUpdate) update will resolve the issue once it's available on all clients? Hopefully it will be available by EOB.



  • 14.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:44 AM

    Thank you so much for the alert on this.  Can we get an ETA on certified defs?

    PS: doesn't Symantec push out updated proactive threat defs or "IRON Whitelist" defs to address a false positive like this?



  • 15.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:46 AM

    I'm just going to wait for the certified. Any ETA on those being published?



  • 16.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 10:05 AM

    Mick,

    I have deployed an update using a jdb file.  If I remember correctly, I ended up saturating links because clients had to pull down the full definition instead of the delta.  Would this still be a problem?

    Bob



  • 17.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 10:05 AM

    Rapid Release is all fine and lovely, but LUAs do not accept these.  When will the standard definition release include this update?



  • 18.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 10:06 AM

    Thanks for the queries, all. Certified definitions for SEP are typically released three times per day during the week.  Here is an article with more details:

    Virus Definition Update FAQ
    http://www.symantec.com/docs/TECH103326

    It is likely to be several hours until the next certified release for SEP; no exact ETA is available.

    It is equally safe to either release or delete the quarantined file in this instance. It is just a small temp .htm file that was downloaded from a website.  Visiting that website again will deliver a new file.  With the RR defs in place, it won't be detected. Sequence 156068 (version 07/24/2014 revision 9) or higher will definitely correct this FP.

    Hope this helps!

    Mick



  • 19.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 10:10 AM

    Thanks!



  • 20.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 10:20 AM

    When I run LiveUpdate I'm still getting the 7/23 r25 definitions.

    When I go to http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep all the files say they were created yesterday... Where do I get the updated definitions?

    Geoff



  • 21.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 10:21 AM

    Where can I find the hash of the file that was detected as Trojan.Webkit!html?

    I also got a notification of Trojan.Webkit!html for filename f_001751 found in C:\Users\david.patterson\AppData\Local\Google\Chrome\User Data\Default\Cache\.  Might that be related?  I don't see in the logs that this detection was submitted to Symantec for some reason, nor do I find any mention of this file in the forums.



  • 22.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 10:22 AM

    If you go to the manager and run the risks report, it'll be in the log you export.



  • 23.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 10:41 AM

    FP issue appeared this AM. Thanks for the info.



  • 24.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 10:42 AM

    Here is an article on that subject:

    How to determine the unique hash of a file detected by Symantec Endpoint Protection
    http://www.symantec.com/docs/TECH211522



  • 25.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 10:43 AM

    I applied the file vd41ee19.jdb to one of my servers and it didn't change the definition revisions.  As I stated in the previous post, this showed as being created yesterday.  Where can I get the updated one that's actually fixed?

    I got vd41ee19.jdb from http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep.  I got that site from the instructions posted on how to update manually.

    The FTP link someone posted isn't working for me.



  • 26.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 10:44 AM

    Hi Geoff,

    LiveUpdate delivers certified definitions.  Wait a couple of hours for the new certified definitions to contain this fix.  In the meantime, you can download the RR defs from the link above.

    Hope this helps!

    Mick



  • 27.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 10:45 AM

    Yup.  I just realized what I was doing and came back to post that.

    For anyone else, the RR defs are here:

    http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=rr



  • 28.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 10:48 AM

    Bob/Anyone,

    Has your concern been addressed?  I have downloaded the files but am hesitant to implement based on the size of my implementation.

    Phil



  • 29.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 11:09 AM

    What about Firefox and Chrome? After running a full scan on my own computer I received a similar detection under the Mozilla folder for my user profile AppData\Local\Mozilla\Firefox\Profiles\bs9ugfd7.default\Cache\1\BB\FF063d01 Risk Trojan.Webkit!html 



  • 30.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 11:11 AM

    I don't see those updated definitions; I found 07/23/2014.

    I did try with SEPM and it says there are no updates.

    Thanks



  • 31.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 12:20 PM

    Hi Beppe,

    As per my tests in regards to this topic, SEPM can generate deltas for rollback definitions, the same way it does delta for newer revisions.

    However, if local client's definition is corrupted, client may indeed ask for Full.zip, but this would happen even if the next definition received by client is a newer one (and not a rollback definition).



  • 32.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 12:22 PM

    subscribing to this thread..



  • 33.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 12:30 PM

    IE users have sh165[1].htm, but what about Chrome and Firefox users?  On Chrome I have a detection that the file "f_00e91d" is infected with Trojan.Webkit!html... Best regards and thanks for all of this information, Keli


  • 34.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 01:35 PM

    I did not see an answer to this, but I downloaded the JDB and imported it into my SEPM and clients pulled down delta defs without issue.  Most were only 1MB or so since 80% of my users had already pulled the 7/23 defs.



  • 35.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 02:03 PM

    In light of this event I am curious regarding the logic of SEP in sending administrative notifications. At my organization there have been over 300 risk events for this false positive, determined by running a risk query. However we only received 10 single risk event notifications. I did receive two CRITICAL: NETWORK VIRUS DETECTED alerts with a rolled up count of 97 systems.

    I am wondering why I did not have more single risk event emails triggered? Some systems are generating a notification, but if everything else is the same (source, action, virus name), why are the majority not?

    Thank you, CJ



  • 36.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 02:07 PM

    CJL2, same deal with my company. Many, many users received the desktop pop-up alerting them to the false trojan, but only a handful of them generated single risk notification emails to our admin. What's up with that?



  • 37.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 02:20 PM

    Same with my company.  We have a SIEM solution which receives syslog from SEPM.  Normally I'm not really concerned about "blocked malware" events; however, I need a way to page our on-call when we see a large number of events coming in from a large number of systems, in other words something that would indicate a widespread problem or virus outbreak.



  • 38.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 02:30 PM

    Same here,

    Please keep us posted.



  • 39.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 04:00 PM

    Same here as well. Do we have an ETA at this time, closing in on 4:00pm Eastern?

    Thanks



  • 40.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 04:23 PM

    Yes, could someone from Symantec please tell us why we are not receiving a notification email for EACH of the systems this was detected on?  I have seen this in the past where a user will call to tell us a notification popped up on their system but we never see a notification email.  

    Thanks!



  • 41.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 05:00 PM

    9 hours since this post was created and still no certified updates to fix this!  Not happy!

    I have edited the policy to specify an older definition, so hopefully that should stop more notifications as other machines are turned on this morning (now 7am here).

    Also, the same issue with notifications here.  The first I knew was some users sending me screenshots of the pop-up window they saw.  That's not the way to stay on top of a potential virus outbreak.

    Will be making strong recommendations (again) to my employer that we change AV platform!

    Nathan



  • 42.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 05:04 PM

    Certified Definitions 7/24/2014 rev. 17 are replicating up to LiveUpdate servers now- these also contain the correction.  These may take some time to replicate to all servers worldwide.

    Many thanks, all!

    Mick



  • 43.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 07:58 PM

    I can confirm that "Certified Definitions 7/24/2014 rev. 17" no longer detects the false positive.



  • 44.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 25, 2014 03:07 AM

    Hi,

     

    I would recommend you check your notification configuration, and more specifically the Damper value, which is likely the parameter that makes you not receive a notification email for each single infection:

    The damper period specifies the time that must pass before the notification condition is checked for new data. When a notification condition has a damper period, the notification is only issued on the first occurrence of the trigger condition within that period. For example, suppose a large-scale virus attack occurs, and that there is a notification condition configured to send an email whenever viruses infect five computers on the network. If you set a one hour damper period for that notification condition, the server sends only one notification email each hour during the attack.

    Source: http://www.symantec.com/docs/HOWTO55051

    NOTE: If Damper is set to Auto, it actually means 1 hour (http://www.symantec.com/docs/TECH96877)

    Hope this helps.
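The damper behaviour quoted above (post 44) explains the 306-events-to-14-emails ratio asked about in posts 35, 36 and 49, and post 37 asks for a SIEM rule that pages on the number of distinct hosts rather than on every event. The following script is an added example, not Symantec's code and not part of the original thread: it replays a constructed set of risk events (not a real SEPM export; the timestamps, hostnames and 3-minute spacing are invented) through a model of the documented damper rule, then through a hypothetical distinct-host outbreak rule of the kind post 37 describes. The two functions are my own illustration of the logic; they do not reproduce SEPM's or any particular SIEM's internals.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Convenience constants so callers can express windows without importing timedelta.
ONE_HOUR = timedelta(hours=1)
HALF_HOUR = timedelta(minutes=30)
NO_DAMPER = timedelta(0)


@dataclass(frozen=True)
class RiskEvent:
    ts: datetime   # time the client reported the detection
    host: str      # client hostname
    risk: str      # risk name as shown by SEP


def build_sample_events() -> List[RiskEvent]:
    """Constructed sample data (NOT a real SEPM export): 60 detections of the
    same risk from 20 workstations, one every 3 minutes starting 08:00."""
    base = datetime(2014, 7, 24, 8, 0)
    return [
        RiskEvent(base + timedelta(minutes=3 * i), f"ws{i % 20:02d}", "Trojan.Webkit!html")
        for i in range(60)
    ]


def dampened_notifications(events: List[RiskEvent], damper: timedelta) -> List[RiskEvent]:
    """Model of the damper period described in HOWTO55051: the first matching
    event fires a notification, then further events are ignored until `damper`
    has elapsed since the last notification."""
    fired: List[RiskEvent] = []
    last_fire = None
    for ev in sorted(events, key=lambda e: e.ts):
        if last_fire is None or ev.ts - last_fire >= damper:
            fired.append(ev)
            last_fire = ev.ts
    return fired


def outbreak_alerts(events: List[RiskEvent], window: timedelta,
                    min_hosts: int) -> List[Tuple[datetime, int]]:
    """Hypothetical SIEM rule (assumption, not a vendor feature): page when at
    least `min_hosts` DISTINCT hosts report the risk inside a sliding window.
    After paging, re-arm only once a full window has passed, so a sustained
    outbreak pages at most once per window instead of once per event."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts: List[Tuple[datetime, int]] = []
    last_alert = None
    for idx, ev in enumerate(ordered):
        # Hosts seen in (ev.ts - window, ev.ts]; one host with many hits counts once.
        recent = {e.host for e in ordered[: idx + 1] if ev.ts - e.ts < window}
        if len(recent) >= min_hosts and (last_alert is None or ev.ts - last_alert >= window):
            alerts.append((ev.ts, len(recent)))
            last_alert = ev.ts
    return alerts


if __name__ == "__main__":
    evs = build_sample_events()
    print(f"{len(evs)} events, {len({e.host for e in evs})} hosts")
    print("notifications with 1h damper:", len(dampened_notifications(evs, ONE_HOUR)))
    print("notifications with no damper:", len(dampened_notifications(evs, NO_DAMPER)))
    for ts, n in outbreak_alerts(evs, HALF_HOUR, 10):
        print(f"page on-call: {n} distinct hosts by {ts:%H:%M}")
```

With the constructed data, a one-hour damper turns 60 detections into 3 emails, which is the same shape of under-reporting the thread describes; the outbreak rule, by contrast, pages as soon as 10 distinct hosts are hit and then at most once per half hour, which is the property post 37 is after. Setting the damper to 0 in the model shows the other extreme: one email per event.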



  • 45.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 25, 2014 03:19 AM

    Hi Keli,

     

    For Chrome and Firefox, names will be random (due to the way these browsers manage their cache). As far as I saw, format would be similar to the following:

       - Chrome => C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_XXXXXX

       - Firefox => C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\XXXXXXXX.default\Cache\X\XX\XXXXXXXX

     



  • 46.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 25, 2014 06:52 AM

    Good Morning,

    Any update on this?



  • 47.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 25, 2014 06:58 AM

    Hi Derp,

    The issue was resolved yesterday evening, per the post above.  Just run LiveUpdate for the latest certified definitions.  :)

    All the best,

    Mick

     



  • 48.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 25, 2014 08:50 AM

    Thanks for the follow up Mick!

    Much appreciated.



  • 49.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 25, 2014 08:52 AM

    Mick2009

    Per some of the threads above, can you comment on the inconsistency in how the SEPM initiated administrative notifications? I received 14 Single Risk Event notifications for 306 events. I have to explain this to my IT Director because it did not go unnoticed.

    CJ



  • 50.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 25, 2014 09:24 AM

    Hi CJ,

    Did you have a look at my comment above?

    "I would recommend you check your notification configuration, and more specifically the Damper value, which is likely the parameter that makes you not receive a notification email for each single infection:

    The damper period specifies the time that must pass before the notification condition is checked for new data. When a notification condition has a damper period, the notification is only issued on the first occurrence of the trigger condition within that period. For example, suppose a large-scale virus attack occurs, and that there is a notification condition configured to send an email whenever viruses infect five computers on the network. If you set a one hour damper period for that notification condition, the server sends only one notification email each hour during the attack.

    Source: http://www.symantec.com/docs/HOWTO55051"



  • 51.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 25, 2014 10:04 AM

    Many thanks, CJ!

    Definitely ensure that you are running the latest release of SEP and SEPM, too; there were some known issues with notifications that have now been corrected.

    All the best,

    Mick



  • 52.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 25, 2014 10:50 AM

    Mick, we have received rev 35 this morning. Do you confirm that it has the fix for the FP?

    Thanks,

    Nav



  • 53.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 25, 2014 11:12 AM

    Hi @Nav,

    As listed above, this is absolutely fixed with the definitions mentioned.  Any set of defs higher than 7/24/2014 rev. 17 contains the fix.  These are now available by running LiveUpdate.

    All the best,

    Mick



  • 54.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 25, 2014 11:19 AM

    Thanks John for the information. Best regards, Keli


  • 55.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 28, 2014 02:41 PM

    I do not concur with respect to its being absolutely fixed. As of 9:03AM PST, running defs 07/28/2014 r3, I received:

    At least one security risk found:
    Risk name: Trojan.Webkit!html

    So, if what you say is true, I have a real issue on hand, or not?

    .-=rww=-.



  • 56.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 28, 2014 09:07 PM

    I do not agree as well that the problem is resolved.   I am the SEPM admin and we have had 17 machines receive this risk in the last 24 hours.   Our AV defs are updated every four hours.

    So, what does this mean? Do I have a problem or not?



  • 57.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 28, 2014 09:32 PM

    This was corrected so you need to follow up and this is likely not a false positive. I can confirm the issue has been corrected in my environment.




  • 59.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 29, 2014 02:11 AM

    Hi .-=rww=-. and PCLAB,

    Like .Brian said... yours are likely legitimate detections of Trojan.Webkit!html.  This False Positive was for one file:

    • SHA256 5bcd9a716ba1564bf21bf3fa6f55133f076f53b2b17c0177fa5a78dc2bc5c2aa

    It was not a removal of the Trojan.Webkit!html detection as a whole.

    I recommend checking what hash was detected in your instances.

    How to determine the unique hash of a file detected by Symantec Endpoint Protection
    http://www.symantec.com/docs/TECH211522

    More information is in the thread above.

    All the best,

    Mick

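Post 1 gives the MD5 and SHA-256 of the single file covered by the FP, and post 59 tells admins still seeing Trojan.Webkit!html after the fix to check which hash was actually detected. TECH211522 covers reading the hash out of SEP's own logs; when you have the quarantined or browser-cache file itself, the script below does the comparison. It is an added example, not Symantec's tool and not code from the thread. The hashes are copied from post 1; the sample HTML written to a temp file in `demo_roundtrip()` is constructed and deliberately does not match them. The script requires both digests to match before calling something the known FP, because MD5 on its own is not collision-resistant and a lone MD5 hit is a reason to look harder, not to release from quarantine.

```python
import hashlib
import os
import tempfile
from typing import Dict

# Hashes quoted in the original post for the one file covered by the FP.
KNOWN_FP: Dict[str, str] = {
    "md5": "75bd3d5707ab06ac4b53eefc41ab729f",
    "sha256": "5bcd9a716ba1564bf21bf3fa6f55133f076f53b2b17c0177fa5a78dc2bc5c2aa",
}

CHUNK = 1 << 16  # read files in 64 KiB pieces


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-256 of an in-memory buffer as lower-case hex, keyed like KNOWN_FP."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> Dict[str, str]:
    """Same digests for a file on disk, streamed so a large quarantine item is
    never loaded into memory in one piece."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def classify(digests: Dict[str, str], known_fp: Dict[str, str] = KNOWN_FP) -> str:
    """'known-fp' only when BOTH digests match the advisory; 'partial-match' when
    exactly one does (treat as suspicious, not as the FP); otherwise 'investigate',
    i.e. this is not the file the FP notice covers and the detection may be real."""
    md5_hit = digests["md5"].lower() == known_fp["md5"]
    sha_hit = digests["sha256"].lower() == known_fp["sha256"]
    if md5_hit and sha_hit:
        return "known-fp"
    if md5_hit or sha_hit:
        return "partial-match"
    return "investigate"


def demo_roundtrip() -> bool:
    """Write a constructed HTML snippet (invented, not the real sh165 file) to a
    temp file and check that the streaming and in-memory hashers agree."""
    sample = b"<html><body><iframe src='about:blank'></iframe></body></html>\n"
    fd, path = tempfile.mkstemp(suffix=".htm")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(sample)
        return hash_file(path) == hash_bytes(sample)
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    # Usage: python check_fp.py <file> [<file> ...]
    for arg in sys.argv[1:]:
        print(arg, classify(hash_file(arg)))
```

Run it against the items SEP quarantined (or the Chrome `f_XXXXXX` / Firefox cache entries named in post 45); anything that comes back `investigate` is outside the scope of this FP notice and should be handled as a normal Trojan.Webkit!html detection, which is the point post 59 makes.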


  • 60.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 29, 2014 09:29 AM

    We received a critical network virus detected message this morning.  However, the date the risk was detected is from the 24th.  Can anyone tell me why we did not get this notification last Thursday?

    Thanks!



  • 61.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 29, 2014 09:31 AM

    Did the machine just come back on the network after being  off for awhile?



  • 62.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 29, 2014 09:34 AM

    No, these are desktops that have been on the network.



  • 63.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 29, 2014 09:53 AM

    SEPM ver and type of DB?



  • 64.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 29, 2014 10:08 AM

    Server 2008 R2 Enterprise

    Symantec EPP 12.1.4023.4080

    SQL Server 2005 SP4 RTM