06-23-2012 01:23 PM - edited 06-23-2012 01:24 PM
I am a software developer making my living from 2 products I distribute over the internet. Since my new webpage update Norton Antivirus now simply deletes the software when people try to download my software.
I've checked the software though a big number of different anti virus tools (VirScan.org) and there is no probelm at all.
The file is simply blocked because of the reputation. This is not acceptable. I tried to dispute the issue but what about my next software update? Do I have to fill the form for every single update?
My customers are unhappy and I am loosing them. This is not fair. I am not Adobe or Microsoft with mass products - my Product is a niche product - and every customer I loose hit me hard.
My Page is http://www.codeandweb.com - I've already signed up and added it to your web trust - which says that my site is clean.
Please show a way to get around this.
06-23-2012 03:07 PM - edited 06-23-2012 03:09 PM
Having Symantec whitelist your software is the best option:
And it's not just Symantec. In order to combat the tricks that malware uses to evade detection, reputation-based security is being adopted by many companies, including Microsoft:
06-23-2012 10:40 PM
I've already added it but with no result. And what about updates? Should I add every single update to it? If the 36 other anti virus companies add this too I end up with 1-2 days for submitting software to these companies.
About Microsoft: They at least have the decency of warning people about the download instead of simply quarantining it.
Telling pople that my software is not used by the masses and that it is unknown and might contain bad things is one thing. Deleting it is another.
My users don't even know what's happening here. They think I sell malware. This not only prevents people from buying and testing my software - it also kills my reputation in the developer community.
06-24-2012 01:20 AM
A temporary (and I understand that such a solution shouldn't be necessary) could be to make the downloads as archives (.zip-files) instead of executables (.exe-files). Norton doesn't scan archives for reputation.
06-24-2012 08:59 AM
Adding to SoJ's note on how to get it whitelisted here is the link to the Norton website that I get via the alert on downloading TexturePacker just now:
I see it has a link for entering a dispute which might be worth doing? You can point out to them that if the downloader restores the file from Quarantine using the NIS option to do so that is in the details report and then checks it with NIS it is not flagged (other than used by fewer than 50 I think it was) -- nor is it by MBM or SAS ....
06-24-2012 02:14 PM - edited 06-24-2012 02:51 PM
I've already filed the dispute. Twice. But it did not help - you are still deleting TexturePacker.
I've also registered my webpages as owner. They are "clean" according to your safe web.
For me this is vital. Your company claims to have a markes share of more than 60% in USA. 50% of my customers use the windows version which simpy means that I am loosing 30% of my customers because of your reputation system which deletes my software without qualified reason.
And I don't know how many people simply don't download it because they hear from their colleques that is might contain a virus or malware.
Who is going to replace the lost money? Will your company pay for that? I guess not.
With qualified I mean that I've tested my software with 36 different anti virus systems - including yours. The only one complaining about it is ClamAV which warns about compressed data - I guess that is because I use NSIS installer.
I need an immediate fix for that. Or some contact from your contact to help me get that fixed. Now.
How does Amazon Clould Front influence the reputation system? I am using the CDN to allow users fast downloads outside from Europe.
06-24-2012 02:48 PM
I don't think Norton is the only AV that uses reputation as part of the detection process.
For a long term solution, you really need to use a code signing certificate. If your not signing executables, you will never be able to build up a good reputation because there is no way for any product to track your reputation history.
I'm not an expert in this at all and I have no idea on exactly what Sonar uses in the basis of file convictions but I noticed something else odd about your executable. It's carrying an alternate data stream from the computer it was either made on or downloaded from.
This is visible in windows XP and even windows is trying to block it and warn the user about the file.
06-24-2012 03:01 PM
I use CMake to build TexturePacker and CPack (part of CMake) which uses NSIS (http://nsis.sourceforge.net/Main_Page) to build the installer.
I am building it on a Windows7 Virtual Machine (Running in VMWare) and test it on XP and others. While it is the same hardware it sill is another windows but I don't see anything like this:
06-24-2012 08:07 PM
I still can't see your image. Seems like it takes a lot longer for them to be approved on Sundays.
Off the top of my head I can't remember when that feature was added into windows XP.
But I'm running XP SP3 here and I just downloaded it agin with my Norton autoprotect turned off and I get the same warning.
I do know that NTFS has a lot to do with it (obviously), I can move the file onto a FAT32 partition and back to get rid of that warning. If your running XPSP3 on NTFS I have no idea why your not getting that warning but I don't prefer VMware so I wouldn't know if it's really downloading the file directly or if it's really being copied from the physical system through the NAT into the VM.
But I totally agree with you one one point, a file should never be deleted or removed unless it is a "proven" bad file.
I would prefer a warning about it being a new and unknown file and let the user make the choice. Then if the file was run and it started to display bad behaviour it should be blocked and quarantined.
But I know that the "newness" of a file is only one of many attributes that are used to allow or convict an exectuable.
Of course it couldn't count too much or it would happen on each and every new program and update and we know that is not the case.
I know thats not much help to you for this program but in the long run you really should consider signing your code with a good certificate. Not only will that help you build trust with AV scanners but it will build trust with your customers because they will know who signed the program and that they recieved it intact and unchanged along the way.
I have also seen developers comment about simple things that can prevent these problems such as making sure the programs behave like legitamate programs are expected to, adding an entry into the add\remove program list and creating a desktop shortcut are a couple behaviors that only legitamate programs will take, you will never find a virus that does these things.
Sorry thats not much help, but thats what I would do if it was me.
In the shor term whitelist all your apps and allow 2 weeks for the process and in the long term sign your executables and follow all best practices for distributing programs and soon you will never have a problem with any of your files.
06-24-2012 10:36 PM
Ok - just ordered a commodo certificate - I hope this works.
Is there a way to speed up things with norton?
Is there somebody I can talk to? Mail? Phone? I am self employed and loosing 30% of my income is hard to swallow.
Would it help to download the software using https?