Norton Internet Security Auto-Removing Threats when Set to Ask Me

This has been a long-term bugbear of mine. I have Norton Internet Security set to "Ask Me" regarding auto-removing threats:

[Image: Capture.PNG]

Yet for my Visual Studio files, it still does it! Off it goes removing several .exes and .dlls from my project folders, quarantining and sometimes outright removing. The "threat" is WS.Reputation.1, which is basically it's not seen this code before (as it's custom code I've written).

 

1. Why the heck is it doing this when it should be ASKING ME?

2. Why can I not tell it NOT to go just auto-removing my files, or at least not to Auto Remove for WS.Reputation.1? (I'm fine with it DETECTING, just not ACTING)

3. Don't mention whitelisting etc, I'm not publishing these apps, they're for my own development and use.

4. Yes I DO have certain folders set to fully Excluded (which works), however I sometimes transfer my files between devices or temporarily save them to desktop. Norton then just goes removing ALL of them before I can stop it, and I have to re-add them back from quarantine one by one. Some files I can't even undelete!

 

Filename: My Project.Resources.Designer.vb.dll
Threat name: WS.Reputation.1
Full Path: C:\Users\Bob\Desktop\Other\interim Stop Management Tool\obj\Debug\TempPE\My Project.Resources.Designer.vb.dll

____________________________

On computers as of: 23/08/2019 at 21:27:45
Last Used: 23/08/2019 at 21:29:45
Startup Item: No
Launched: No

Threat type: Insight Network Threat. There are many indications that this file is untrustworthy and therefore not safe


____________________________


My Project.Resources.Designer.vb.dll Threat name: WS.Reputation.1
Locate


Very Few Users
Fewer than 5 users in the Norton Community have used this file.

Very New
This file was released less than 1 week  ago.

Medium
This file risk is medium.


____________________________
Source: External Media

My Project.Resources.Designer.vb.dll

____________________________

File Actions

File: C:\Users\Bob\Desktop\Other\interim Stop Management Tool\obj\Debug\TempPE\ My Project.Resources.Designer.vb.dll Removed
____________________________


File Thumbprint - SHA:
64ecd17f6f60d86f25402593aae42434cc453e22c96f8500a728e521af3a6daa
File Thumbprint - MD5:
1552d278a51ff08edf3aaf1cc701f022

Thanks mate, but as I said in the first post, I've already done this.

However I can't only keep my files in a single folder, 100% of the time. At times I need to move them between devices, so they would be temporarily out of that folder, also I may be working with other files that aren't Visual Studio projects, files related to games or whatever else, Norton has removed these too.

 

Also to the second post, the trade off between preventing malware from deleting your files, shouldn't be security software that...deletes your files. It doesn't even quarantine some of them! It's not just my code either that it's done this with.

I absolutely agree that by DEFAULT, it should do whatever it says it will do. But there should be an OPTION for Advanced users to customise. The presence of the "Ask Me" option is daft also. Sure I understand that technically, this doesn't apply to download insight, however this is absolutely poor design. If a user tells their anti-virus NOT to just go deleting files and instead to ASK ME, the user expects it to bloody ask! Not just "some of the time".

 

A quick fix would be to have this setting apply to ALL detection methods, along with the one underneath about what to do about issues while I am away. This would allow advanced users to customise its behaviour and have it work as expected.

Also ensure that files that it's not 100% sure are a definite virus, should always be QUARANTINED, not deleted outright! It's like shooting someone who comes to your door, just because you don't know them. Quarantine and check with the user first! (If configured, otherwise by default just quarantine and inform).

End of the day, outright deleting files, and having settings only applying to certain features (yet are regarding overall behaviour) is flat out wrong. I'm sick of the whole babying that the software and OS market is doing nowadays. Leave it to ME to decide the risk to my machine, if I specifically configure it to delegate such decisions to myself.

 

Is there any way of getting this raised with Norton? (The Ask me option behaving the same for all methods, and preventing outright deletion for files whose only crime is not being known). I'm really, really sick of having to recover files from backups and other devices.

Norton has unilaterally removed files that it considers dangerous for as long as I can remember.  I assume this is because they would rather receive the occasional support call about an unwanted removal rather than an avalanche of calls about infected computers from users who overrode a warning.  While this is not great for those writing their own code, it can be disastrous if a bad virus definition should cause critical operating system files to be deleted.  And that has happened in the past with more than one AV vendor.  So, while I tend to agree that, for this reason, the user should have the final say, I can see why a company that is depended upon to block malware might want to trust its own judgement and ability over those of its mostly casual-user customers.  As in everything else having to do with security, it's a trade-off.

As a developer, you need to create a master folder for all your projects. Then exclude that folder from both items in the image below.

[Image: exclude scans.JPG]

 

I agree with the basic premise that the vast majority of users will not be creating custom executables, and that Norton should work how it needs to, to keep people protected.

However, this should be the DEFAULT. Why is there not an option to customise that behaviour? Especially in regards to "omg this is a threat because it's a file I've never encountered before. Delete!". Having an option there, and one that actually works, would please both worlds. I'm not a child, I'm the user of my own computer, it should be for ME to judge whether a "new" file is a threat or not, (if I have overridden the default behaviour).

Treating all unknown files as definite threats is silly. Flag them as suspicious, sure. But the final judgement should lie with the user.

 

Absolutely sick of programs nowadays taking control completely away from the user, or at least having no options to re-enable such, for competent users. It ends up with a situation where software is hindering the user rather than helping.

