404 Tech Support

Symantec Endpoint Protection giving Trojan.Webkit!html false positive

Symantec Endpoint Protection is flagging files called sh165.htm from people’s Temporary Internet Files as a Trojan.Webkit!html. My Symantec Endpoint Protection Manager is currently reporting hundreds of the detections around the organization.

The file is found at the multiple paths depending on the browser used. The file detected as a Trojan webkit might also be named sh165[1].htm, sh165[2].htm, and so on.

Internet Explorer: c:users[username]AppDataLocalMicrosoftWindowsTemporary Internet FilesContent.IE[hash]sh165.htm. 

Mozilla Firefox: C:Users[username]AppDataLocalMozillaFirefoxProfiles[profile].defaultCache1BBFF063d01

Google Chrome: C:Users[username]AppDataLocalGoogleChromeUser DataDefaultCachef_010726

This false positive picking up a temporary internet file is very low key compared to detecting a critical system file. Symantec​ is aware of the issue and is deploying rapid release definitions to correct the problem. Their write-up of the issue recommends using the Rapid Release definitions but also mentions backdating your definitions to a set prior to July 23 2014 revision 22. Their thread will be updated when the next Certified definitions are released and correct the false detection. You can also monitor the definitions version page to see the fix.

The Rapid Release definitions are currently available from Symantec’s FTP site. The Rapid Release definitions can be applied to a SEP client or SEPM.

Please be aware that the definitions currently available for Symantec Endpoint Protection contain a False Positive (FP).  Treat as a “known issue” any detections of Trojan.Webkit!html for the file with the following unique hash:

  • MD5 75bd3d5707ab06ac4b53eefc41ab729f
  • SHA256 5bcd9a716ba1564bf21bf3fa6f55133f076f53b2b17c0177fa5a78dc2bc5c2aa

This legitimate file is often named sh165[1].htmsh165.html or similar.  Some iFrames are malicious and are rightly detected by SEP, but this particular one is in fact harmless and is not a cause for security concern.

Symantec is currently preparing Rapid Release definitions which will remove this detection.  It is also possible to configure a SEP organization to use older definitions to avoid the detection (any set before July 23 2014 revision 22 will do), but rolling out new Rapid Release definitions is the recommended approach.

How to Backdate Virus Definitions in Symantec Endpoint Protection Manager
Article URL http://www.symantec.com/docs/TECH102935

The next release of Certified definitions, available via LiveUpdate, will also include the fix.

There is no need to open a Technical Support case about these detections.  Just subscribe to this thread- it will be updated as soon as Rapid Release definitions and then Certified defintiions are available which remove this detection.

With thanks and best regards,

Mick