
Clarification on WS.Reputation.1 detection

There have been several recent posts about the WS.Reputation.1 detection.  In order to clear things up, we thought it was important to explain this detection and provide more information about how you should deal with it.  First off, we have published a write-up on our Security Response site.  Please see the information here - http://www.symantec.com/en/uk/security_response/writeup.jsp?docid=2010-051308-1854-99.  The text reads:

WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories. 

The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.

Now, like any security technology, there is a small chance that we have made a mistake on a file.  We are constantly tuning the reputation system to avoid these problems, but they do occur on occasion.  If you believe a file has been mistakenly detected by WS.Reputation.1, you can submit a dispute at https://submit.symantec.com/dispute/.  This page is monitored 24 hours a day so that we can immediately begin to research and correct any issue. 

Restoring a file from Quarantine

If you are confident that you are experiencing a false positive and cannot wait for the dispute process, the product allows you to manually remove items from quarantine.  To do so, open the main window and click on the “Quarantine” link as shown:

From the quarantine window, select the file that you wish to restore and click on the “options” button under the recommended action.


From the threat detection window, select the “Restore this file” option to restore your file.

For Developers:

When our reputation technology encounters a brand-new file (including items that you may create on your own), it relies on a number of factors to determine reputation. We use all of these factors to ensure we can provide the maximum protection for users while preventing false positives. "Newness" is only one factor we use. However, developers may experience a higher false positive (FP) rate than typical users. Abro has posted some workarounds for developers that can minimize issues when working with hand-crafted executables. You can find these recommendations here:

http://community.norton.com/t5/Norton-Internet-Security-Norton/Again-Repuation-1-detections-for-every-unknown-to-Norton-exe/m-p/228749#M1353

Software developers who want to accelerate the reputation building process for their new software applications should submit new applications to the Symantec white-listing program. Details of that program can be found here

Tony Weiss | Norton Forums Global Community Manager | Symantec Corporation