• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

This forum thread needs a solution.
Kudos0

Um, what does "exclude this risk from future scans" do?

Um, what does "exclude this risk from future scans" do?

and where is "the exclusions list (later from options)"?

msi download is detected as WS.Reputation.1 and removed. 
msi file is not Quarantined.

Norton dialog suggests I may "Exclude the program".

Norton dialog suggests I may "exclude this risk from future scans".
Confirm Exclusion does not exclude this msi file from future download scans.
Next download is detected as WS.Reputation.1 and removed. 
I needed to turn Download Intelligence Off to get msi saved to desktop.
I needed to leave Download Intelligence Off to allow msi installer to run without detection. 
Just adding the msi file (saved to desktop) to Exclusions > Item to Exclude from Scans & Items to Exclude from AutoProtect without Download Intelligence Off does not allow msi installer to run without detection. 

Um, what does "exclude this risk from future scans" do?
and where is "the exclusions list (later from options)"?

Um, is msi file size a factor.
File: chomar-internetsecurity-win8-win81-win10-x64-en.msi
File size: 636 MB (667,185,152 bytes)
MD5 checksum: 04D76B624B4383B9BAE705111F42E86B
SHA256 checksum: ED2585C71737B18FCA628D96535F4ED51A790B52FED1C1BC63010EFF98453887
 

Maybe, Norton works with msi file different than PE files.
What does "exclude this risk from future scans" do? and where is "the exclusions list (later from options)"?

Thanks
EAP 22.18.0.219

File Attachment: 

Replies

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

I could be wrong but I thought "Exclude this risk from future scans" would stop Norton scanning for, in this case, "WS.Reputation.1" detections.

A little bit of knowledge is... well a little bit of knowledge.
Kudos0

Re: Um, what does "exclude this risk from future scans" do?

Ws.reputation.1, in practice, impossible to stop. You can exclude any other detections, but not Ws.Rep...solution: DI turn off.

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

In relation to submission 162638.
Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

    File name: chomar-internetsecurity-win8-win81-win10-x64-en.msi
    MD5: 04D76B624B4383B9BAE705111F42E86B
    SHA256: ED2585C71737B18FCA628D96535F4ED51A790B52FED1C1BC63010EFF98453887
    Note: Whitelisting may take up to 24 hours to take effect via Live Update

Sincerely,
Symantec Security Response

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

black_z:

Ws.reputation.1, in practice, impossible to stop. You can exclude any other detections, but not Ws.Rep...solution: DI turn off.

So, "Exclude this program" does not exclude, in practice?
So, "Confirm Exclusion" does not exclude, in practice?
So, "Excluded" file is not excluded, in practice?


I recall user complaints about files removed - not Quarantine.
I recall user complaints about WS.Reputation.1.  
I recall need for Download Intelligence Off

I recall WS.Reputation.1 detection moved to Quarantine.

Now, I'll recall WS.Reputation.1 detection moved and removed.
 
Maybe, file type n'or file size is factor re WS.Reputation.1 detection moved vs removed. 

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

So, "Confirm Exclusion" does not exclude, in practice?

 of course. This is an old topic. Exceptions help from other technologies (SONAR, Heur, Signatures). Reputation (Insight) lives its own life. I checked it again on 22.17.3: download bad file (by Insight only) - Ws.Rep.1, exclude by id, download again - Ws.rep.1 again. 

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

But there is interest thing - after bad file (excluded by id) re-downloading, in history written that access is allowed, but if run file - Ws.rep.1 and in history written - deleted. hah: then, in quarantine written - quarantined by user, manually placed (:D what?), severity: info. 

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

black_z:
I checked it again on 22.17.3: download bad file (by Insight only) - Ws.Rep.1, exclude by id, download again - Ws.rep.1 again. 

same sample?

File: chomar-internetsecurity-win8-win81-win10-x64-en.msi
File size: 636 MB (667,185,152 bytes)
MD5 checksum: 04D76B624B4383B9BAE705111F42E86B
SHA1 checksum: 372DAF9124E58F8465A0FD050DBF1B43FB584AC7
SHA256 checksum: ED2585C71737B18FCA628D96535F4ED51A790B52FED1C1BC63010EFF98453887
Kudos0

Re: Um, what does "exclude this risk from future scans" do?

same sample?

No, clean, but self-written new execution file (.exe).

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

msi file is not Quarantined.

because too big. 

