Download Insight

Hi everyone

Recently I noticed that the same file downloaded from different sources has different reputations.

I conducted a test.
Malicious sample:

https://www.virustotal.com/ru/file/bb4c05221d080a90979e3761845125aff07d9f9a6eeed74967d3d20912b22d52/analysis/1390801910/


An Acronis backup of the system was made.


1. File downloaded from hxxp://rghost.ru/ ...........

27-01-2014 12-59-15.png

System rollback to the original state.

2. File downloaded from hxxp://yadi.sk/ ...........

27-01-2014 13-03-16.png

This begs the question:

Why can Download Insight not determine some sources?
Why does a file downloaded from an unknown source get a good reputation?
Why does the same file have different reputations when downloaded from different sources?
Why does Trust Check not check the file?

Thanks

PRIOR

Thanks, dickevans.

You wrote:

Not all sites give up their identity. It's part of their security program.

But this does not stop the browser.

28-01-2014 0-43-15.png

The reputation is based on the number of downloads from that source; perhaps it has not yet been downloaded enough for the system to be convinced that it is safe.



I checked the updated information about the reputation.

File downloaded from hxxp://yadi.sk/ ...........

NIS 19.9.1.14

28-01-2014 0-30-43.png

System rollback

NIS 21.1.0.18

28-01-2014 0-36-05.png

Norton Power Eraser

28-01-2014 0-37-49.png    Unproven

System rollback

File downloaded from hxxp://rghost.ru/ ...........

NIS 21.1.0.18

28-01-2014 0-46-51.png

As can be seen from the test, the problem of determining reputation arises with an unknown source in NIS 21.1.0.18.

Hi, Prior. As has been said, until Norton has seen the file enough times to deem it safe it will always flag it as unknown, or unproven.

Also, it may depend on the source of the file, as to whether the site itself is trustworthy.

Some download sites have dubious reputations for adding PUPs and PUAs, for example.

Hi F4E

I agree with you.

While there is little information about the file, it should have an unproven reputation.

If a file with the same hash is downloaded at the same time, it must have the same reputation.
It does not depend on the download source.

This is illustrated by the example of NIS 19.9.1.14:
Download a file from a known source - unproven reputation
Download a file from an unknown source (cloud storage) - unproven reputation

In the case of NIS 21.1.0.18, we have a paradox:
Download a file from a known source - unproven reputation
Download a file from an unknown source (cloud storage) - good reputation

Norton Power Eraser:
Download a file from an unknown source (cloud storage) - unproven reputation

Only in one case do we get a good reputation:

NIS 21.1.0.18
Download a file from an unknown source (cloud storage) - good reputation

One case in five. So this is a mistake.

This is shown with the example of a single file; I tested several dozen files with unproven reputation.


The original malicious file shown in the opening post is now being detected as WS.Reputation.1:

http://community.norton.com/t5/media/gallerypage/user-id/161969/image-id/45917iCC5FA4DC836337C3

Norton’s Download Insight feature has a setting that will always prompt the user to decide on an appropriate course of action, irrespective of the downloaded file’s safe or unknown Reputation score:

Settings > Web > Download Intelligence > Show Report on Launch of Files = Always

This setting is designed to give users confidence in the knowledge that Norton has checked the downloaded file and considered it safe to run or otherwise.

To illustrate the issue, PRIOR has created the following set of videos using two new malicious files.

Test Case 1: Malicious file 1 – Unproven Trust Level:

Under File Insight, the file’s Origin is known and shows a URL. The file has an Unproven Trust Level. Upon launching the file, Download Insight reports that:

“Our information on this file is inconclusive. We recommend not using this file unless you know it is safe.”

The Norton recommended action “Remove this file from my system” is taken.

Test Case 2: Malicious file 1 – Good Trust Level:

This is the same file used in Test Case 1. Under File Insight, the file’s Origin is Unknown and does not show a URL (it should actually show http: //yadi.sk/d/...). The file now has a Good Trust Level. Upon launching the file, Download Insight reports that:

“This file does not have any known security issues. Safe to run”

When the “Run this program” action is taken, the user’s computer is infected.

Test Case 3: Malicious file 2 – Unproven Trust Level:

Under File Insight, the file’s Origin is known and shows a URL. The file has an Unproven Trust Level. Upon launching the file, Download Insight reports that:

“Our information on this file is inconclusive. We recommend not using this file unless you know it is safe.”

The Norton recommended action “Remove this file from my system” is taken.

Test Case 4: Malicious file 2 – Good Trust Level:

This is the same file used in Test Case 3. Under File Insight, the file’s Origin is Unknown and does not show a URL (it should actually show http: //yadi.sk/d/...). The file now has a Good Trust Level. Upon launching the file, Download Insight reports that:

“This file does not have any known security issues. Safe to run”

When the “Run this program” action is taken, SONAR detects the file as a security risk and prompts the user to remove the file.

Symantec needs to investigate and resolve this issue as a matter of urgency.

[edit: Removed potentially malicious links per the Participation Guidelines and Terms of Service.]
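The consistency rule PRIOR argues for earlier in the thread (one hash, one verdict, whatever the download source) and the pattern in the four test cases above (Origin Unknown yet Good Trust Level) can both be checked mechanically over a download-verdict history. The Python below is an added example and is not code from this thread or from Norton; the record layout, the field names and the sample rows are constructed to mirror the thread's observations, and the hashed bytes are a placeholder rather than the real sample.

```python
"""Audit a download-verdict history for two properties raised in the thread:
one SHA-256 should map to one trust level per product, whatever the source,
and a "Good" verdict on a file with no recorded origin deserves a second look.
Added example: record format and sample rows are constructed."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class InsightRecord:
    """One row of a hypothetical Download Insight history export."""
    sha256: str            # hash of the file content
    origin: Optional[str]  # URL shown under File Insight, None when "Unknown"
    trust: str             # "Good", "Unproven" or "Poor"
    product: str           # product/version that issued the verdict


def sha256_hex(data: bytes) -> str:
    """Content hash: the identity a reputation verdict should be keyed on."""
    return hashlib.sha256(data).hexdigest()


def audit(records: List[InsightRecord]) -> List[Tuple]:
    """Return findings as tuples; an empty list means the history is consistent."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[(rec.sha256, rec.product)].append(rec)

    findings = []
    for (digest, product), recs in sorted(by_key.items()):
        # Same bytes, same product, different verdicts: the source leaked into the score.
        levels = tuple(sorted({r.trust for r in recs}))
        if len(levels) > 1:
            findings.append(("CONFLICTING_TRUST", digest, product, levels))
        # "Good" with no recorded origin is the combination that ran in Test Case 2.
        for r in recs:
            if r.origin is None and r.trust == "Good":
                findings.append(("GOOD_WITHOUT_ORIGIN", digest, product))
    return findings


# Constructed sample: the same bytes "downloaded" from a known and an unknown
# source per product, mirroring the rollback tests. Placeholder payload only.
SAMPLE = b"placeholder bytes standing in for the tested file"
DIGEST = sha256_hex(SAMPLE)
HISTORY = [
    InsightRecord(DIGEST, "hxxp://rghost.ru/<path>", "Unproven", "NIS 19.9.1.14"),
    InsightRecord(DIGEST, None, "Unproven", "NIS 19.9.1.14"),
    InsightRecord(DIGEST, "hxxp://rghost.ru/<path>", "Unproven", "NIS 21.1.0.18"),
    InsightRecord(DIGEST, None, "Good", "NIS 21.1.0.18"),
    InsightRecord(DIGEST, None, "Unproven", "Norton Power Eraser"),
]

if __name__ == "__main__":
    for finding in audit(HISTORY):
        print(*finding)
```

Run stand-alone, the audit reports exactly the NIS 21.1.0.18 rows: one conflicting-trust finding and one good-without-origin finding, while the NIS 19.9.1.14 and Norton Power Eraser rows pass. Keying on (hash, product) rather than hash alone keeps verdicts from different engines or versions from being compared against each other, which matches the thread's point that the comparison is between downloads of one file at one time.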

I'll see if we can get Symantec to investigate.

Thank you PRIOR, you always spend a lot of time and hard work finding these problems and documenting them so well.

Watching the videos, it appears that the file is in a password-protected or maybe encrypted RAR archive and is extracted to another folder before being scanned and run.

Is that done because the file is now detected as a reputation risk?

If a file is not detected as a reputation risk, have you found the same behavior happens when they are not compressed or encrypted?

Or do you feel the compression or encryption is the actual cause of the inconsistent behavior?

Dave

Thanks Dave

The files are in a password-protected archive for security purposes when uploaded to those servers for testing.

The uncompressed file's reputation is the same as in the compressed RAR archive.

In this case, compression or encryption is not the cause of the contradictory information.

Regards

PRIOR

Thank you for answering that question.

And thank you again for all the work you do in finding problems.

F4E has already made a notification and I'm sure someone will see this.

Dave

Video links reposted (and rendered un-clickable), as per Forum Moderator shannons’ guidance:

To illustrate the issue, PRIOR has created the following set of videos using two new malicious files.

Test Case 1: Malicious file 1 – Unproven Trust Level:

Video link: http: //www. youtube. com/watch?v=v4gNTi6szUw

Under File Insight, the file’s Origin is known and shows a URL. The file has an Unproven Trust Level. Upon launching the file, Download Insight reports that:

“Our information on this file is inconclusive. We recommend not using this file unless you know it is safe.”

The Norton recommended action “Remove this file from my system” is taken.

Test Case 2: Malicious file 1 – Good Trust Level:

Video link: http: //www. youtube. com/watch?v=yAjHxUeSmr4

This is the same file used in Test Case 1. Under File Insight, the file’s Origin is Unknown and does not show a URL (it should actually show http: //yadi.sk/d/...). The file now has a Good Trust Level. Upon launching the file, Download Insight reports that:

“This file does not have any known security issues. Safe to run”

When the “Run this program” action is taken, the user’s computer is infected.

Test Case 3: Malicious file 2 – Unproven Trust Level:

Video link: http: //www. youtube. com/watch?v=eSfx8pK7EVM

Under File Insight, the file’s Origin is known and shows a URL. The file has an Unproven Trust Level. Upon launching the file, Download Insight reports that:

“Our information on this file is inconclusive. We recommend not using this file unless you know it is safe.”

The Norton recommended action “Remove this file from my system” is taken.

Test Case 4: Malicious file 2 – Good Trust Level:

Video link: http: //www. youtube. com/watch?v=rex80Q2EAQI

This is the same file used in Test Case 3. Under File Insight, the file’s Origin is Unknown and does not show a URL (it should actually show http: //yadi.sk/d/...). The file now has a Good Trust Level. Upon launching the file, Download Insight reports that:

“This file does not have any known security issues. Safe to run”

When the “Run this program” action is taken, SONAR detects the file as a security risk and prompts the user to remove the file.

Symantec needs to investigate and resolve this issue as a matter of urgency.

PRIOR and I would both be interested in hearing from the Norton Community Member(s) who reported the original video links as malicious. Please explain your reasons for doing so.

Thanks

elsewhere

I have auto-protect turned on, and I have silent mode turned off.  I have received download insight notifications in the past, but for some reason it did not appear this time.  I am using Internet Explorer 11.

Just curious - can you provide the link you downloaded from?

I downloaded the free version of the program from http://www.avg.com/us-en/email-upsell-pct-free?cmpid=em_upsell_pct_free

Hi, Weatherman. The site seems legitimate. Sometimes the Norton Insight notification can be very quick and can often be missed.

Did you check the full history for any notification of the download?

You could try re-checking your settings.

Even with them set to default, Norton should advise on all downloads.

I checked the full history and the program's download/installation is not listed. I have Norton set to ask me what to do whenever a new program is installed.  I just downloaded another program and the notification appeared this time, so maybe it was just a once and done thing?

I recently downloaded the one-time pc tuneup from AVG, and I have Norton set to always display download insight notifications automatically to make sure I know what I am downloading.  However, this notification never appeared throughout the whole installation process of the tuneup program.  I checked in Norton's security history in the download insight tab, and Norton didn't know that I downloaded the program!  I scanned it and the program is safe, but I am concerned that other programs may be able to install themselves on my computer without my knowledge if download insight isn't working properly.  Is there anything I should do to make sure this doesn't happen again?