09-08-2010 12:59 PM - edited 09-08-2010 01:00 PM
I've found the quarantine behavior to be very frustrating. For example (and this is only one example of several), I have a perfectly innocent file hanging around called Router Upgrade Checker (1.39 in my case):
Norton Insight churned and determined that it was a High risk, apparently because Few people use it. It quarantined it, and if I hadn't happened to be around to see the popup notice (or if I hadn't scrutinized the history log), I never would have known.
The problem, however, is that it doesn't offer me a way to exclude it from being grabbed again once I restore it. At first, I thought, well, if I restore it, NAV probably assumes that I want it ignored. What else could it think? Wrong. It will quarantine it again and again.
Even excluding the file in the main Settings area doesn't work.
Call me crazy, but there should always be a simple way to exclude a file when "unquarantining" it, not just sometimes (e.g. "low" risks). And how about asking the user BEFORE quarantining it, assuming the file isn't being accessed at the moment, which the example above wasn't (I hadn't thought about it in months)? Even though I have idle scans disabled, NAV obviously still does them, since it's finding files in areas that I'm not accessing.
09-08-2010 02:49 PM - edited 09-08-2010 02:51 PM
Are you sure that file is innocent? The NAV detection on it isn't reputation based and many companies have a definition for it.
09-08-2010 03:16 PM
Beyond any doubt. It's a classic false positive. You can throw lots of uncommon 3rd-party software at a scanner like that and see blips. You have to take the results in the context of what you're scanning.
But that's all well beside the point.
09-08-2010 06:32 PM
09-09-2010 03:30 PM
If you are positive the file is clean, you can add it to both "Items to Exclude from Scans" and "Items to Exclude from Auto-Protect and SONAR detection" and it will not be quarantined anymore.
I have alerted the Response team to this binary. They will look into why it is triggering the Trojan.Gen definition.
09-09-2010 06:46 PM
I only had it excluded from Auto-Protect and SONAR, but it was caught by Insight, which must have resulted from a scan even though I had Idle Time Scans disabled and never initiated a manual scan. I've come to find out that disabling Idle Time Scans only disables the Idle Time "Full Scan." "Quick Scans" still happen, which must account for the discovery of dormant programs around my system. Very subtle stuff here, wouldn't you agree?
So to avoid this situation, you have to be able to anticipate what files NAV is going to have a problem with, and then add them into two different exclusion areas manually? That's far from optimal at best, impossible at worst. You really should allow for one-click automatic exclusions the first time something is flagged. And it has to always be brought to the user's attention, which isn't the case when a user isn't in front of the PC and a notice pops up for 5 seconds and disappears along with the file. How many people are going to scrutinize logs? I think keeping the notice on screen until the user acts upon it is needed.
09-10-2010 09:06 AM
If this is an FP, it is a virus definition FP, which is different than a reputation or behavioral FP and much more rare. As I said before, the Response team will be looking into why this file is detected as Trojan.Gen.
Reputation and behavioral based convictions do give you the option to exclude from future detection with a checkbox when you restore from quarantine.
Also, there is an option in settings to turn off "Remove Risks if I am Away."
09-10-2010 10:10 AM
Previously, I wasn't sure what the distinction was between getting a check box or not. I assumed it was tied to how serious NAV estimated the threat to be.
Good to know that there's a setting that will wait until you return. I can see why you might not make it a default, but maybe the default compromise setting could be, for any kind of threat, "Remove Risks if I am Away, but notify upon return." That way, it is removed/quarantined promptly, but it doesn't drop into a black hole. That tied with a one-click exception system for any kind of threat should work around these issues.
I just looked up the definition for the setting, and it's "This option lets Norton AntiVirus automatically remove low-certainty threats if it does not get any response from you when SONAR Advanced Mode is enabled." So it seems that it would apply only to lesser threats, and even then only behavioral (and maybe reputational) ones. That still leaves everything else.