NIS 2011 Version 18.6.0.29. Default settings for everything apart from Identity Safe which is turned off.
XP (SP3) Home
Dell Dimension
Hi:
I’m a Norton newbie and would be grateful for some advice about Reputation Scans.
I tried a Full Reputation Scan for the first time today and got some anomalous results.
6 files (all of them .MSI files in the c:\windows\installer folder) were categorized as UNPROVEN. Detailed information provided via FILE INSIGHT says that these files are UNPROVEN; have very few users in the Norton Community (less than 5); are VERY NEW (less than 7 days old); and have no digital signature. But this information seems to me to be incorrect.
Using 1 file as an example (1e2361.msi).
Examination of the file properties using Explorer indicates:
- This installer contains the logic and data required to install Microsoft Access Office Access MUI (English) 2007
- It was created/modified on 8 Feb 2011
- It is digitally signed by Microsoft Corporation
I then used the Microsoft tool sigverif.exe to confirm that the file is truly signed by Microsoft. (And by the way this tool will not run properly unless I turn Norton Anti Virus off temporarily – I suspect SONAR is interfering with it although nothing is reported in HISTORY).
I then noticed that Norton is reporting this file as DISCOVERED on 25 July 2011 which seems to be at variance with both the file properties creation/modification dates, and the also INSIGHT statement that it is VERY NEW (less than 7 days old).
I then did a custom virus scan on each file and this reported the files as clean.
All this does not make sense to me. Can reputation scan be relied upon? The dates/file ages it reports appear peculiar, and the files are reported as not being digitally signed when they actually are. The files seem to be reputable to me.
Or am I misinterpreting/misunderstanding what Norton is reporting?
The "Unproven" designation only means that Norton does not have enough feedback information on the particular file to make a judgement on its reputation. The reputation-based protection is fundamentally different than signature-based or heuristic detection mechanisms, and the ratings are a much looser, less precise, measure of a file's possible threat potential. In the case of "unproven" files, it is just telling you that not enough information has yet been recovered and processed to rate the file one way or the other.
Thanks for the reply but I'm still not comfortable.
Reputation scan is reporting:
(1) That some Microsoft files do not have a digital signature (which according to Microsoft's own signature verification tool they do have)
(2) That some files are "new" (1-7 days old only) but NIS also reports that they have been "discovered" by NIS on 25 July which is a lot older than 1-7 days !!
Some of the results from the reputation scan just do not make any sense to me.
If I had to guess (and it would only be a guess), I would say that the discrepancies in the information about these files that is being gathered from your PC and thousands of others is probably the reason why the files have not been assigned a trust rating, and are still considered "Unproven." There may be real inconsistencies in the data up to this point.
In any event, you should not be too concerned about the results of reputation scans. And you should definitely not take any action based on a file's Norton reputation rating. The ratings are there to help Norton decide which files should be more closely watched, but do not indicate whether a file is actually malicious or not. That is the job of Auto-Protect and the virus scans.
Not that I'm doubting what you found but for some reason I cannot find any information on 1e2361.msi. Can you provide a link that describes this MSI file?
Something does not sound quite right about this detection to me. Is this file being identified as a "ws.reputation.1"? If so then it would seem that properly signed digital certificates should prevent the detection.
As the Symantec employee points out, there are stringent requirements on CAs but it would seem that a certificate issued by Microsoft would pass the test.
Well sir, I ran a Full Reputation scan and also found a bunch of .msi files that were listed as "unproven." I think there may be something about .msi files that makes them difficult to categorize as far as assigning a trust level. I am not familiar enough with the methods used to digitally sign files, or with the hashes, algorithms, and file properties that Norton uses to arrive at a reputation rating, so I am not sure why it happens. It really shouldn't be an issue, though. It just means that the unproven .msi files will be scanned rather than skipped as "Trusted" when the AV scan runs.
Well now, I think we have known each other too long for sir!
Perhaps there might be something about MSI files - can't say one way or the other. However, from what I understand about digital signatures (which is not a whole lot), it would seem that the type of file would not matter.
I agree this is not a functional problem but it might raise some amount of concern, especially when the file in question is from Microsoft.
This is one of those areas where Symantec probably cannot reveal too much about how file data is processed to arrive at a reputation rating. So this may be unanswerable by users like ourselves. But I think that an inability to get a coherent picture of a few files, especially those of a particular type, should not be taken to mean that all ratings are suspect or that none of the file data can be trusted to be correct. Reputation data is collected from the community at large and there are bound to be some files that just do not immediately present a coherent picture across the entire sample population. At least, when in doubt, Norton labels the file as unproven so that it gets scrutinized by the other Norton components as an unknown. It doesn't really matter why Norton can't determine if a file is trustworthy, as long as all ambiguous files get scanned.
One possibility I can think of is that Symantec does require a known clean copy of every file for testing before it will fully trust a file. Perhaps until the digital signature is verified in house, the file insight status will not show that the file is in fact digitally signed. This may be one part of the picture that Symantec confirms with its own pristine copy of the file, rather than what is found on users' systems. I, of course, am speculating wildly, here...
I spent some time today trying to diagnose what is going on with Reputations Scan, but have had to give up. However what I have discovered is:
(1) There are 53 .msi files in the c:\windows\installer folder. 30 are unsigned and 23 are signed.
(2) When I run REPUTATION SCAN (Full System Scan) 20 of these msi files are reported as having UNPROVEN trust. (I reported 6 in my post of yesterday but don’t think the list has grown since then – I’ve just been a lot more thorough with my investigation today. NIS is not very helpful in this area as you cannot sort the list on the Reputation Scan screen nor print it – this makes investigation of long lists very difficult).
(3) Of the 20 UNPROVEN files, some are digitally signed and some are not. However INSIGHT always reports them as being unsigned.
(4) So in theory the remaining 33 msi files should have a status of GOOD, but they do not appear anywhere on the scan report.
(5) I then identified 2 msi files which were NOT reported on the Reputation Scan report (and by inference should therefore be GOOD) which I know are trustworthy files as I know the download source. (One is an installer for Bit Defender which I used to run on my machine years ago, and the other is the Microsoft Office 2007 Compatibility Pack). I then ran a CUSTOM REPUTATION SCAN on these 2 files and INSIGHT reported that both of them were NEW and UNPROVEN. At that point I gave up!
(6) As an aside I noted that NIS often refused to run the Reputation Scan because it said that I was not connected to the internet. This was incorrect – I could still browse the web and NIS itself ran Live Update quite happily during the periods when the Reputation Scan module reported the connection as being down.
By the way in reply to somebody who asked about web references to the msi files you will not generally find any information. I think that the msi files are normally wrapped up within a downloaded exe file and then extracted when the exe is run.
I originally started this thread purely out of curiosity as I’m a new user – I’m not trying to imply there are any bugs in NIS. But from what I have seen I have to question the benefit of Reputation Scan, and am also beginning to wonder whether I really need to have Insight Protection turned on.
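The manual checks described in the opening post (Explorer properties, sigverif.exe, creation/modification dates) and the signed/unsigned tally in the post above can be done in one pass so the results are sortable and exportable, which the Reputation Scan screen does not allow. The script below is an added example, not code from Norton or from anyone in this thread. It assumes Windows PowerShell 2.0 or later with the built-in Get-AuthenticodeSignature cmdlet; the folder path is the C:\Windows\Installer location discussed in the thread, and the 7-day threshold mirrors the "very new" criterion reported by Insight.

```powershell
# Added example: inventory the .msi files in the Windows Installer cache with
# their Authenticode status, signer and timestamps. Not Norton's or the
# poster's code; assumes PowerShell 2.0+ (Get-AuthenticodeSignature is built in).
$installerDir = Join-Path $env:SystemRoot 'Installer'
$cutoff = (Get-Date).AddDays(-7)   # same 7-day window Insight uses for "very new"

$report = Get-ChildItem -Path $installerDir -Filter *.msi | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # Countersignature time, if present: the date the publisher signed the file,
    # independent of when the copy landed in this folder
    $signedAt = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.NotBefore } else { $null }
    New-Object PSObject -Property @{
        Name        = $_.Name
        SizeKB      = [math]::Round($_.Length / 1KB)
        Created     = $_.CreationTime
        Modified    = $_.LastWriteTime
        # Valid = signed and the chain verifies; NotSigned = no Authenticode blob at all;
        # anything else (HashMismatch, UnknownError, ...) means do not treat it as signed
        SigStatus   = $sig.Status
        Signer      = $signer
        SignedAt    = $signedAt
        NewerThan7d = ($_.CreationTime -gt $cutoff)
    }
}

# Signed vs. unsigned counts, like the 23/30 split tallied in the post above
$report | Group-Object SigStatus | Select-Object Name, Count | Format-Table -AutoSize

# Sortable listing plus a CSV to cross-check against the Reputation Scan results
$report | Sort-Object SigStatus, Name |
    Format-Table Name, SigStatus, Signer, Created, Modified, NewerThan7d -AutoSize
$report | Export-Csv -Path (Join-Path $env:TEMP 'msi-signature-inventory.csv') -NoTypeInformation
```

Two things to keep in mind when reading the output: the Created and Modified columns describe the copy in the Installer folder (they are set when the installer caches the file), so they are not evidence of the file's true age, whereas the Signer and SigStatus columns come from the embedded Authenticode signature and are the values to compare against what Insight reports. A status other than Valid or NotSigned deserves a closer look before the file is assumed to be a legitimately signed installer.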
Actually the reputation scan is quite useful and I would not recommend turning it off.
I have asked Symantec for clarification on signed MSI files and will report back when I have something I can share.
In a case like yours where the MSI file in question is Microsoft, the Reputation Scan is somewhat less useful because once someone has verified that it belongs to a company like Microsoft, the vast majority of users are going to trust it regardless of what they might see from a Reputation Scan.
Where it is most useful is for the vast majority of exe's, etc from sources which are less well known. The Reputation Scan gives the user the information that the file in question is not widely used and therefore may be questionable. The user then has a choice to make. Actions the user could take could include not using the file rather than take the risk.
But given that the Reputation Scan is not a conviction but is rather just an indicator of possible questionable origin, the user could simply then choose to do something like submit the file to virustotal or have an online scan done by Symantec to verify that the file is safe. Without the Reputation scan, the user has no idea in most cases how widely used the program is, etc.
So in the end, a Reputation Scan is very useful and in my opinion should not be disabled.
We are now actually discussing two different things here. First, a File Insight scan is generally used on a downloaded executable file that the user is intending to run, such as a new Adobe Flash Player installer, let's say. Whatever verdict Norton pronounces will have some bearing on the user's ultimate decision on whether or not to launch the .exe. The idea is that newer files are inherently riskier, so newness is a major criterion and "unproven" actually means something.
A Full System Reputation Scan's purpose is fundamentally different. It examines files already well-entrenched on the computer and most of those, especially the Microsoft .msi files, have already been run, anyway. While the file data is the same in both types of scan, the purpose of the Full System Reputation Scan is to give the user an overview of how the files on his system are currently appraised as far as their known trustworthiness, which influences how Norton manages them. Even files rated as "Bad", however, are merely suspicious - if they were proven to be malicious the anti-virus component of the scan would have quarantined them.
From the user's standpoint, the File Insight Scan supplies valuable information that influences a decision on running a file. The Reputation Scan, on the other hand, is after the fact. An unproven rating is much more significant when the file in question is something you have just downloaded where newness equals risk. It is far less significant with an obscure .msi file that has been sitting on your hard drive for months or years that Norton just doesn't have much information about.
I'm not saying that perhaps things shouldn't be tidied up, especially if Symantec is in fact missing information on important files. But as a practical matter, an "unproven" rating in the Reputation Scan results is far less important to the user than the same rating in a File Insight or Download Insight scan on a specific file that has not yet run.
We are now actually discussing two different things here.
Hi SendOfJive,
Actually I was not discussing two different things. I did not get into File Insight since that was not the discussion the OP started.
I was talking strictly about Reputation Scans and though I agree about File Insight being more useful in many ways, for a "Norton newbie" as the OP stated, a Reputation Scan can hold almost the same importance as File Insight, because the Reputation Scan is being run for the "first time" and you are trying to ascertain whether everything already on your system is kosher.
A proper, digitally signed file should be key in both cases.
With the greatest respect to my elders and betters and those who are a lot more familiar with NIS than me........ but if I run a Reputation Scan (Full System) and it does not report a specific file as UNPROVEN (and in fact does not report anything at all about the file of interest) and I then next run a Reputation Scan (Custom) and select that file and it is reported by NIS as UNPROVEN, then I think that something is very wrong somewhere. Or at a minimum inconsistent. Or I'm missing the point - which is why I asked the question in the first place.
But from what I have seen I have to question the benefit of Reputation Scan, and am also beginning to wonder whether I really need to have Insight Protection turned on.
Hi AllenM,
I was hoping to address the above statement made by Newboy999 and to put some things in perspective. Even if Norton gets it wrong about digital signing on a particular file in a Full Reputation scan, the main effect is that Norton does not give that file a free pass - so there is no significant adverse security consequence. The situation is that a trustworthy file will be treated as an unknown, and will be given more scrutiny than it actually needs. The only situation that would cause damage would be if an untrustworthy file were treated as trusted, and that will not arise from a missed digital signature. Certainly there are other areas where Norton's proper recognition of a digital signature would have more significant impact, but I don't see it as being a major cause for concern as far as the Reputation Scan goes. Yes, Norton should detect the digital signature, but if it does not there is no damage done from a practical standpoint.
Sorry, I missed that Newboy999 had mixed the two features.
I just wanted to update you briefly. The issue of MSI's and digital signatures was discussed with Symantec and they have indicated that this should no longer be an issue when NIS/NAV 2012 is released.
Though there is no pre-announced time frame and hence no guarantee, the next year's version (2012 in this case) typically gets released in the Sept/Oct timeframe.