Exonerated by Community Watch?

Hi car825:

 

Just for my edification and to help verify what you had mentioned, I performed a Full System Scan and did not notice the WS.Trojan.H in the logs. However, I did notice many other known good files which were "exonerated" by NCW. I am still curious as to the actual method in which it performs this function. For example, does NCW look at the local NIS data set provided by Live Update, or does it check on the file, (via an algorithm) send it out and instantaneously receive a response?

 

I think that NCW compares the file in question to its own LU local NIS data set and then decides whether to "exonerate" it.

As previously mentioned, I have once again turned off NCW in Settings, so I don't have my History cluttered with this excess statistical data.

 

Hope this helps!

 

Regards,

 

Atomic_Blast :)

 

 

Hello Atomic

 

I don't think that Community Watch is doing the exoneration. It just reports what other parts of the program have found and done. These reports are all done for statistical reasons. As the name of the part says, Community Watch, it is just watching over the Norton product and is reporting findings that other parts of the program have already found.

 

In the History section, you can clear the listings for Community Watch so that you don't have pages and pages from it. That probably won't clear it from the history in your computer. Community Watch also submits samples of possible malware. They just do the submitting I believe and not the actual testing of the files. After further testing, some of these files can be exonerated by different parts of the program and then are reported as such.

 

This is just my opinion though.

Hi floplot:

 

This could be true, as well.

 

I think that someone from Symantec should explain this as we would all have an "official" answer. :smileywink:

 

Thanks.

 

Atomic_Blast :)

Here's a thread where ws.trojan.h was considered a non-threat:

http://www.malwareremoval.com/forum/viewtopic.php?f=12&t=58000


Atomic_Blast wrote:
I have once again turned off NCW in Settings, so I don't have my History cluttered with this excess statistical data.

Please forgive my perhaps overzealous support for the importance of NCW.
Since, you prefer not to have your History cluttered with a lot of excess statistical data.

Where do you think product Updates come from?

I may be laboring under a totally erroneous misunderstanding....

fwiw ~ I think product Updates are derived from all that cluttered excess statistical data.

Respectfully submitted

my 2 cents

Hi bjm_:

 


You wrote:

 

Please forgive my perhaps overzealous support for the importance of NCW.
Since, you prefer not to have your History cluttered with a lot of excess statistical data.

Where do you think product Updates come from?

I may be laboring under a totally erroneous misunderstanding....

fwiw ~ I think product Updates are derived from all that cluttered excess statistical data.

Respectfully submitted

my 2 cents


 

Everyone is entitled to their opinion.

 

NCW has a slider to turn it off and it was placed there for one reason - Privacy.

If Symantec thought it was mandatory, there wouldn't be a choice. Think of it like this - there is an election but not everyone decides to vote, so the voting pool is smaller, yet someone is elected. Certainly, NCW is a good thing, I never said the opposite.

 

It's all a matter of personal preference.

 

Cheers!

 

Atomic_Blast :)

 

 


car825 wrote:

elsewhere wrote:

car825 wrote:

 

The description for one of the Community Watch log entries says Statistical Submission: WS.Trojan.H Exonerated.  It is followed by a string of numbers in the Submission Details section. No file name is given. What does that mean?  How do you research it without a file name?  Thanks for your help with this.


Interesting. Does your 'WS.Trojan.H Exonerated' log entry look like the one below? Are you seeing a row of underscore characters where the file name should be (________)? If it's different, then right-click on the log entry, select copy and paste the details into your next post.

 

I have six entries like the one below. I'll see if there is anything else in the log that can shed some light on this.

 

Description: Statistical Submission: Suspicious.Cloud.7.L Exonerated
Submission Details: ___________________________
Detection Digest:
03 00 EA AF 0F 01 00 02 00 00 00 00 00 83 AC 71 ...............q
92 99 D5 F2 DB 00 00 00 00 4D 15 DD 6A 04 03 00 .........M..j...
00 32 19 03 05 00 01 02 02 00 00                .2.........

 

Please confirm.

Thanks
 


My Community Watch log entry for WS.Trojan.H Exonerated had one underscore followed by a string of numbers and letters where the file name should have been.


Thanks. Just to recap: the Heuristic Protection feature is making the 'Exonerated' assessment here and 'Exonerated' doesn't automatically mean the file in question is 'Safe To Run'. Norton Community Watch is simply the messenger that reports this result as a statistical submission.

 

The files with an underscore name '____'  that are shown as 'Suspicious.Cloud.7.L Exonerated' on my system have a '.msi' file extension. If I scan my system in SAFE mode, the files in question are evaluated as 'High Risk':

 

Unresolved Threats:
Risks in compressed file "2bffae.msi"
 Type: Compressed
 Risk: High (High Stealth, High Removal, High Performance, High Privacy) 
 Categories: Heuristic Virus
 Status: Not Attempted
 -----------
 1 File
[g:\false positives\fp - 2bffae\2bffae.msi] - Not Attempted


Risks in compressed file "hp smart web printing.msi"
 Type: Compressed
 Risk: High (High Stealth, High Removal, High Performance, High Privacy) 
 Categories: Heuristic Virus
 Status: Not Attempted
 -----------
 1 File
[g:\false positives\fp - hp smart web printing\hp smart web printing.msi] - Not Attempted

 

As a result, I now know which files need to be scanned in Normal mode to determine whether or not they are causing the 'Suspicious.Cloud.7.L Exonerated' entries without a file name that I am seeing. Copying these two files to a USB key and re-scanning them is a simple way to confirm this.

 

Before we go any further, please note (and as shown above) that there is currently a lengthy thread that highlights a problem with False Positives discovered during a SAFE Mode Scan:

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/Is-there-a-Bug-in-Safe-Mode-Scan/m-p/538446/highlight/true#M173222

 

Given that, and if you understand this, then please run a Full System Scan in SAFE Mode, export the results into a text file, and post back if you can now identify the file(s) that are being detected as 'WS.Trojan.H'. As indicated in the thread above, please don't resolve any threats detected at this stage due to the high chance that they may be false positive(s).

 

Thanks
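
The export-and-identify step suggested in the post above, as an added example that is not part of the original thread and is not Norton's code: a Python parser for a scan export laid out like the "Unresolved Threats" excerpt quoted earlier, which lists the files to re-scan in Normal mode. The sample text is constructed from that excerpt; the function names, and the assumption that a full export keeps this layout, are assumptions.

```python
import re

# Constructed sample: same layout as the export excerpt quoted in the post above.
SAMPLE = r'''Unresolved Threats:
Risks in compressed file "2bffae.msi"
 Type: Compressed
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Not Attempted
 -----------
 1 File
[g:\false positives\fp - 2bffae\2bffae.msi] - Not Attempted

Risks in compressed file "hp smart web printing.msi"
 Type: Compressed
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Not Attempted
 -----------
 1 File
[g:\false positives\fp - hp smart web printing\hp smart web printing.msi] - Not Attempted
'''

# Only the entry shape shown on the page is recognised (assumption: others differ).
HEADER = re.compile(r'^Risks in compressed file "(.+)"\s*$')
FIELD = re.compile(r'^\s*(Type|Risk|Categories|Status):\s*(.*?)\s*$')
PATH = re.compile(r'^\[(.+)\]\s*-\s*(.+?)\s*$')

def parse_export(text):
    """Split the export into one dict per 'Risks in compressed file' entry."""
    entries, cur = [], None
    # Forum copy-paste often turns spaces into non-breaking spaces; normalise them.
    for line in text.replace("\u00a0", " ").splitlines():
        if m := HEADER.match(line):
            cur = {"name": m[1], "files": []}
            entries.append(cur)
        elif cur is None:
            continue  # preamble such as "Unresolved Threats:"
        elif m := FIELD.match(line):
            cur[m[1].lower()] = m[2]
        elif m := PATH.match(line):
            cur["files"].append((m[1], m[2]))  # (full path, per-file state)
    return entries

def rescan_candidates(entries, category="Heuristic Virus"):
    """Paths of untouched heuristic detections, to be re-scanned in Normal mode."""
    return [path for e in entries if category in e.get("categories", "")
            for path, state in e["files"] if state == "Not Attempted"]
```

`rescan_candidates(parse_export(open("export.txt").read()))` gives the list of paths to copy aside and scan again; `export.txt` is a placeholder name for the exported results.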