WS.Reputation.1 20/08/2013 at 11:38 #48631 | |
sorabain
72 posts |
Just in case no one is informed of the comments on the brighton download page, I had some issues today with Norton Antivirus 2011 putting the download into quarantine for reason "WS.Reputation.1". It looks like more than one other user has hit similar problems but couldn't find it mentioned on the forum.

Judging from http://community.norton.com/t5/Norton-Internet-Security-Norton/Clarification-on-WS-Reputation-1-detection/td-p/232155

"WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories."

I've submitted a false-positive report to https://submit.symantec.com/false_positive/ but it might be more likely to be effective if the writer did the same, so they could say it's their own software and give more details on how it was built and otherwise deal with any queries from Symantec if necessary.

At one point in the report they ask for a copy/paste of the "File Insight" WS.Reputation.1 report. Here's a C&P of mine if you don't have access to this particular AV software yourself:

--- snip
Full Path: c:\users\sorabain\downloads\brighton1_2b3a (1).exe

On computers as of: 20/08/2013 at 12:17:34
Last Used: 20/08/2013 at 12:19:34
Startup Item: No
Launched: No

Few Users
Fewer than 100 users in the Norton Community have used this file.

Medium
This file risk is medium.

Threat Details
Threat type: Insight Network Threat. There are many indications that this file is untrustworthy and therefore not safe

Origin
Downloaded from http://www.SimSig.co.uk/index.php?option=com_remository&Itemid=254&func=download&id=585&chk=6d1c220f8a902c5860d5cd8a0faa858d&no_html=1
Downloaded File "brighton1_2b3a (1).exe" (WS.Reputation.1) from: SimSig.co.uk
brighton1_2b3a (1).exe

File Actions
File: c:\users\sorabain\downloads\brighton1_2b3a (1).exe Removed

File Thumbprint - SHA: fb91e1f574881bc6993d27b6765c1a1f2aba04d98022682c2c6398c1707f9854
File Thumbprint - MD5: 870a4b83ae4db3ad27d44c6f23a81332
--- snip
WS.Reputation.1 20/08/2013 at 14:04 #48642 | |
sorabain
72 posts |
Got an unexpectedly quick response from Symantec:

---
In relation to submission [3290807].

Upon further analysis and investigation we have verified your submission and as such this detection will be removed from our products.

The updated detection will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at http://securityresponse.symantec.com/avcenter/defs.download.html

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

If you are a software vendor, why not take part in our whitelisting program? To participate in this program, please complete the following form: https://submit.symantec.com/whitelist

Sincerely,
Symantec Security Response
http://securityresponse.symantec.com
WS.Reputation.1 20/08/2013 at 14:04 #48643 | |
alvinhochun
249 posts |
Previously someone updated and recompiled a company-specific program, and then on clients' machines they got WS.Reputation from their Norton Antivirus and the program was blocked until whitelisted, which is, well, pretty stupid.

I had a small Google search, and it seems that Norton is marking files that are "not well-known to Norton's database" as "dangerous" (or equivalent) and treating them the same way as viruses. I personally think that this is really stupid and my recommendation is to not use Norton Antivirus.

Actually to me, Norton always had a bad reputation. Seriously, I think Microsoft Security Essentials (or Windows Defender on Windows 8) is already enough as an antivirus. If you want to pay for antivirus, I really wouldn't recommend Norton.
WS.Reputation.1 20/08/2013 at 14:08 #48645 | |
sorabain
72 posts |
I agree that finding antivirus software often feels like finding the "least worst" option that doesn't ruin your workflow. In this case I think it's good that there's some diversity amongst the users of SimSig so that technical people can detect and hopefully resolve these problems that might afflict innocent users.
WS.Reputation.1 20/08/2013 at 14:39 #48650 | |
GeoffM
6377 posts |
Thanks for this and the replies. To address a couple of Norton's points:

"There are many indications that this file is untrustworthy"

(Addressing Norton here, not the OP) It would be useful to know what those indications are. Is it the fact it was downloaded off the Internet? An exe and not "hidden" in a zip? Or is it more sophisticated and starts searching within the code - e.g. for outbound sockets?

"If you are a software vendor, why not take part in our whitelisting program?"

Theoretically that could mean submitting each program I release to half a dozen or more AVs - probably much more.

Obviously one needs a good antivirus but one which overreacts is almost as worthless as not having one at all. AVG was starting to get that way, screaming that my system was in imminent danger of nasty things happening because I hadn't got the latest and greatest Flash player within hours of it being released. Probably a poor example as Flash is supposedly rather holey. (Incidentally I did try uninstalling but it seems too many websites still use it).

SimSig Boss