
Can we submit our EV Code Signing Certificate to avoid false positives?

We developed an application (see https://embeetle.com). To avoid false positives, all our executables and dll's are code-signed with an Extended Verification Code Signing Certificate from Sectigo. Despite this, our users complain that Norton flags and deletes our executables and dll's immediately when they try to launch the software:

As you can see, the threat is based on the fact that our software is "very new" and has "fewer than 5 users in the Norton Community". Unfortunately, this is not going to change anytime soon:

 - As a startup software company, we have a small userbase.

 - We push out updates very regularly (sometimes once a week). Such an update means: new executables and dll's.

Giving our executables and dll's for whitelisting seems an unfeasible task (unless we can do so every week). Is it possible to get our EV Code Signing Certificate whitelisted at Norton?

Topics: False Positive

Replies

Re: Can we submit our EV Code Signing Certificate to avoid false positives?

We'll try to call attention: 


Report a suspected incorrect detection to Norton
https://support.norton.com/sp/en/us/home/current/solutions/v126152382

Submit a file to Norton
https://support.norton.com/sp/en/us/home/current/solutions/kb20090602171902EN

Respond to incorrect Norton alerts that a file is infected or a program or website is suspicious
https://support.norton.com/sp/en/us/home/current/solutions/kb20100222230832EN


FWIW ~ old...WS.Reputation.1...Topic
https://community.norton.com/en/forums/clarification-wsreputation1-detection


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

as test: 

upon unpacking
Norton is reporting WS.Reputation.1 for numerous .pyd files

for example:

Filename: singleton.cp39-win_amd64.pyd
Threat name: WS.Reputation.1
Full Path: C:\Users\user\Desktop\embeetle\embeetle\beetle_core\lib\components\singleton.cp39-win_amd64.pyd

On computers as of: 8/30/2022 at 1:12:28 PM
Last Used: 8/30/2022 at 1:14:31 PM
Startup Item: No
Launched: No
Threat type: Insight Network Threat. There are many indications that this file is untrustworthy and therefore not safe

singleton.cp39-win_amd64.pyd
Threat name: WS.Reputation.1
Locate

Very Few Users
Fewer than 5 users in the Norton Community have used this file.

Very New
This file was released less than 1 week  ago.

Medium
This file risk is medium.

hnnps: //embeetle. com/downloads/windows/embeetle. 7z
Downloaded File  from embeetle. com
Source: External Media

singleton.cp39-win_amd64.pyd

File Actions

File: C:\Users\user\Desktop\embeetle\embeetle\beetle_core\lib\components\singleton.cp39-win_amd64.pyd Removed

File Thumbprint - SHA:
e39f0e20fdc4c7c68a4060b7bcf2b6b5905041cb2088065565d332e462123242
File Thumbprint - MD5:
f79dde23b0be9a5e9b1442c1a06112de


Note: VirusTotal = No matches found (at this time)


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

as test: continued

Filename: embeetle.exe
Threat name: WS.Reputation.1
Full Path: C:\Users\user\Desktop\embeetle\embeetle\embeetle.exe

On computers as of: 8/30/2022 at 1:18:41 PM
Last Used: 8/30/2022 at 1:20:41 PM
Startup Item: No
Launched: No
Threat type: Insight Network Threat. There are many indications that this file is untrustworthy and therefore not safe

embeetle.exe
Threat name: WS.Reputation.1
Locate

Very Few Users
Fewer than 5 users in the Norton Community have used this file.

Very New
This file was released less than 1 week  ago.

Medium
This file risk is medium.

hnnps: //embeetle. com/downloads/windows/embeetle. 7z
Downloaded File  from embeetle. com
Source: External Media

embeetle.exe

File Actions

File: C:\Users\user\Desktop\embeetle\embeetle\embeetle.exe Removed

File Thumbprint - SHA:
16dd9c809bdb773b2ed219b5d08d800a4c850929afa9e9333c2056bda4fd9fc9
File Thumbprint - MD5:
df11ae2301bf3190c87931842bf2222e


Note: VirusTotal = No matches found (at this time)


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

1 security vendor and no sandboxes flagged this file as malicious

16dd9c809bdb773b2ed219b5d08d800a4c850929afa9e9333c2056bda4fd9fc9

embeetle.exe

604.34 KB Size
2022-08-30 17:57:56 UTC a moment ago

https://www.virustotal.com/gui/file/16dd9c809bdb773b2ed219b5d08d800a4c850929afa9e9333c2056bda4fd9fc9


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

Thank you @bjm_ for downloading our software and giving it a try. As you can see, all our executables and `.pyd` files (compiled python files) are flagged by Norton because very few users in the Norton Community have these files. That's normal. We're a software startup with a small userbase. Also, we push out updates regularly - that means new executables and `.pyd` files.

We code-sign all of them with our EV Code Signing Certificate from Sectigo. Is there a way to get our code certificate whitelisted at Norton?


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

at this time:  Norton is reporting WS.Reputation.1 for every file


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

Kristof Mulier:

> Is there a way to get our code certificate whitelisted at Norton?

Sorry, IDK
We'll try to call attention. 

at this time: my Norton is still removing your files 

for example:


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

Thank you @bjm_,

> Is there a way to get our code certificate whitelisted at Norton?

Do you know some people who could know the answer?


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

Thank you @bjm_

Hello @Kristof Mulier, we'll review the application and the detection you reported and will keep you updated.


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

Thank you @tomas_he


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

Hello @Kristof Mulier and @bjm_,

We have reviewed the application and removed the detection from our security products. 

If you get a chance please run LiveUpdate and verify on your side.  


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

Thank you @tomas_he

What will happen if we update our application? Then we create new executables and dlls. Will they be flagged again, because they're new?


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

It depends on the nature of the update, but your application's future updates should not be detected anymore. Please test it when a new update is released and let us know in case the detection occurs again.

Could you please confirm that the detection you reported earlier this week has been resolved?


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

Hi @tomas_he

Thank you very much for the efforts. Unfortunately, there are still many files being flagged and removed. For example this `.pyd` file:

We have thousands of these `.pyd` files in our build. They're all signed with our Extended Verification Code Signing Certificate from Sectigo. If Norton can register this certificate as a "trusted source" (like Norton does for many large software corporations), we're saved ^_^

What would be the procedure to get our certificate registered at Norton? How do the large software corporations do this?
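
A pre-release check related to the post above, as an added example (not code from this thread, from Embeetle or from Norton): it walks a build tree, records whether each `.exe`, `.dll` and `.pyd` carries an embedded Authenticode certificate table, and lists the SHA-256 and MD5 values that the Norton reports earlier in the thread show as file thumbprints, for reference when reporting a detection. It checks only that a signature is present, not that it validates; the function names are assumptions of this example and `fake_pe` builds constructed sample input.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

PE_SUFFIXES = {".exe", ".dll", ".pyd"}  # file types named in the thread

def has_embedded_signature(data: bytes) -> bool:
    """True if the PE certificate table (data directory 4) is non-empty; presence only."""
    try:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
        if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
            return False
        opt = pe_off + 24  # PE signature (4) + COFF header (20)
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+ data directories
        (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
        offset, size = struct.unpack_from("<II", data, dirs + 4 * 8)
    except (struct.error, KeyError):  # truncated header or unknown magic
        return False
    return count > 4 and size > 0 and offset + size <= len(data)

def build_manifest(root):
    """One row per PE file under root: relative path, hashes, signature flag."""
    root, rows = Path(root), []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in PE_SUFFIXES:
            data = path.read_bytes()
            rows.append({"file": path.relative_to(root).as_posix(),
                         "sha256": hashlib.sha256(data).hexdigest(),
                         "md5": hashlib.md5(data).hexdigest(),
                         "signed": has_embedded_signature(data)})
    return rows

def fake_pe(signed: bool) -> bytes:  # constructed demo input, not a real binary
    buf = bytearray(0x200)
    buf[:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)       # e_lfanew
    struct.pack_into("<H", buf, 0x98, 0x20B)      # PE32+ magic
    struct.pack_into("<I", buf, 0x98 + 108, 16)   # NumberOfRvaAndSizes
    if signed:  # certificate table entry: file offset 0x1F0, 16 bytes
        struct.pack_into("<II", buf, 0x98 + 144, 0x1F0, 0x10)
    return bytes(buf)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "embeetle.exe").write_bytes(fake_pe(True))
        Path(tmp, "singleton.cp39-win_amd64.pyd").write_bytes(fake_pe(False))
        print(*build_manifest(tmp), sep="\n")
```

Any row with `signed` set to `False` is a file that left the build without a signature; validating the signature itself still needs the platform's own verification tooling.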


Re: Can we submit our EV Code Signing Certificate to avoid false positives?

Hi @Kristof Mulier,

Earlier this month, we made several updates on our definitions and believe the issue should be resolved for all your executable and pyd files. Please run LiveUpdate, verify and let us know if you still experience the issue.
