12-21-2010 08:36 AM
Last night I downloaded a file from www.nrm.org.uk/scotsmangift. After the file completed downloading Insight scanned the file and then deleted it saying that it was a risk. I reached that site from www.railsimulator.com, a reputable site about railroad simulators. As a Christmas gift, they released a free 600 mb simulator called 'Flying Scotsman'. I was quite upset as I am quite sure this was a false positive and I had just wasted 600mb of bandwidth, and time. Insight says "There are many indications that this file is untrustworthy and therefore unsafe."
My questions are these:
1) What are the 'many indications' the file is untrustworthy.
2) Realizing Insight had received fewer than 5 downloads of this file, at what point does the number of times a file is downloaded increase its reputation? If a file is reputable, how do the first users to download it get past Insight?
3) I don't want to disable Insight as I think it is a viable and worthwhile function but I'd like to learn more about how to specifically handle a file such as the one I've mentioned.
4) Specifically, I want the option for *me* to make the final determination that a file is safe or not. Is there a way to make Insight do this? I've searched through the Settings and haven't found anything along those lines.
5) I can submit this file as a false positive, and have done that once before with great results from the support folks, but it took several days to get the issue resolved.
6) I want to download this file now. I realize I can disable Insight and then download the file again. This doesn't go to the larger issue of how do I determine a download's reliability *before* I download the file? Not that I should have to do that, but it seems to me that option should be available.
A suggestion - is it not possible for Insight to report on the status of a file *prior* to starting the download simply by checking the file link/name at the start of the download? That would save any loss of time/bandwidth.
I appreciate any comments and other thoughts.
12-21-2010 08:49 AM
I think you should be able to restore the file by clicking on Options (as displayed in the lower part of the screenshot). You can then add this file to the excluded items to avoid the same issue again.
Do let me know if this resolves your problem.
12-21-2010 08:54 AM - edited 12-21-2010 08:56 AM
It may be in your quarantine, in which case you can recover it, if you are certain the file is safe.
I have NAV but I think it will be the same or similar in NIS. On the main page click Quarantine. Highlight the file and click More Details. At the bottom of the details page click Options. From there you should have an option to restore, possibly also one to restore and exclude. If not the latter, in Settings, exclude the file from all detections.
Edit: cskwatra: you posted while I was typing, sorry.
12-21-2010 09:06 AM - edited 12-21-2010 09:28 AM
As an ex-LMSer (Berkhamsted, Herts) I'd prefer the Royal Scot .... <g>
I'm downloading that file as I type and no warnings yet, but it's a slow link so I'll come back after it's downloaded and report what has happened.
Meanwhile can you check Support / About and say what the version ID of your NIS 2011 is -- it's there in the format nn.nn.nn.nnn
Download completed with no alarms from NIS 2011 and a NIS popup saying the exe was safe.
I selected the exe file and ran the Norton Insight option on it and it came up clean.
I installed it (I didn't install the PhysX driver since I didn't know what it might do to my on mobo graphics chip) and apart from an error message about not initializing the PhysX it seemed to start up OK to the Xmas card.
So I would suggest two possibilities -- the source was infected and they replaced the file (there is a help link NOT to the Museum, it says) or Insight updated its "definitions" and no longer flags it.
Perhaps uninstall it, empty all Temp files and try again?
BTW You can check a site URL by clicking on the bottom right icon on the NIS 2011 GUI (Safe Web if you can read small) and pasting the URL into the top box. I just tried that and it just says that the site has not been checked yet.
And the NRM URL you give first is cleared by Insight:
Total threats on this site: 0
12-21-2010 04:04 PM
I have 184.108.40.206 with Pulse Updates always turned on.
I was able to restore the file by: Quarantine - More Options - Details - Restore
It still marked the file as high risk with a trojan. I haven't run the file yet. I'm going to download it again and see what happens on the second download.
Thanks to everyone for their help so far... I will be back in touch once the download is complete.
12-21-2010 04:46 PM
Something must have changed I do believe.
I just located the file and did the other Norton Insight check that is in the context menu when you RMC on the file and it gave it a clear bill -- few users but no dangers, or words to that effect.
Then I opened up the Norton GUI again and did a Scan Now on the individual file I downloaded. It took some time (compressed file I guess) but again gave it a clean bill of health. Said it contained 2 files and both OK.
Look forward to hearing more from you.
I wonder if you should do a detailed security check on your machine in case it has some malware that infects downloaded files? I don't know if that exists nor why it would not be stopped by heuristic monitoring .....
BTW What version of Windows are you using, including service packs and whether 32 bit or 64 bit ....
12-21-2010 05:24 PM
I've just successfully downloaded the file. I followed the same download procedure as the first time. This second time, no flags. I also manually scanned, with no problems. Scanning the first file again showed no threat. Number of users is now in the 100 range vs. less than 5 when I first downloaded it. I'm thinking it might have something to do with the number of downloads. It makes me wonder about how Insight really determines if a file is a danger or not. At some point, all downloads start with 0 downloads. How does Insight determine if that file is safe or not? BTW - scanning the first file with Malwarebytes was clean, for whatever that is worth. An interesting problem and I've learned from this, but with some questions still remaining. Thanks to all for the help! It's time to head on down the line.
12-21-2010 06:02 PM - edited 12-21-2010 06:04 PM
Number of users is now in the 100 range vs. less than 5 when I first downloaded it. I'm thinking it might have something to do with the number of downloads. It makes me wonder about how Insight really determines if a file is a danger or not. At some point, all downloads start with 0 downloads. How does Insight determine if that file is safe or not?
The newness of a file should generate a warning at the very least, and if there are other indications that the file may be malicious, it will be quarantined. To avoid detection by virus signatures, malware is now written to change constantly, making it almost impossible to create signatures as fast as new malware variants are released. The malware writers use the newness of their files to evade detection. So, in response, Norton now uses that very newness as an indication that a file may pose a risk. Generally more information about such a file is gathered before it is actually convicted as being malicious, rather than just suspicious.
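As an added illustration of the reputation idea described in the post above (this is not Norton's code, and the thresholds, band names and sample telemetry are constructed for the example, not Insight's real values), here is a small Python model that turns per-file telemetry into a verdict. It replays the thread's own numbers: the same installer is "untrusted" when it is hours old with fewer than 5 users and unsigned, drops to a warning once the user count grows, and a freshly repacked trojan with a unique hash stays "untrusted" because it can never accumulate prevalence even though no signature exists for it yet.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed, illustrative thresholds (assumptions, not Norton's real values).
# The "fewer than 50" figure echoes the "Few Users" band quoted in the thread.
VERY_FEW_USERS = 5
FEW_USERS = 50
NEW_FILE_DAYS = 14


@dataclass
class FileTelemetry:
    sha256: str                 # identity of the exact bytes that were downloaded
    first_seen: datetime        # when this hash was first reported by any client
    user_count: int             # distinct reporting machines seen so far
    trusted_signature: bool     # Authenticode-style signature from an allow-listed publisher
    known_bad_signature: bool   # classic content signature hit


def assess(t: FileTelemetry, now: datetime) -> Tuple[str, List[str]]:
    """Return (verdict, indications).

    Verdict bands: 'malicious' (signature hit, block outright),
    'untrusted' (several weak indications together, quarantine),
    'few_users' (warn but allow), 'trusted' (nothing suspicious).
    """
    if t.known_bad_signature:
        return "malicious", ["matches a known malware signature"]

    indications: List[str] = []
    age_days = (now - t.first_seen).days
    if age_days < NEW_FILE_DAYS:
        indications.append(f"file is new: first seen {age_days} day(s) ago")
    if t.user_count < VERY_FEW_USERS:
        indications.append(f"fewer than {VERY_FEW_USERS} users ({t.user_count})")
    elif t.user_count < FEW_USERS:
        indications.append(f"fewer than {FEW_USERS} users ({t.user_count})")
    if not t.trusted_signature:
        indications.append("not signed by a trusted publisher")

    # Newness alone is only a warning; newness plus near-zero prevalence plus
    # no trusted signature is the "many indications" case that gets quarantined.
    new_and_rare = age_days < NEW_FILE_DAYS and t.user_count < VERY_FEW_USERS
    if new_and_rare and not t.trusted_signature:
        return "untrusted", indications
    if indications:
        return "few_users", indications
    return "trusted", indications


def constructed_scenarios() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed sample telemetry (not real data) replaying the thread."""
    release = datetime(2010, 12, 20, 18, 0)
    scotsman = "0" * 64  # placeholder hash for the 600 MB installer
    first = FileTelemetry(scotsman, release, 4, False, False)
    later = FileTelemetry(scotsman, release, 100, False, False)
    # A repacked trojan: every build has a unique hash, so it never gains
    # prevalence, and no content signature has been written for it yet.
    variant = FileTelemetry("f" * 64, datetime(2010, 12, 21, 7, 0), 1, False, False)
    # Contrast cases: a long-established signed installer and a signature hit.
    signed = FileTelemetry("a" * 64, datetime(2009, 1, 1), 250_000, True, False)
    known = FileTelemetry("b" * 64, datetime(2010, 12, 21, 7, 0), 1, False, True)

    night_of_first_download = datetime(2010, 12, 20, 23, 0)
    next_afternoon = datetime(2010, 12, 21, 17, 0)
    return {
        "first_download": assess(first, night_of_first_download),
        "second_download": assess(later, next_afternoon),
        "repacked_trojan": assess(variant, next_afternoon),
        "signed_installer": assess(signed, next_afternoon),
        "known_trojan": assess(known, next_afternoon),
    }


if __name__ == "__main__":
    for name, (verdict, why) in constructed_scenarios().items():
        print(f"{name:18s} -> {verdict:10s} {'; '.join(why)}")
```

The model makes the trade-off in the post explicit: a legitimate file released an hour ago and a repacked trojan look identical to a prevalence-based check until either a trusted signature or a few hundred clean installs separate them, which is why the first few downloaders of a new release see a warning and why the user above saw the verdict change within a day. A publisher can shorten that window by code-signing the installer; a user can only wait, restore from quarantine, or report a false positive.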
12-21-2010 06:04 PM
I just ran the Norton Insight scan from the context menu on the file I downloaded earlier and mine now reports Few Users -- fewer than 50 in the Norton ....
12-21-2010 06:23 PM
[ ... ] Generally more information about such a file is gathered before it is actually convicted as being malicious, rather than just suspicious.
In fact NIS returns Not tested when you run the specific file at that download site through Safe Web on the NIS GUI ....