
Please be Informed: Current Trojan.Webkit!html False Positive


  • 1.  Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 07:46 AM

    Please be aware that the definitions currently available for Symantec Endpoint Protection contain a False Positive (FP).  Treat as a "known issue" any detections of Trojan.Webkit!html for the file with the following unique hash:

    • MD5 75bd3d5707ab06ac4b53eefc41ab729f
    • SHA256 5bcd9a716ba1564bf21bf3fa6f55133f076f53b2b17c0177fa5a78dc2bc5c2aa

    This legitimate file is often named sh165[1].htm, sh165.html or similar.  Some iFrames are malicious and are rightly detected by SEP, but this particular one is in fact harmless and is not a cause for security concern.

    Symantec is currently preparing Rapid Release definitions which will remove this detection.  It is also possible to configure a SEP organization to use older definitions to avoid the detection (any set before July 23 2014 revision 22 will do), but rolling out new Rapid Release definitions is the recommended approach.

    How to Backdate Virus Definitions in Symantec Endpoint Protection Manager
    Article URL http://www.symantec.com/docs/TECH102935

    The next release of Certified definitions, available via LiveUpdate, will also include the fix.

    There is no need to open a Technical Support case about these detections.  Just subscribe to this thread - it will be updated as soon as Rapid Release definitions and then Certified definitions are available which remove this detection.

    With thanks and best regards,

    Mick
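Before releasing a quarantined item on the strength of this notice, the file should be confirmed to be the exact item described above. The following is an added example (not Symantec's code and not part of the original post) that hashes a file with both algorithms and treats it as the known false positive only when both digests match the pair published above; a match on MD5 alone is deliberately not accepted, since MD5 is not collision resistant.

```python
import hashlib
import sys

# Hash pair published in the post above for the benign file (sh165[1].htm / sh165.html).
KNOWN_FP_HASHES = {
    "md5": "75bd3d5707ab06ac4b53eefc41ab729f",
    "sha256": "5bcd9a716ba1564bf21bf3fa6f55133f076f53b2b17c0177fa5a78dc2bc5c2aa",
}


def hash_bytes(data: bytes) -> tuple[str, str]:
    """Return (md5, sha256) lowercase hex digests of an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk_size: int = 1 << 20) -> tuple[str, str]:
    """Return (md5, sha256) hex digests, streaming so large quarantine items fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hashes_match_known_fp(md5_hex: str, sha256_hex: str, known: dict = KNOWN_FP_HASHES) -> bool:
    """True only when BOTH digests equal the published pair (hex case is ignored).

    A single-hash match is not sufficient evidence that a quarantined item is
    the benign file, so an MD5-only match returns False.
    """
    return md5_hex.lower() == known["md5"] and sha256_hex.lower() == known["sha256"]


def is_known_false_positive(path: str, known: dict = KNOWN_FP_HASHES) -> bool:
    """Hash the file on disk and compare it against the published pair."""
    md5_hex, sha256_hex = hash_file(path)
    return hashes_match_known_fp(md5_hex, sha256_hex, known)


if __name__ == "__main__":
    # Usage: python check_fp.py <file> [<file> ...]
    for arg in sys.argv[1:]:
        verdict = "matches the published false-positive file" if is_known_false_positive(arg) \
            else "does NOT match - keep it quarantined"
        print(f"{arg}: {verdict}")
```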




  • 2.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 08:36 AM

    AFAIK, SEP 12.1 clients do not locally store a few old content revisions for a painless roll back as was the case in SEP 11.0, hence backdating the definitions may cause clients to get the old full.zip and then high network traffic; am I wrong?



  • 3.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 08:37 AM

    Good news - Rapid Release definitions which remove this detection are now available.  Sequence 156068 (version 07/24/2014 revision 9) or higher will correct this FP.

    This article will help to deploy this protection throughout the organization:

    How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
    Article URL http://www.symantec.com/docs/TECH102607

    Or the RR defs can be applied to a single client:

    How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
    Article URL http://www.symantec.com/docs/TECH104979

    I will update this thread again when the Certified definitions (available via LiveUpdate) are released.

    Many thanks!

    Mick




  • 4.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 08:39 AM

    Hi Beppe,

    You are correct, as far as I understand.  I really am hesitant to ever recommend backdating definitions, and not just for any subsequent increase in traffic.  As each set of new definitions includes protection against new threats, reverting to an older revision will always introduce security risk into an organization.

    All the best,

    Mick



  • 5.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:05 AM

    Great information.  Please let us know about the Certified Definitions.



  • 6.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:09 AM

    Should we release it from quarantine, or just delete it?



  • 7.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:15 AM

    Hi Team,

    Please let me know whether this rapid release definition is applicable to the systems running Symantec Cloud.

    Thank you




  • 8.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:19 AM

    What exactly is the legitimate file for that Symantec detected as a threat?



  • 9.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:19 AM

    When can we expect v9 to be available on the Rapid Release page?  Currently it is v5.

    Thanks for keeping us up to date on this.



  • 10.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:24 AM

    The v9 file is on the FTP site.  The HTTP page hasn't been updated as of yet.


    ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/vd41f009.jdb



  • 11.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:28 AM

    Thank you for the link.  I am downloading it now.




  • 12.  RE: Please be Informed: Current Trojan.Webkit!html False Positive

    Posted Jul 24, 2014 09:36 AM

    This wasn't listed in the Whatsnew.txt on the FTP site. Are you sure REV 9 Rapid Release fixes the issue?



  • 13.  RE: Please be Informed: Current Trojan.Webkit!html False Positive