Re: What is WS.Reputation.1?

JRosenfeld · ‎11-02-2008

Floating_Red wrote:
Hi, Everyone,

Sorry to see that there are still issues affecting symantec Products.

To all those who were asking what WS.Reputation.1 is, am sure this Web Link will provide the information those of you were looking for: http://www.symantec.com/security_response/writeup.jsp?docid=2010-051308-1854-99. Hope this is helpful.

--------------------------------------------

WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.

The way I read that, what it effectively means is that pretty well any newly released file (hence as yet very few users and hence de facto no or poor cloud reputation) will be assigned Reputatation.1 and automatically removed. That is not practical. There has to be a more sensible way to distinguish between real malware/virus and new files or apps from reputable software. or at the very least give users the option to tell NAV that they want that file. Having to recover it from quarantine is a cumbersome and time consuming.

jeffw · ‎05-07-2010

Hi everyone.

We have created a sticky topic to summarize the latest information on WS.Reputation.1. You can find it at the following link - http://community.norton.com/t5/Norton-Internet-Security-Norton/Clarification-on-WS-Reputation-1-dete.... Hopefully this clarifies some of the common questions we've been receiving as well as some of the workarounds. We will update the post with more information as it becomes available.

Jeff

BoxerBoi76 · ‎05-06-2010

THIS IS STILL HAPPENING! I'm fed up with Norton. EVERY Firefox dev build, plugin-container.exe is quarantined. Do you not realize these builds are released every several hours (usually, unless there are no changes). As a result of these constant updates, it appears that you have a major FLAW in the

WS.Reputat ion.1 detection technology. There won't be the "Wisdom of millions of users for these dev builds". I have to complete multiple steps to resolve this each and every time I update my build which often is several times a day. I have the latest virus defs and this still continues.

How about I uninstall this product and you issue a FULL refund? This is past rediculous.

~B

mcollette · ‎05-14-2010

Hi Roopesh,

Thanks a lot for your response.

My answer. I downloaded the installation file (GoogleDesktopSetup) from http://desktop.google.com/ on April 15 th 2010. I installed it on the same day. So, it was running less than a month untill the file googledesktopie.dll got quarantined by the Quick Scan routine. I hope this is useful information to you.

Kind regards,

Marcel

Madcat207 · ‎05-20-2010

I too am having this ridiculous problem, and I cannot believe Symantec actually expects us to unquarentie ever file that it wrongly marks. Specifically, today i downloaded the Full Tilt Poker client, and had it promptly marked with this; previously, I had downloaded a system scanner from Blizzard (makers of World of Warcraft), and also had that marked. So, how the hell do i turn off this crap?

Symes · ‎05-21-2010

Yes, I am having this problem with a new version of the spideroak client (an .exe file). Given it comes from a trusted source, I am very dubious - it had no problem with the exisitng version. Please sort this out symantec - unitl I came upon this thread my company (which pays a lot of money to both symantec and spideroak) lost the use of our backup/syn facility as the spideroak client had to be updated and the older version stopped fucntioning.

sun0000 · ‎05-21-2010

Just downloaded the newst GPU-Z version 4.3 and this is the first time I receive the ws.reputation.1 warning after which the file is quarantained. Searching this ridiculous warning I stumble upon this thread. Seems that i am not the only one

Let's make this thread very long so that they start to understand that there are "millions of users" that don't need this kind of protection.

CharlieL · ‎05-22-2010

This is my first time posting on this forum.

Today (May 22) I am getting the same behavior (NIS immediately quarantines the file upon download because of WS.Reputation.1, with the message "This Insight Network Threat has been removed.") while downloading several updates from Adobe for Acrobat 8.

My NIS is version 17.6.0.32.

The URL I'm downloading from is

http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

and the three files triggering the deletion action are

AcrobatUpd815_all_incr.msp

AcrobatUpd816_all_incr.msp

AcrobatUpd817_all_incr.msp

for updates to 8.1.5, 8.1.6, and 8.1.7, respectively.

Adobe updaters to higher and lower versions than these do NOT trigger the NIS action, but because Adobe updates are not cumulative, I can't skip these.

Is this a known false positive? Is its detection considered an item to be fixed by Symantec?

Thanks.

stuartpierce · ‎05-22-2010

Yep, Norton won't allow me to install the Starcraft 2 beta. Norton 2010, updated 3 minutes ago.

Stuart

Morac · ‎05-14-2008

How do you disable the check for WS.Reputat ion.1? I looked in the signature exclusiions, but it's not listed there. Do I have to disable "Download Intelligence" (which is poorly named consider how stupid it's behaving)?

The stupid thing has been disabling a lot of my programs recently. For example:

1. Can't update to latest nightly loads of Firefox (Minefield) since NIS 2010 deletes the updater.exe file whenever an update is attempted. I have to disable NIS's auto-protect to update Minefield.

2. Starcraft II Beta installer (torrent program that downloads installation files) deleted. Even when I restored it from Quarantine, NIS 2010 complained that running it would almost guarantee infecting my computer with something (HIGH risk).

I've submitted both to Symantec as false positives.

Norton shouldn't just automatically delete the files though. There should be a way to have Norton ask if the file is okay to run since 99% of the time it is.