Endpoint Protection


wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

  • 1.  wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 04:33 AM

    wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    TROJAN.GEN.NP2 Cleaned by deletion on 5 computers, all with Windows 8.1 Enterprise

     

    Until now I don't have alerts from Windows 7 or Windows 10 computers

     

    C:\Windows\WinSxS\x86_netfx4-wpfgfx_b03f5f7f11d50a3a_4.0.9664.17161_none_aadf6268cce74b6f\wpfgfx_v0400.dll   

     

    and

     

    C:\Windows\WinSxS\x86_microsoft-windows-ucrt_31bf3856ad364e35_6.3.9600.18817_none_40af860e34de2c39\ucrtbase.dll



  • 2.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 05:21 AM

    Hi team,

     

    I have got a similar alert for name: Trojan.Gen.NPE.2, Occurrences: 1, C:\Windows\WinSxS\x86_netfx4-wpfgfx_b03f5f7f11d50a3a_4.0.9664.17161_none_aadf6268cce74b6f\wpfgfx_v0400.dll, on Windows Server 2012.

    Can you confirm on the same?

     

    Thanks and Regards.

     

    kanakaraj.



  • 3.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 07:03 AM
    Submit to symc via their false positive form and get a case opened up.


  • 4.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 07:28 AM

    We have also seen the same detection this morning shortly after applying Microsoft patches from this month.



  • 5.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 07:46 AM

    Hi cly73ro,

    Thanks for the post. Can you add the hashes of the files detected? Files can be named just about anything, but the hash is a unique, distinct identifier.

    This article has details on how to submit suspected False Positives to Security Response:

    Submit false positives detected by Endpoint Protection
    http://www.symantec.com/docs/TECH98360

     



  • 6.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 08:23 AM

    We are also seeing this issue shortly after MS Patching with the July Patch Tuesday release and subsequent revisions.

     

    File hashes we saw:
    CFD96B9AA93E4FD1923E3D6AA448DB4FE2F29F71B8C22CB961A1D192903195B3 wpfgfx_v0400.dll
    and

    1FBFD1970DC50C4F5DDD700CDE8DAEE25B3B03EA901E8E550E85C00ACAE973D2 ntoskrnl.exe



  • 7.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 08:34 AM

    I have 18, all Windows 8.1 Pro.  

    File: c:\windows\winsxs\x86_netfx4-wpfgfx_b03f5f7f11d50a3a_4.0.9664.17161_none_aadf6268cce74b6f\wpfgfx_v0400.dll

    SHA-256: CFD96B9AA93E4FD1923E3D6AA448DB4FE2F29F71B8C22CB961A1D192903195B3

    Virus total shows only one other company is flagging it.



  • 8.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 08:46 AM

    Cheers, Thermite!

    I can confirm that both of those hashes are known False Positives.  You're not infected.

    The detection on "wpfgfx_v0400.dll" (MD5 A41C4679A2702937E581C508E58D6CB8 / 
    SHA256 CFD96B9AA93E4FD1923E3D6AA448DB4FE2F29F71B8C22CB961A1D192903195B3) has been corrected in Rapid Release sequence 194619.  Those are available now: this article will help to deploy this protection throughout the organization:

    Download .jdb files to update definitions for Endpoint Protection Manager
    http://www.symantec.com/docs/TECH102607
     
    The detection on the ntoskrnl.exe file (MD5 05A00B30EE6C616B97D190D6B33E6029
    SHA256 1FBFD1970DC50C4F5DDD700CDE8DAEE25B3B03EA901E8E550E85C00ACAE973D2) is also a FP.  RR definitions to correct that will be released shortly.
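    Since the thread keys everything on the SHA-256 of the detected file, here is an added example (not from the thread or from Symantec) that hashes the two WinSxS paths reported above and checks them against the hashes the posts confirm as false positives. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated session on the affected host.

```powershell
# Added example, not part of the original thread.
# SHA-256 values and paths are copied from the posts above; the ntoskrnl.exe
# hash is included in the table without a path because the thread gives none.
$KnownFalsePositives = @{
    'CFD96B9AA93E4FD1923E3D6AA448DB4FE2F29F71B8C22CB961A1D192903195B3' = 'wpfgfx_v0400.dll (corrected in Rapid Release sequence 194619)'
    '1FBFD1970DC50C4F5DDD700CDE8DAEE25B3B03EA901E8E550E85C00ACAE973D2' = 'ntoskrnl.exe (corrected in Rapid Release sequence 194622)'
    'DA1AFA71DC04E6491AD84DFB914E31611E993CDF281466149DEAA054D6546CAA' = 'ucrtbase.dll (confirmed FP later in this thread)'
}

# Paths as reported in the thread; add any further paths from your SEP risk log.
$Paths = @(
    'C:\Windows\WinSxS\x86_netfx4-wpfgfx_b03f5f7f11d50a3a_4.0.9664.17161_none_aadf6268cce74b6f\wpfgfx_v0400.dll',
    'C:\Windows\WinSxS\x86_microsoft-windows-ucrt_31bf3856ad364e35_6.3.9600.18817_none_40af860e34de2c39\ucrtbase.dll'
)

function Test-KnownFalsePositive {
    param([string[]]$FilePath, [hashtable]$Catalog)
    foreach ($Path in $FilePath) {
        # "Cleaned by deletion" or quarantine leaves the file absent: report it instead of erroring out.
        if (-not (Test-Path -LiteralPath $Path)) {
            [pscustomobject]@{ Status = 'MISSING'; Hash = ''; Path = $Path; Note = 'deleted or quarantined; restore from quarantine after updating definitions' }
            continue
        }
        $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()
        if ($Catalog.ContainsKey($Hash)) {
            [pscustomobject]@{ Status = 'KNOWN-FP'; Hash = $Hash; Path = $Path; Note = $Catalog[$Hash] }
        } else {
            # A different hash is not covered by this thread: submit it via TECH98360 rather than assuming it is clean.
            [pscustomobject]@{ Status = 'UNKNOWN'; Hash = $Hash; Path = $Path; Note = 'hash not in this thread; submit for analysis' }
        }
    }
}

Test-KnownFalsePositive -FilePath $Paths -Catalog $KnownFalsePositives | Format-Table -AutoSize
```

    A KNOWN-FP row means the file on disk is byte-identical to the one Security Response reviewed; a MISSING row means SEP already removed it and you will need the quarantine restore step discussed later in the thread.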


  • 9.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 09:00 AM

    Thanks Mick!

    Is there any way Symantec would alert us on things like this in future instead of us having to go out searching?

     

     



  • 10.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 09:07 AM
    C:\Windows\WinSxS\x86_netfx4-wpfgfx_b03f5f7f11d50a3a_4.0.9664.17161_none_aadf6268cce74b6f\wpfgfx_v0400.dll

    SHA-256
    CFD96B9AA93E4FD1923E3D6AA448DB4FE2F29F71B8C22CB961A1D192903195B3

     

    and
    C:\Windows\WinSxS\x86_microsoft-windows-ucrt_31bf3856ad364e35_6.3.9600.18817_none_40af860e34de2c39\ucrtbase.dll
    SHA-256
    DA1AFA71DC04E6491AD84DFB914E31611E993CDF281466149DEAA054D6546CAA


  • 11.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 10:35 AM

    Being Reported as Trojan.Gen.NPE.2

    File: ucrtbase.dll

    File: C:\Windows\WinSxS\x86_microsoft-windows-ucrt_31bf3856ad364e35_6.3.9600.18817_none_40af860e34de2c39\

    Hash: DA1AFA71DC04E6491AD84DFB914E31611E993CDF281466149DEAA054D6546CAA

     



  • 12.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates
    Best Answer

    Posted Jul 25, 2018 10:42 AM

    Good news- the detection on ntoskrnl.exe (SHA256 1FBFD1970DC50C4F5DDD700CDE8DAEE25B3B03EA901E8E550E85C00ACAE973D2) is removed in Rapid Release sequence 194622 (version 07/25/2018 revision 7), which are available now from ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/

     



  • 13.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 10:45 AM

    Hi DBH-NetAdmin,

    This, as well, is a FP rather than an infection.  Download and apply the .jdb for Rapid Release sequence 194622 (version 07/25/2018 revision 7).  (Full instructions can be found in the thread, above.)  



  • 14.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 10:49 AM

    Good to hear and thanks for the update. I had the same issue this morning.



  • 15.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 12:19 PM

    Same here: 

    Risk: Trojan.Gen.NPE.2

    File: C:\Windows\WinSxS\x86_netfx4-wpfgfx_b03f5f7f11d50a3a_4.0.9664.17161_none_aadf6268cce74b6f\wpfgfx_v0400.dll

    Hash: CFD96B9AA93E4FD1923E3D6AA448DB4FE2F29F71B8C22CB961A1D192903195B3



  • 16.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 25, 2018 02:29 PM

    Had the same issue, wpfgfx_v0400.dll was picked up as Trojan.Gen.NPE.2 on my 2012 servers and put into Quarantine on all boxes. I loaded the .jdb file on the SEM Server, but the file is still in Quarantine on the individual servers... should I 'restore' the file from the local Symantec Client on the servers?

     



  • 17.  RE: wpfgfx_v0400.dll false positive with SEP 14.2.760 24.07.2018 defs Win8.1 July updates

    Posted Jul 29, 2018 04:50 PM

    I am sure loads of people are impacted by this. 

    I have asked this before with no answer: what is the impact of deleting ntoskrnl.exe from the C:\Windows\WinSxS folder?

    And how do you restore it back to its original location? I am able to restore the file as elevated admin, but not to its original location (Access Denied).