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

black_z:
    same sample?
           No, clean, but self-written new execution file (.exe).

meaning ?

Filename: Xchomar-internetsecurity-online-setup-x64-x86-en.exe
Full Path: C:\Users\bjm\Desktop\chomar\Xchomar-internetsecurity-online-setup-x64-x86-en.exe

Developers 
eBilge Teknoloji Sanayi ve Ticaret Anonim Sirketi

Version 
0.0.0.0

Identified 
8/6/2019 at 9:34:59 AM

Last Used 
Not Available

Startup Item 
No

Very Few Users
Fewer than 5 users in the Norton Community have used this file.

Very New
This file was released less than 1 week  ago.

Trusted
Norton has given this file a trusted rating.

https://www.chomar.com.tr/chomar-internetsecurity-online-setup-x64-x86-en.exe
Downloaded File Xchomar-internetsecurity-online-setup-x64-x86-en.exe from chomar.com.tr

Xchomar-internetsecurity-online-setup-x64-x86-en.exe

File Thumbprint - SHA:
acfe88bc94a22a3785ac97dc128fd5dec9415de441dde3217ebda0358529e0f7
File Thumbprint - MD5:
53e892889f7b1d760b8d1fff55e33488

Um, my Topic is regarding.

https://www.chomar.com.tr/chomar-internetsecurity-win8-win81-win10-x64-en.msi
Downloaded File chomar-internetsecurity-win8-win81-win10-x64-en.msi from chomar.com.tr

File: chomar-internetsecurity-win8-win81-win10-x64-en.msi
File size: 636 MB (667,185,152 bytes)
MD5 checksum: 04D76B624B4383B9BAE705111F42E86B
SHA1 checksum: 372DAF9124E58F8465A0FD050DBF1B43FB584AC7
SHA256 checksum: ED2585C71737B18FCA628D96535F4ED51A790B52FED1C1BC63010EFF98453887

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

black_z:
       msi file is not Quarantined.

                     because too big. 

 

What is the criteria for "not Quarantined"?   
file type?  file size?

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

file type?  file size?

 file size too big.

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

black_z:
             file type?  file size?
 file size too big.

Um, and what is "file size", criteria?    
What file size is too big to be quarantined?  

greater than _______? 

please post source?

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

black_z:

So, "Confirm Exclusion" does not exclude, in practice?

 of course. This is an old topic. Exceptions help from other technologies (SONAR, Heur, Signatures). Reputation (Insight) lives its own life. 

Maybe, you can point to Norton documentation that "Reputation (Insight)" cannot be excluded. 

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

and now File Insight for 
reports

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

black_z:

msi file is not Quarantined.

because too big. 

Chat says >
quote:
There is no file size limitation for Norton actions.
The file size is only for our information. we don't have size criteria. If it is infected file, Norton will remove it.
:end quote

[....]
Chat:      May I know what information do you need ?
User:      Why some WS.Reputation.1 flags are removed and some are quarantined. I
User:      I'd like to know file size limitation for Norton actions.
Chat:      There is no file size limitation for Norton actions.
User:      Okay, why are some WS.Reputation.1 detections removed and some are quarantined.
Chat:      I will check with the backbend team and check with the given link.
Chat:      And we will get back to you about the link .
[....]
Chat:      I am sorry, There is not file size limitations for Norton actions .
User:      Okay, why are some WS.Reputation.1 detections removed and some are quarantined.
Chat:      I will escalate your case to back end team to check with the link.
User:      Maybe, file type.
Chat:      The back end team will check the link and get back after 24 hours.
[....]

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

and now File Insight for 
reports

and now File Insight reports File Not Found > after moving msi file

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

File: 431.60-desktop-win10-64bit-international-whql.exe
File size: 541 MB (567,687,656 bytes)

File Insight = Okay before move.
File Insight = File Not Found after move. 

===========================================

File: 431.60-notebook-win10-64bit-international-dch-whql.exe
File size: 496 MB (519,994,760 bytes)

File Insight = Okay before move.
File Insight = Okay after move.  

Kudos0

Re: Um, what does "exclude this risk from future scans" do?

[...]
Chat:      I have checked the case details and the case is already escalated to senior team regarding file size limitation of Norton scan. I will be highlighting the case on the prior bases so that the issue will be resolved and you will be getting a call back from our concern team with in 24-48 hours for the same issue.
Chat:      Please cooperate with us and we appreciate your cooperation.
[...]