Not what you were looking for? Ask our experts!
Reply
Tony_Weiss
Posts: 8,040
Topics: 574
Kudos: 2,048
Solutions: 321
Registered: ‎04-07-2008

Clarification on WS.Reputation.1 detection

[ Edited ]

There have been several recent posts about the WS.Reputation.1 detection.  In order to clear things up, we thought it was important to explain this detection and provide more information about how you should deal with it.  First off, we have published a write-up on our Security Response site.  Please see the information here - http://www.symantec.com/en/uk/security_response/writeup.jsp?docid=2010-051308-1854-99.  The text reads:

 

WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories. 

 

The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.

 

Now, like any security technology, there is a small chance that we have made a mistake on a file.  We are constantly tuning the reputation system to avoid these problems, but they do occur on occasion.  If you believe a file has been mistakenly detected by WS.Reputation.1, you can submit a dispute at https://submit.symantec.com/dispute/.  This page is monitored 24 hours a day so that we can immediately begin to research and correct any issue. 

 

Restoring a file from Quarantine

If you are confident that you are experiencing a false positive and cannot wait for the dispute process, the product allows you to manually remove items from quarantine.  To do so, open the main window and click on the “Quarantine” link as shown:

 

 

5670iBF71E882C87AA3BD

 

From the quarantine window, select the file that you wish to restore and click on the “options” button under the recommended action.

 

5671i838E8DA3103FAF5B


From the threat detection window, select the “Restore this file option” to restore your file. 

 

5672iB193B87C206FF2FF

 

 

For Developers:

When our reputation technology encounters a brand-new file (including items that you may create on your own)  it relies on a number of factors to determine reputation. We use all of these factors to ensure we can provide the maximum protection for users while preventing false positives. "Newness" is only one factor we use.  However, developers may experience a higher FP rate than typical users.  Abro has posted some workarounds for developers that can minimize issues when working with hand-crafted executables.  You can find these recommendations here:

http://community.norton.com/t5/Norton-Internet-Security-Norton/Again-Repuation-1-detections-for-ever...

 

Software developers who want to accelerate the reputation building process for their new software applications should submit new applications to the Symantec white-listing program. Details of that program can be found here

Tony Weiss
Norton Forums Global Community Manager
Symantec Corporation