A false positive

Norton Security | Norton Internet Security
1

Hello.
I received this report from one of our users:

Full Path: h:\documents and settings\lucian\desktop\descarcari\autocorectsetup_contemporan.exe
____________________________
____________________________
On computers as of:
06.07.2011 at 07:40:56
Last Used:
06.07.2011 at 07:40:50
Startup Item:
No
Launched:
No
____________________________
____________________________
Few Users
Fewer than 50 users in the Norton Community have used this file.
____________________________
Medium
This file risk is medium.
____________________________
Threat Details
Threat type: Insight Network Threat. There are many indications that this file is untrustworthy and therefore not safe
____________________________
Origin
Downloaded from http://baciuionut.ilive.ro/ac/AutoCorectSetup_Contemporan.exe
Downloaded File autocorectsetup_contemporan.exe (WS.Reputation.1) from: baciuionut.ilive.ro
____________________________
File Actions
File: h:\documents and settings\lucian\desktop\descarcari\autocorectsetup_contemporan.exe
Removed
____________________________
File Thumbprint - SHA:
df04bc8edfd2081fb86f60375ce50baa53ad913659eef3407d84a53462ae76bf
____________________________
File Thumbprint - MD5:
6676dd763fc7736c111d9e6a0197bc1a
____________________________



I'm the developer of http://softset.ro (pages and programs) where this link is added on one of the pages.
AutoCorectSetup_Contemporan.exe was also made by me (all the files inside the installer and the installer).
I know that I didn't add any virus/adware but still I scanned it with many other antiviruses and found none.
Could you be so kind to explain why is it seen as infected by your program (those "many indications" for example)..?
Thank you.

Regards, Cosmin

2

Hello Cosmin3

 

Welcome to the Norton Community Forum

 

Here is an explanation  of what  WS Reputation 1 is by Tony Weiss, a Symantec Employee.

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/Clarification-on-WS-Reputation-1-detection/m-p/232155/highlight/true#M112299

 

Hope this helps. Thanks.

3

Thank you.

It helps a little. Unfortunately I can't submit the file to https://submit.symantec.com/dispute/ like it says there or to scan it at virustotal.com since is 50 MB in size.

All I can do is to scan it manually and I did with F-Secure, Eset Nod32, DrWeb, Avira and Kaspersky - found no infection. But since I can't prove to others that it was tested correctly it has no value...

So, back to square one... :mansad: 

4

Hello Cosmin3

 

Please take a look at the part where it says for developers in this link. I think if you do this, it may help. I will also inquire thru my means to find out how you can submit files for dispute which are large ones. Since it is the weekend, it may take a while to get a response from Symantec also. Thanks.

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/Clarification-on-WS-Reputation-1-detection/td-p/232155

 

5

Hi Cosmin3,

 

In particular, in the Developer section there is a link to request that your program be added to the white list to prevent FP's. If your program is not undergoing frequent changes this might be a good alternative for you.

 

https://submit.symantec.com/whitelist/

 

Another possibility is to have your program digitally signed by a trusted certificate authority. More on code signing can be found at the following:

 

http://en.wikipedia.org/wiki/Code_signing

 

Best wishes.

Allen

 

 

6

@floplot Thank you.

 

@AllenM It's a good idea and I already sent a request. But unfortunately I release a new version every 1..2 months...

Who would of thought that trying to improve a program will be a bad thing...

7

Hi.
A few days ago I submitted a new version of my program to be white-listed.
I got this reply:

 

We are writing in relation to your application through Symantec's
on-line Software White-listing Request form for your software
AutoCorect.  

Symantec has decided not to add this software to its white-list at this

time.


Please note that this decision does not mean that Symantec products will

necessarily detect your software in the future.


It simply means that Symantec could not conclude from its analysis at

this time that your software should be included in its white-list.


Symantec does not disclose or discuss its decision or analysis; however,

in the event Symantec products detect your software at any point and you

believe the detection to be a false positive, you may notify us through

Symantec’s on-line Security Risk/False Positive Dispute Submission form

available at: https://submit.symantec.com/dispute.

 So, from what I understand, the specialists from Symantec don’t know and they don’t wanna discuss about this. Plus I can’t submit the file to https://submit.symantec.com/dispute because is too big.

So, what are my options so I can solve my problem…?

