Endpoint Protection


virus outbreak need some help


  • 1.  virus outbreak need some help

    Posted Jul 24, 2014 05:53 AM

    Hi guys,

    At the moment I have tens of infections on my LAN; SEP detects this virus and deletes it.
    I would like to know how I can track the source of this infection. Is there a way with SEPM?

    Risk name:    Trojan.Webkit!html
    Risk severity:    1
    Discovered:    10/09/2007 00:00:00
    Download site:    N/A
    Downloaded or created by:    iexplore.exe
    File or path:    AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BXU8XQOK\sh165[1].htm  
    Application:    sh165[1].htm
    Version:    
    File size:    70263
    Category set:    Malware
    Category type:    Virus
    Hash:    5BCD9A716BA1564BF21BF3FA6F55133F076F53B2B17C0177FA5A78DC2BC5C2AA
    Hash algorithm:    SHA-256
    Company:    N/A


    Risk Detection
    Date found:    07/24/2014 10:28:08
    Description:    
    Actual action:    Deleted
    Specified primary action:    Delete or remove
    Specified secondary action:    Quarantine
    Detection source:    Auto-Protect
    Risk detection method:    Signature-based Detection
    URL tracking:    On
    Source computer:    
    Event type:    Virus found
    Database insert date:    07/24/2014 10:29:45
    Event client date:    07/24/2014 10:28:08
    Permitted application reason:    Not on the permitted application list


    Risk Reputation
    First seen:    Reputation was not used in this detection.
    Reputation:    Reputation was not used in this detection.
    Prevalence:    Reputation was not used in this detection.
    Performance impact:    High
    Overall rating:    High
    Detection reason:    Antivirus engine
    Minimum sensitivity level:    N/A


    Thanks! LEVD


  • 2.  RE: virus outbreak need some help

    Posted Jul 24, 2014 06:08 AM

    I've also just created a post about this but it hasn't appeared yet - fairly sure it's a false-positive.

    https://www.virustotal.com/en/file/5bcd9a716ba1564bf21bf3fa6f55133f076f53b2b17c0177fa5a78dc2bc5c2aa/analysis/

    It's related to "AddThis utility frame" / www.addthis.com - they provide 'buttons' for other websites to use so anyone that happens to use them is getting flagged as a virus.



  • 3.  RE: virus outbreak need some help
    Best Answer

    Posted Jul 24, 2014 06:09 AM

    Hi levd,

    Many thanks for the post.  You may rest at ease; this has been confirmed to be a False Positive.  We are currently reversing the change which added detection for that file (SHA-256 5BCD9A716BA1564BF21BF3FA6F55133F076F53B2B17C0177FA5A78DC2BC5C2AA).

    I will update this thread when the rapid release definitions are available.

    With thanks and best regards,

    Mick



  • 4.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:00 AM

    We are investigating the same issue on 20 clients.

    Hash - 5BCD9A716BA1564BF21BF3FA6F55133F076F53B2B17C0177FA5A78DC2BC5C2AA

    Are there any things we can do?



  • 5.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:03 AM

    Same issue here, lots of clients reporting Trojan.Webkit!html on a file named sh165[1].htm.

    How could we resolve this?

    How do we force a virus definition update so the rapid release definitions take effect?

    Regards



  • 6.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:08 AM

    Hi yck23,

    At the moment, treat it as a known issue / not an actual outbreak.  Definitions which do not detect this file are expected to be available by Rapid Release shortly.  When those are available, I recommend deploying them.

    All the best,

    Mick



  • 7.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:09 AM

    Same here, all Windows 7 clients reporting this one.



  • 8.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:11 AM

    Thanks, Mick.



  • 9.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:15 AM

    Hi guys,

    Go to your Manager.

    Then Policies > LiveUpdate > LiveUpdate Content tab > right-click on your policy and then Edit.

    Then select the definitions you want to change, and select the version you want.



  • 10.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:16 AM

    Hi Mick,

    Is there an "official page" for this issue with all the information? Or is everything in this topic?

    Thanks



  • 11.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:19 AM

    Hi, we have this problem too with sh165[1].htm.


  • 12.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:29 AM

    We are also having the same issue. Over 100 machines have detected and deleted this file since early this morning. It initially caused a bit of concern; I was relieved to find it is a false positive.

    Keeping an eye on this post for updates.



  • 13.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:30 AM

    Same issue here, when can we expect the fix for this false positive? 



  • 14.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:36 AM

    When is this rapid release coming out?



  • 15.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:39 AM

    We also had the same issue on our corporate network.

    Thank you to the Symantec employee who posted to let us know it was a false positive. Phhheewww. A sense of panic had set in.

    Any news on whether there will be an official announcement? It would be good to see this, as I am guessing a number of companies have had this issue...


    Thanks



  • 16.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:40 AM

    Good idea to stop the false positive. But how can I find which update I have to revert to? Or, how can I relate SHA-256 5BCD9A716BA1564BF21BF3FA6F55133F076F53B2B17C0177FA5A78DC2BC5C2AA to the revision number?



  • 17.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:42 AM

    Same issue here, waiting for the update.



  • 18.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:44 AM

    We are having the same outbreak at our company.  I've had at least 10 of these already report this morning.



  • 19.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:45 AM

    Same issue here at our site as well.



  • 20.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:48 AM

    Check this

    https://www-secure.symantec.com/connect/forums/please-be-informed-current-trojanwebkithtml-false-positive



  • 21.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:48 AM

    Same issue here 20 in the last 2 hours, thanks to Mick2009 for easing the panic that had set in :-)

    Looking forward to the new def release, so my users stop pestering me.



  • 22.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:50 AM

    We also have the same issue; it affected more than 350 systems.

    Any way to track the URL from which this is affected?



  • 23.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:52 AM

    Cheers to Sumit G for spreading the word about this before I had the chance :)

    I will update this thread as well when the new defs correcting this are available, but the following is intended to be the main thread on the topic:

    Please be Informed: Current Trojan.Webkit!html False Positive
    https://www-secure.symantec.com/connect/forums/please-be-informed-current-trojanwebkithtml-false-positive

     



  • 24.  RE: virus outbreak need some help

    Posted Jul 24, 2014 08:21 AM

    What about Chrome and Firefox? There's no Hash available for these two browsers?



  • 25.  RE: virus outbreak need some help

    Posted Jul 24, 2014 08:34 AM

    BigAnvil, it's not a silly idea; it's a brilliant idea. Hope Symantec will include more useful utilities in version RU5.



  • 26.  RE: virus outbreak need some help

    Posted Jul 24, 2014 08:36 AM

    I have a silly idea - at least for the SEPM console, why not include a field in the Symantec Security Response area where the support team can send info on things like this as part of an update stream?  That way, when we log into the console to check this stuff the support team could push a message stating something like "Notice: Support is working to resolve false-positive xxxx, please see website for details".  If you can push updates about ThreatCon levels, you could push alerts like this.

    I'm guessing the first thing us admins do when we get client alerts is check the management console to see what's going on as part of the bigger picture, so why not help keep all of us more calm and updated, and save yourselves more forum posts about the same topic?

    I realize this will probably never happen but would be incredibly useful.



  • 27.  RE: virus outbreak need some help

    Posted Jul 24, 2014 08:46 AM

    Bump:  We are also noticing the false positive throughout our enterprise.

    Thanks, Mick2009, for the confirmation! :)



  • 28.  RE: virus outbreak need some help

    Posted Jul 24, 2014 08:47 AM

    Good news: Rapid Release definitions which remove this detection are now available.  Sequence 156068 (version 07/24/2014 revision 9) or higher will correct this FP.

    This article will help to deploy this protection throughout the organization:

    How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
    Article URL http://www.symantec.com/docs/TECH102607

    Or the RR defs can be applied to a single client:

    How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
    Article URL http://www.symantec.com/docs/TECH104979

    I will update this thread again when the Certified definitions (available via LiveUpdate) are released.

    Many thanks!

    Mick
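
    The first post asks how to tell which detections on the LAN belong to this file, and the sequence above is what corrects it. As an added example (not from the thread or from Symantec), the Python below parses records in the "Field:    value" layout shown in post 1 and separates detections of the confirmed false-positive SHA-256 from anything that still needs investigation; the hostnames, the third hash and the risk name "Example.Risk" in the sample are constructed.

```python
import re

# SHA-256 of sh165[1].htm, confirmed as a false positive in this thread.
KNOWN_FP_HASHES = {"5BCD9A716BA1564BF21BF3FA6F55133F076F53B2B17C0177FA5A78DC2BC5C2AA"}

# Constructed sample export in the layout of post 1 (hostnames, the third
# hash and the risk name "Example.Risk" are made up for illustration).
SAMPLE_EXPORT = """\
Risk name:    Trojan.Webkit!html
Downloaded or created by:    iexplore.exe
Hash:    5BCD9A716BA1564BF21BF3FA6F55133F076F53B2B17C0177FA5A78DC2BC5C2AA
Source computer:    WKS-0001

Risk name:    Trojan.Webkit!html
Downloaded or created by:    chrome.exe
Hash:    5bcd9a716ba1564bf21bf3fa6f55133f076f53b2b17c0177fa5a78dc2bc5c2aa
Source computer:    WKS-0002

Risk name:    Example.Risk
Downloaded or created by:    outlook.exe
Hash:    0000000000000000000000000000000000000000000000000000000000000000
Source computer:    WKS-0003
"""

# Key runs up to the first colon, so values like "07/24/2014 10:28:08" survive.
FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")

def parse_records(text):
    """Split a blank-line separated export into a list of {field: value} dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current record
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line.strip())
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        records.append(current)
    return records

def triage(records, fp_hashes=KNOWN_FP_HASHES):
    """Return (known_fps, to_investigate); hashes are compared case-insensitively."""
    fp_upper = {h.upper() for h in fp_hashes}
    known, real = [], []
    for r in records:
        (known if r.get("Hash", "").upper() in fp_upper else real).append(r)
    return known, real
```

    Only the records in the second list need an analyst's attention; the first list is the count to report back once the corrected definitions are deployed.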



  • 29.  RE: virus outbreak need some help

    Posted Jul 24, 2014 09:09 AM

    Glad to see this was a false positive this morning - thanks for the update.



  • 30.  RE: virus outbreak need some help

    Posted Jul 24, 2014 10:16 AM

    Is there an estimated time frame for when these defs will be rolled into Certified definitions?

    Thank you.

    -rickd



  • 31.  RE: virus outbreak need some help

    Posted Jul 24, 2014 10:37 AM

    Same here, multiple hits on the same "false positive".  On a hosted endpoint setup, should I push a LiveUpdate out to the clients? Or is there a way to push out the Rapid Release to those machines?



  • 32.  RE: virus outbreak need some help

    Posted Jul 24, 2014 10:42 AM

    Anyone manage to capture a copy or extract the contents of this false-positive .htm file?  I'm curious as to the code within...

    I am hesitant to change the security settings on the SEP quarantine folder to force access; don't want to risk causing future issues with SEP being able to properly quarantine files...



  • 33.  RE: virus outbreak need some help

    Posted Jul 24, 2014 10:57 AM

    We are experiencing the same issue. In two hours it detected 50 clients on our network.  Please give us an update when possible.



  • 34.  RE: virus outbreak need some help

    Posted Jul 24, 2014 11:46 AM

    We had around 150 detections on our corporate network as well. I submitted a sample to security response. So far I've seen detections in IE, Chrome, and Firefox.



  • 35.  RE: virus outbreak need some help

    Posted Jul 24, 2014 12:12 PM

    Same thing here on our network.  Thank goodness only 10 users so far.



  • 36.  RE: virus outbreak need some help

    Posted Jul 24, 2014 12:50 PM

    fantastic idea.



  • 37.  RE: virus outbreak need some help

    Posted Jul 24, 2014 12:51 PM

    We have 38 machines (so far) with this alert.  Happy to see a false-positive.



  • 38.  RE: virus outbreak need some help

    Posted Jul 24, 2014 02:24 PM

    @BigAnvil, your idea is similar to mine that I posted several months ago; we need to vote for this idea.

    https://www-secure.symantec.com/connect/ideas/display-information-about-latest-version-sepm



  • 39.  RE: virus outbreak need some help

    Posted Jul 24, 2014 03:26 PM

    Great, except version 07/24/2014 revision 9 of the defs is not available yet. YAY!!!   This has created a lot of wasted time explaining to people that this is a false positive; in addition it's causing loss of productivity.  140 clients so far.  You posted this 6 hours ago, do you not check to see if what you're recommending is available yet?  LiveUpdate is not updating yet either.



  • 40.  RE: virus outbreak need some help

    Posted Jul 24, 2014 03:28 PM

    Wow, that would be awesome.  They could port an RSS feed; how easy would that be?  Never going to happen lol.



  • 41.  RE: virus outbreak need some help

    Posted Jul 24, 2014 03:48 PM

    I can second this statement.  Please update the LiveUpdate files.



  • 42.  RE: virus outbreak need some help

    Posted Jul 24, 2014 03:52 PM

    Now it's 141 clients and counting.



  • 43.  RE: virus outbreak need some help

    Posted Jul 24, 2014 05:06 PM

    Certified Definitions 7/24/2014 rev. 17 are replicating up to LiveUpdate servers now; these also contain the correction.  These may take some time to replicate to all servers worldwide.

    Many thanks, all!

    Mick



  • 44.  RE: virus outbreak need some help

    Posted Jul 24, 2014 06:53 PM

    We've had 150 calls and over 700 systems flagged in SEPM with this virus. Can we confirm that the 7/24/2014 r17 def file will fix this false positive?



  • 45.  RE: virus outbreak need some help

    Posted Jul 24, 2014 07:02 PM

    Many thanks, Mick!!  Keep up the good work.

    cheers.

    -mark



  • 46.  RE: virus outbreak need some help

    Posted Jul 25, 2014 03:57 AM

    Hi Levd,

    Many thanks once again for your post on the subject; it proved very helpful to a lot of people yesterday.  Just wondering if there is anything still needed or if the question has now been answered?  The forum post is still marked "needs solution."

    All the best,

    Mick

    PS: I gave https://www-secure.symantec.com/connect/ideas/display-information-about-latest-version-sepm a thumbs up! :)



  • 47.  RE: virus outbreak need some help

    Posted Jul 25, 2014 05:11 AM

    Hi Mick,

    Thanks! Marked as solved!

    levd