05-17-2010 01:45 PM - edited 11-03-2010 07:05 PM
There have been several recent posts about the WS.Reputation.1 detection. In order to clear things up, we thought it was important to explain this detection and provide more information about how you should deal with it. First off, we have published a write-up on our Security Response site. Please see the information here - http://www.symantec.com/en/uk/security_response/wr
WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.
The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.
Now, like any security technology, there is a small chance that we have made a mistake on a file. We are constantly tuning the reputation system to avoid these problems, but they do occur on occasion. If you believe a file has been mistakenly detected by WS.Reputation.1, you can submit a dispute at https://submit.symantec.com/dispute/. This page is monitored 24 hours a day so that we can immediately begin to research and correct any issue.
Restoring a file from Quarantine
If you are confident that you are experiencing a false positive and cannot wait for the dispute process, the product allows you to manually remove items from quarantine. To do so, open the main window and click on the “Quarantine” link as shown:
From the quarantine window, select the file that you wish to restore and click on the “options” button under the recommended action.
From the threat detection window, select the “Restore this file” option to restore your file.
When our reputation technology encounters a brand-new file (including items that you may create on your own) it relies on a number of factors to determine reputation. We use all of these factors to ensure we can provide the maximum protection for users while preventing false positives. "Newness" is only one factor we use. However, developers may experience a higher false-positive (FP) rate than typical users. Abro has posted some workarounds for developers that can minimize issues when working with hand-crafted executables. You can find these recommendations below:
WS.Reputation.1 is a reputation-based detection. When our reputation technology encounters a brand-new file (including items you might create on your own), it relies on a number of factors to determine reputation. We use all of these factors to ensure we can provide the maximum protection for users while preventing false positives. "Newness" is only one factor we use.
We've been looking at this issue very closely; we know that in certain cases a hand-crafted test case will trigger this detection. Users aren't commonly taking Notepad files and turning them into executable files, and then posting them on the Internet and downloading them. But there are real situations where good files could be called bad. We have already made a lot of adjustments to the reputation technology to fix this issue. We've been working closely with software developers to ensure files can be distributed safely. We will continue to resolve issues as they come up.
If you see cases where we are detecting downloaded executables in real-world situations that you believe are a false positive, please let us know. We are proactively looking for these cases and adjusting our technology. We scour the forums. For example, we noticed a version of a DivX installer having this issue and adjusted our technology this morning to fix this.
There are also some ways you can reduce/fix this issue on your own, particularly if you need to hand-craft executables:
- Norton products can exclude by path. You can create a folder, add it to the AutoProtect exclusions (under Settings), and then download files to this folder. This will prevent Insight from seeing these files. Of course, you should only download executables you know are safe to this folder.
- If you find you need to download a lot of low-reputation items, you can always toggle Download Insight on and off in the main Norton GUI window.
Software developers who want to accelerate the reputation building process for their new software applications should submit new applications to the Symantec white-listing program. Details of that program can be found here.