 

8

Hi Cosmin3,

 

I have asked Symantec for the best way for you to submit a larger file like this. What size are we talking about by the way?

 

Thanks

Allen

9

Thank you.

The size is 48.97 MB.

 http://www.mediafire.com/?6su9gsbpifow4bg

10

HI Cosmin3,

 

Thanks very much for the information. I thought I had recalled that the size limit was 50MB. I assume you tried a second time to make sure it was not a "glitch" right?

 

I will be sure and let you know when I hear somethign from Symantec.

 

Best wishes.

Allen

11

At https://submit.symantec.com/dispute shows very clear that the limit is 10 MB...

12
Cosmin3 wrote:

At https://submit.symantec.com/dispute shows very clear that the limit is 10 MB...

Hi Cosmin3,

 

I was going by what I thought I remembered and I am only trying to help which is why I contacted Symantec to ask for more input.

 

I don't see anywhere on the main page where it says 10MB and I went all the way through the process to the page where you fill out the actual form submission and still did not see reference to the maximum size. I did not submit the actual form because of course I don't have a program to actually submit with it. :smileywink:

 

Was it after this that you saw the 10MB?

 

EDIT: I finally saw the reference on the final submission page. I don't recall the options I chose on the preceeding pages the first time around but the first time I did not see the 10MB reference and I even used IE search feature to check the current page for "10" and it reported no matches. But on my latest try it was there.

 

I've also asked Symantec why the size limit is 10MB. I have to admit that seems quite small for programs these days.

 

Anyway thanks, good to have fresh information as to the size limitations.

 

Best wishes.

Allen

13

At https://submit.symantec.com/whitelist/ there is no size limit but at https://submit.symantec.com/dispute there is (it says so after a few "Next"'s).

I submitted my program at first link and I received that reply. At the second link I can't submit because the file size is > 10 MB. 

 

So I have no good option... Walls everywhere... 

But thank you for trying to help me. 

14

HI Cosmin3,

 

I had just updated my last post. You can check the part which says "EDIT". :smileywink:

 

Best wishes.

Allen

15

Hi Cosmin3,

 

One of the other Gurus said he submitted one of his programs by just compressing it with RAR and the Symantec dispute system accepted it. I wasn't sure if it would be accepted if it was compressed but he said his was accepted.

 

I'd recommend that you go ahead and try to compress it with ZIP or RAR and see if it compresses small enough to meet the 10MB limitation.

 

Either way I still have a query out to Symantec on how you can submit a larger program like this and also why the maximum size is so small.

 

I'll keep you posted.

 

Best wishes.

Allen

16

The exe file is a setup made with Inno. When is installed the size is 188 MB. The internal compression of the setup is set to maximun in Inno.

It's no use trying with Winrar/Winace/Winzip... 

But thank you for the suggestion. 

17

HI Cosmin3,

 

I've heard something back from Symantec. The question has been raised internally and we're waiting for a response.

 

Given that it is close to end of buisness and with the Labor day weekend I would not expect to hear back on this until Tuesday at the earliest.

 

But I will definitely keep you informed.

 

Best wishes.

Allen

18

Hello Cosmin3

 

What was suggested by Symantec is that you host the file some place and then provide the link to the file in the notes area of the dispute form Hope this helps. Thanks..

19

Hi Cosmin3,

 

If you don't already have a hosting website that you use, I would suggest the following.

 

http://sendspace.com/

 

I've used this one several times and it is free up to 300MB.

 

Please do let us know how it goes with your submission.

 

Best wishes.

Allen

 

20

@floplot I did that, thank you for the suggestion. I submitted the file.

 

@AllenM  I had a host already but it's a problem. If you look at my first post in this thread you'll notice the link http://baciuionut.ilive.ro/ac/AutoCorectSetup_Contemporan.exe

The problem is that any site *.ilive.ro is seen by Norton SafeWeb as infected. ilive.ro is a host for other *.ilive.ro sites.

But, for example, the site name1.ilive.ro and name2.ilive.ro are not direcly linked with each other.

But, because Norton SafeWeb found that a few *.ilive.ro are infected, it decided that all *.ilive.ro are infected.

So I can't use this link because it says that it is infected.

Now I use mediafire.  Sendspace seems good too, I will test it, thank you.