car825

Exonerated by Community Watch?

What does it mean when Community Watch exonerates a file (e.g., Statistical Submission: Setup.exe Exonerated)?  Does it mean the file was once considered suspicious but has since been exonerated?  Or does it mean the file is now considered suspicious but there is not enough information to convict it? In other words is it a good or bad sign for the file?

Atomic_Blast

Re: Exonerated by Community Watch?

Hi car825:

Interesting question.

I have not seen this before, so I would think that Norton assesses the file as being OK and it becomes a trusted part of Norton Insight and the Insight Network. You might wish to see the help page for this, here.

Hope this helps and if anyone else can add to this, please feel free to comment!

Atomic_Blast :)

"Every day is just another increment on the bell curve of life."
floplot

Re: Exonerated by Community Watch?

Hello car 825

Welcome to the Norton Community Forum

I saw this occurrence just today as I upgraded to NIS 2012.  It means that a file that was once considered as suspicious is now considered as ok. It is a good sign for the file.

Success always occurs in private and failure in full view.




SendOfJive

Re: Exonerated by Community Watch?


floplot wrote:

I saw this occurrence just today as I upgraded to NIS 2012.  It means that a file that was once considered as suspicious is now considered as ok. It is a good sign for the file.


I think the question is: if Norton has already exonerated the file, why is it now being submitted to Norton Community Watch?  Exoneration implies the file has been previously classified as suspicious or worse, and has since been acquitted, so presumably there would be no need to resubmit the file for further analysis via NCW.  I thought NCW submissions are usually new, unknown files that Symantec wants to take a look at, so I am curious about these exonerated file submissions, as well.

floplot

Re: Exonerated by Community Watch?

Hello

In my case, I don't really know why they would want to have the statistical submission again sent in. I just installed NIS 2012 and they had been exonerated yet with NIS 2011. This time though they were found in my backup drive and were submitted a 2nd time from that drive. The first time they were exonerated with NIS 2011, they were from the drive where I keep those files. I guess since mine was a new install of NIS 2012, they are resubmitting files that were already exonerated since they are submitting I think every file in my computer. Mine were all statistical submissions of exonerated files.

I did do a clean install of NIS 2012 after using the control panel method and 1 run of the NRT because I had been having some problems with NIS 2011.

Success always occurs in private and failure in full view.




car825

Re: Exonerated by Community Watch?


SendOfJive wrote:

floplot wrote:

I saw this occurrence just today as I upgraded to NIS 2012.  It means that a file that was once considered as suspicious is now considered as ok. It is a good sign for the file.


I think the question is: if Norton has already exonerated the file, why is it now being submitted to Norton Community Watch?  Exoneration implies the file has been previously classified as suspicious or worse, and has since been acquitted, so presumably there would be no need to resubmit the file for further analysis via NCW.  I thought NCW submissions are usually new, unknown files that Symantec wants to take a look at, so I am curious about these exonerated file submissions, as well.


It would be appreciated if a Symantec Employee could provide a definitive answer to my original question and SendOfJive’s quoted question. To restate the original question:

What does it mean when Community Watch exonerates a file (e.g., Statistical Submission: Setup.exe Exonerated)? Does it mean the file was once considered suspicious but has since been exonerated? Or does it mean the file is now considered suspicious but there is not enough information to convict it? In other words is it a good or bad sign for the file?

Atomic_Blast

Re: Exonerated by Community Watch?

I agree with car825's last post.

There are a couple of valid points here regarding the actual definition of "exonerated," aside from the legal def. :smileywink:

I can't find any additional information on this, so a Developer/QA answer would help quite a bit.

If the malware doesn't fit, you must acquit. :smileyhappy:

Atomic_Blast :)

"Every day is just another increment on the bell curve of life."
car825

Re: Exonerated by Community Watch?

It really would be good if someone from Symantec could definitively answer these questions.  The information is in the Community Watch log but people don’t understand what it means.

car825

Re: Exonerated by Community Watch?

Is there anyone who can answer these questions?

Bot Obliterator
elsewhere

Re: Exonerated by Community Watch?


car825 wrote:

SendOfJive wrote:

floplot wrote:

I saw this occurrence just today as I upgraded to NIS 2012.  It means that a file that was once considered as suspicious is now considered as ok. It is a good sign for the file.


I think the question is: if Norton has already exonerated the file, why is it now being submitted to Norton Community Watch?  Exoneration implies the file has been previously classified as suspicious or worse, and has since been acquitted, so presumably there would be no need to resubmit the file for further analysis via NCW.  I thought NCW submissions are usually new, unknown files that Symantec wants to take a look at, so I am curious about these exonerated file submissions, as well.


It would be appreciated if a Symantec Employee could provide a definitive answer to my original question and SendOfJive’s quoted question. To restate the original question:

What does it mean when Community Watch exonerates a file (e.g., Statistical Submission: Setup.exe Exonerated)? Does it mean the file was once considered suspicious but has since been exonerated? Or does it mean the file is now considered suspicious but there is not enough information to convict it? In other words is it a good or bad sign for the file?


I'll try and answer this for you based on what I've observed with this feature. First up though, Norton should consider dropping the word 'Exonerated' from the Statistical Submission text because it can lead the user to mistakenly assume that the file in question is safe to run when in actual fact, it may not be...

The 'Exonerated' state comes about when a heuristic scan detects that a file has some threat-like characteristics but not enough to convict it outright. The heuristic scanning process is controlled via the following setting:

Settings > Computer > Computer Scan > Heuristic Protection

The NIS Online Help describes this feature as follows:

"Norton Internet Security uses heuristic technology to check suspicious characteristics of a file to categorize it as infected. It compares the characteristics of a file to a known infected file. If the file has sufficient suspicious characteristics, then Norton Internet Security identifies the file as infected with a threat."

As I mentioned in this post, the 'Exonerated' status only applies at the specific date/time that the file was scanned and does not extend beyond this. As you saw in that post, the status of the files in question quickly went from being 'exonerated' to being assessed as hostile files containing 'Downloader.Dromedan'.

The bottom line here is that you should err on the side of caution with these 'exonerated' files and do some research before executing them. The first Full System Scan after NIS is installed usually identifies a number of files with 'exonerated' status. For example, some game EXE files or game uninstaller applications tend to fall into this category. If you have any third-party on-demand scanners installed, scan the file with them. Norton File Insight can also assist with confirming whether or not a file is currently considered safe.

To check your 'setup.exe' file, proceed as follows:

  1. Locate your setup.exe file using Windows Explorer.
  2. Right-click on the file and choose Norton File Insight.
  3. Review the trust rating, file maturity and usage information.

If you are familiar with Virus Total, then you can do a search there to see if your setup.exe file has already been uploaded there for cross-checking:

  1. In the Norton File Insight window that you opened above, click 'Copy to Clipboard'
  2. Open Notepad and paste the information.
  3. There are two File Thumbprint sections at the bottom of this information (SHA and MD5). Select one of them and copy it to the clipboard.
  4. Click http://www.virustotal.com/search.html and paste the value into the search box and click Search.

If the file has already been uploaded, you will be presented with a list of scan results from other antivirus software vendors. If it hasn't, you can always upload the file to Virus Total yourself for checking.

Hope this helps.
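
The thumbprint lookup described in the steps above only tells you about the file you think you copied, so it is worth confirming that the pasted thumbprint really belongs to the copy on disk (for instance a second copy on a backup drive). The following is an added example, not part of the original post or any Norton tooling: it hashes the file locally and compares the result with any hex digests found in the pasted File Insight text. The clipboard layout in the demo is constructed, and the digest type is inferred from its length because the post only says "SHA and MD5".

```python
import hashlib
import os
import re
import tempfile

# Digest length in hex characters -> hashlib algorithm name.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RUN = re.compile(r"\b[0-9A-Fa-f]+\b")

def file_thumbprints(path, chunk_size=1 << 20):
    """Read the file once in chunks and return {algorithm: lowercase hex digest}."""
    hashers = {name: hashlib.new(name) for name in ALGO_BY_LENGTH.values()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def extract_thumbprints(pasted_text):
    """Find hex runs whose length matches a known digest; first hit per algorithm wins."""
    found = {}
    for token in HEX_RUN.findall(pasted_text):
        algo = ALGO_BY_LENGTH.get(len(token))
        if algo:
            found.setdefault(algo, token.lower())
    return found

def check_pasted_against_file(path, pasted_text):
    """Return {algorithm: True/False} for each thumbprint present in the pasted text."""
    local = file_thumbprints(path)
    return {a: d == local[a] for a, d in extract_thumbprints(pasted_text).items()}

if __name__ == "__main__":
    # Constructed sample: a stand-in file and a made-up clipboard layout.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(b"constructed sample bytes, not a real installer")
    try:
        local = file_thumbprints(tmp.name)
        pasted = ("File Name: setup.exe\n"
                  f"File Thumbprint - SHA: {local['sha256'].upper()}\n"
                  f"File Thumbprint - MD5: {local['md5'].upper()}\n")
        print(check_pasted_against_file(tmp.name, pasted))
    finally:
        os.unlink(tmp.name)
```

A `False` for any algorithm means the pasted thumbprint describes a different file than the one at that path, so a search result for it says nothing about the copy you are about to run.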