NEW - Download Insight always reports Reser.Reputation.1 for unknown or unproven files

I create a new thread because I don't see an existing one concerning this. I think it is very important.

 

Ever since I upgraded my versions of Norton 2010 to 17.5, I have noticed that Download Insight no longer shows a yellow pop-up for files with Unproven, Untrusted or Poor reputation. This used to be the case with previous builds (17.0, 17.1 ...). Instead of reporting yellow and giving the user the option to decide, it automatically scans and deletes the file - all such files are marked red and deleted as Reser.Reputation.1

 

Although this might be helpful in most cases, this way of working is prone to false positive alerts.

One just creates a harmless self-extracting archive and makes this SFX into an exe. This SFX exe contains a PDF file (a harmless one) and it is automatically marked as a threat: Reser.Reputation.1

 

You could try it with a random unknown exe with Unproven or ... reputation

 

Any comments?



cgoldman wrote:

I can create an executable zip file containing a PDF and I have no issue. In your case, what action are you performing when you have created the exe?


After you create this, upload it somewhere and then download it with your browser (IE or Firefox). This way Download Insight will analyse it and produce a false positive alarm of a threat.

 

Try this - it contains just a PDF - a magazine - a harmless PDF in an SFX exe

http://hotfile.com/dl/25486875/92f250e/Rosi_Ivanova.exe.html?uploadid=25486875&fname=Rosi_Ivanova.exe.html&hash=92f250e&lang=en

 

http://hotfile.com/get/25486875/4b5be806/3a92a51/Rosi_Ivanova.exe

 

Just made an experiment to prove what I am talking about

 

See the pictures

 

http://i48.tinypic.com/16a33pg.png and http://i48.tinypic.com/14uuoo0.png

I restored this file from Quarantine, and SONAR2 detected and deleted this file ... are you sure that it is clean?

 

http://img64.imageshack.us/img64/751/65522836.jpg

 

The file has harmful actions, so the reputation detection

This file in particular might not be clean, but you can test with any other file. I suppose you can create your own exe (for example a self-extracting one from an archive, filled with harmless files), then upload that exe somewhere and attempt to download it.

 

Check out the result. Obviously there is something wrong with this. Note that it was not like that a few days ago.


3play wrote:

This file in particular might not be clean, but you can test with any other file. I suppose you can create your own exe (for example a self-extracting one from an archive, filled with harmless files), then upload that exe somewhere and attempt to download it.

Check out the result. Obviously there is something wrong with this. Note that it was not like that a few days ago.


 

I have been able to reproduce the issue you raise. I used WinZip 14 to build a zip file (it is necessary to use legacy compression) and then to convert it to a WinZip executable. I uploaded the exe to my own website (using CuteFTP) and downloaded it using http.

The downloaded file is picked up by Norton and removed to quarantine. The description is Reser.Reputation.1

I will try to get a Symantec employee to look at this and respond.

 

See also my post in

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/Norton-Removes-the-Program-that-I-m-trying-to-download/td-p/194549

I can confirm this as stated by the OP. Create an SFX file and then download it via http, and Download Insight grabs the file first, and then when it is restored from Quarantine, SONAR2 grabs it also.

Thank you for your confirmation, guys!

Hopefully Symantec notices it and fixes it - it happens with any executable with unknown status for Download Insight

Any comment from Symantec? This is too serious to shrug it off.

Hey guys,

 

We are looking into this issue.

 

Thanks,

Barrett


BarrettBaxter wrote:

Hey guys,

 

We are looking into this issue.

 

Thanks,

Barrett


 

Thank you for letting us know, Barrett!

Very important for us to know you are working 24/7 :smileywink: to improve the greatest security product

@BarrettBaxter

 

hxxp://www.sandboxie.com/SandboxieInstall-343-17.exe
hxxp://www.sandboxie.com/SandboxieInstall64-343-17.exe

 

Two files, false positive detection: Reser.Reputation.1

 

[edit: removed direct link to executable files per the Participation Guidelines and Terms of Service. Please refrain from linking directly to these types of files]

hxxp://sandboxie.com/SandboxieInstall-343-18.exe

hxxp://sandboxie.com/SandboxieInstall64-343-18.exe

 

Two files, false positive detection: Reser.Reputation.1


Varock wrote:

hxxp://sandboxie.com/SandboxieInstall-343-18.exe

hxxp://sandboxie.com/SandboxieInstall64-343-18.exe

 

Two files, false positive detection: Reser.Reputation.1


This is not just a false positive on the definitions that can be submitted and fixed with a Live Update (Iron revocation). This is FP based on the technology false positives. Download Insight marks ALL such files as Reser.Reputation.1 and the problem is that they get deleted automatically just because of the reputation. This is it ---

I'm also getting this behaviour with Spinrite.exe from GRC.com and I'm sure that Steve Gibson would not be hosting a virus on his site with his reputation for security.

Hello guys!

This morning (I live in Europe) I received an update. The problem is fixed, no more Reser.Reputation.1 threat detections based on Unproven status.

Everything is fine!

I would like to say THANK YOU to all Symantec staff involved in reporting and fixing this!

 

Have a nice day!

This is good news. I was affected by this problem as well and can confirm that the update seems to have fixed the problem.

 

I think Symantec is doing a very good job and I find this forum really helpful. Many other antivirus developers have got a lot to learn from Symantec with regard to support, listening to the customers and fixing bugs. With the previous two antivirus software I have been using, the support was horrible and fixing bugs took ages, if they were ever fixed at all. So I hope Symantec keeps up the good work. I also have to add that the Norton Antivirus product since version 2009 is a huge improvement compared to the previous releases.

Hello,

On 2 PCs set up with NIS 2010 17.5.0.127 with the latest updates: download of UltraISO
PC1 (XP Pro SP2): no detection of Reser Reputation 1
PC2 (Windows 7 Ultimate): detection of Reser Reputation 1 and file deleted.

 

Details: the file downloaded on PC1, I analyzed manually on PC2, and Norton does not detect Reser Reputation 1.

Explanation because it becomes very annoying.

Thank you