But oh my god, without Norton I may end up with some malware that... outright deletes my files! Get the point? It's stupid.

Give me an option please, and have it respect my choice, and I'm happy. It's not just about custom executables, the user should always have the choice of whether a file is OUTRIGHT DELETED or not. (Should they set that option). These could be any files! What if it was something vastly more important than a throwaway program? As mentioned, some of these files don't even go into quarantine!

Bobt36:

Indeed, but flagging AND removing something just because it's never seen it before is retarded, this completely annihilates anything custom, like my own programs. (I don't publish these so no point whitelisting).

The main issue here is that it is not ASKING me, as I have set it to do. That setting is very important for a situation such as this.

It is not asking you, because that preference is specific to SONAR, and these are not SONAR detections.  Norton, much to the dismay of many users, routinely removes threats that it considers significant without user action.  And there is some justification for that insofar as unsophisticated users will often ignore warnings, even going so far as to turn off firewalls and AV protections to install something they want that is being legitimately blocked.  Norton is designed to protect these types of users as much as possible, and that means removing new files that are highly suspicious.  The vast majority of computer users do not create custom executables, and it has been well established that reputation-based protection works extremely well against new and polymorphic threats.  It is a feature that will probably not be changed for the sake of the relatively small percentage of users who are in your situation -- the risk from new malware variants is just too great and there are too many average users who would ignore or override a warning.  The suggestion to exclude WS.Reputation.1 from detection is probably your best option.

I hear ya'.  
I've questioned Norton Support...before.....Why some WS.Reputation.1 detections are quarantined and some are removed.  And Community users have expressed their concerns regarding WS.Reputation.1....before.   

Norton Feedback
https://gen3.opinionlab.com/v1/comment_card

Product Suggestions
https://community.norton.com/en/forums/product-suggestions

Maybe, Official Norton Support can "help" regarding your concerns.
Chat with Official Norton Support   --|-- Call Official Norton Support 

Let's hear from Community

Edit: 

FED UP WITH WS.REPUTATION.1
https://community.norton.com/en/forums/fed-wsreputation1

WS.Reputation is Crap!
https://community.norton.com/en/forums/wsreputation%C2%A0-crap

Reputation-based protection definitely has some shortcomings, especially in your situation where you are having to work regularly with new code, but it is a great defense against these polymorphic threats that present a different, unique, variant to every machine they attack - and, really, how many of us who are not developers are downloading never-before-seen .exes that AREN'T malicious?  So yes, the protection may be an inconvenience for you and others in your profession, but for the vast majority of users, reputation-based threat assessment will block way more actual malware than false-positives.

https://community.norton.com/en/comment/6920861#comment-6920861 

Reputation analysis means even tighter security for your computer.

A good pedigree can open doors — and that’s as true for software as it is for people.

Norton’s engineers know this, which is why they built the reputation analysis layer to look into the history and background of every file you download from the Internet. It does this in two ways: by examining the metadata attached to these files, and through the reputation information gleaned from the millions of systems that Symantec monitors.

“The reputation analysis layer is less interested in the actual bits and bytes of a particular file,” Blake explains. “Instead, Norton technology is more interested in things like where you downloaded this file from, how old the file is and how many Norton users have also downloaded it.”

In fact, Norton technology can look at a file for the first time and know a few things about it right off the bat.

“For example, if you were the first person to download a particular file, Norton Security would find that interesting,” Blake says. “That would tell us a few things all by itself. For example, we could assume it probably isn’t a Microsoft operating system file, or an Internet browser like Google Chrome, or anything like that. If Norton Security hasn’t seen it before, it looks suspicious right away. And if no developer has signed it with a known key, then we can automatically rule out a large swath of reputable sources.”

This is a key component of Norton Security’s ability to identify previously unknown zero-day threats. It can usually quarantine something brand new, while Symantec works to develop insight on it. As Blake explains, this is never an issue for files like Google Chrome, because the fact that those files are always signed means they automatically have a good reputation, even if they’ve only been downloaded once.

The core idea of Symantec's reputation engine makes a lot of sense, but the implementation is flawed as it is generating too many false positives when running. Instead of moving WS.Reputation.1 files to the quarantine, users should see a notification instead that gives them the power to either do that, or keep the file on the system. 

https://www.ghacks.net/2012/06/25/how-to-bypass-symantecs-ws-reputation-1-system/ 

Indeed, but flagging AND removing something just because it's never seen it before is retarded, this completely annihilates anything custom, like my own programs. (I don't publish these so no point whitelisting).

 

I'm totally ok with it DETECTING things, but not REMOVING them (and for some files it literally is an outright removal, rather than quarantine), and especially when the only reason is because it hasn't seen it before.

 

I may try excluding that from all detections, but then I'm worried that it won't even at least warn in future when it does see something potentially risky (such as something auto-downloaded from the internet).

 

The main issue here is that it is not ASKING me, as I have set it to do. That setting is very important for a situation such as this.

I mean how hard is it? For anything that it's certain on, remove/quarantine/whatever. For anything it's unsure on, ask!

Maybe, because WS.Reputation.1 flag is reputation-based not behavior-based detection.   Maybe, you'd be helped by excluding WS.Reputation.1 ....signature.  IDK


WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories. 

The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.


Symantec Online Network for Advanced Response (SONAR) identifies emerging threats based on the behavior of files. It detects malicious code before virus definitions are available through LiveUpdate and protects you from advanced threats.