Suspicious insight

NIS 2010 doesn't detect these files, but when I upload them to VirusTotal the result is: "suspicious insight." I know NIS 2010 is newer, so...

 

http://www.virustotal.com/ro/analisis/8f89a2035f028f5ef7c83292455efe25b66a95c1d90d00dc99132be008c81185-1264849176

 

http://www.virustotal.com/ro/analisis/aff4d621afa548b825ce2ff5ad9ed48ee471e604fb850c8d1429356ac9a301c7-1264838119

I tested over 20 suspicious files on VirusTotal and the result was: suspicious insight. I hope NIS 2010 will have the same detections soon.

Hi mitzu :

 

I also confirm this. There are some files I tested which had a Suspicious.Insight detection on VirusTotal but not on NIS.

I asked this question quite some time ago (no answer received from Symantec, though), and I figured out myself that the product on VT may be connected to a Symantec server which gets the updates even before we can.

 

Later, when definitions become available on all their servers , we get the detection.

 

That might help.


Shridhar wrote:

Hi mitzu :

 

I also confirm this. There are some files I tested which had a Suspicious.Insight detection on VirusTotal but not on NIS.


 

That is not true. Norton provides better protection than Symantec corporate products for antivirus protection because Norton additionally incorporates SONAR and Insight, plus Safe Web, exploit protection, pulse updates, etc.

 

Suspicious.Insight most likely is this that you see in Norton 2010

or this

 

 

I can also confirm: on VT all fresh malware was detected as Suspicious insight; with NIS 2010 today, Unproven...

I think that has to do with the Reser Reputation detection cancelled two days ago. Norton v17.5 detected many false positives as Reser Reputation 1, and Symantec cancelled this detection.

Norton would normally recognize this malware now as Reser Reputation 1.

@3play

This Window is not a Detection.

Yes, on VT fresh malware is detected as Suspicious.Insight. But not all. Some malware was detected as Suspicious.Cloud. At the moment "Reser Reputation" is cancelled again. Probably another false positive?

http://www.virustotal.com/estadisticas.html

 

Top 10 of Infected Files (Last 24 Hours)

 

Suspicious.Insight 40000! :D

40000 files missed by NIS 2010

I've always said, the Symantec Security Response department needs more staff ;)


3play wrote:

Shridhar wrote:

Hi mitzu :

 

I also confirm this. There are some files I tested which had a Suspicious.Insight detection on VirusTotal but not on NIS.


 

That is not true. Norton provides better protection than Symantec corporate products for antivirus protection because Norton additionally incorporates SONAR and Insight, plus Safe Web, exploit protection, pulse updates, etc.


 

You are not getting the point.

 

I was wondering if anyone had any more information regarding this Suspicious.Insight warning.

I am a mid-level programmer who has been using Visual Basic for years, and now when I compile my executable and scan it using VT, I'm given a Suspicious.Insight warning for the application that I have created, which contains NO malicious code whatsoever. I take this as a new false positive?

 

My source is as follows:

Option Explicit

Private Sub Form_Load()
    WebBrowser1.Navigate "about:blank"
    Me.Caption = "Neverland Online - Browser(Less) Client"
    WebBrowser1.Width = Me.ScaleWidth
    WebBrowser1.Height = Me.ScaleHeight
End Sub

Private Sub Form_Resize()
    WebBrowser1.Width = Me.ScaleWidth
    WebBrowser1.Height = Me.ScaleHeight
End Sub

Private Sub mnuN1_Click()
    WebBrowser1.Stop
    WebBrowser1.Navigate "http://n1.hithere.com"
End Sub

Private Sub mnuN2_Click()
    WebBrowser1.Stop
    WebBrowser1.Navigate "http://n2.hithere.com"
End Sub

Private Sub mnuN3_Click()
    WebBrowser1.Stop
    WebBrowser1.Navigate "http://n3.hithere.com"
End Sub

Private Sub WebBrowser1_NavigateComplete2(ByVal pDisp As Object, URL As Variant)
    Me.Caption = WebBrowser1.LocationName
End Sub

 

It's a simple client for a browser game I play, and all it does is allow me to open the form (my client containing a WebBrowser control object), and then connect my WebBrowser control directly to the website containing the Flash loader etc. There is no reason this file has been detected as a Suspicious.Insight, unless the WebBrowser control has something to do with it?

It was so strange.

My clean applications look like viruses and my customers do not like that.

Today I just uploaded LG Electronics's external firmware upgrader program to VirusTotal. But the result was the same as mine.

To Symantec

Better to remove this sh!t.

I think many "noobs" will love Symantec, because they will definitely find many viruses (clean applications) on their computers that other AVs can't.

It was so funny, and Symantec works like a kid.

Bird, is it hard to read? I do not think so.

 

http://www.symantec.com/norton/security_response/writeup.jsp?docid=2010-021223-0550-99

Suspicious.Insight detection based on reputation security technology is still not available for NIS 2010. Any ideas?

I thought I'd try and shed a little light on the Suspicious.Insight detections. These detections are derived from Symantec’s new Reputation-based security technology. They highlight files that have not yet developed a strong reputation (either good or bad) amongst Symantec’s community of users. Our goal is to keep our users' machines safe and part of achieving that goal means helping our users make informed choices about the files they allow on to their systems. Suspicious.Insight detections help shine a spotlight on new files that have not yet developed a full reputation.
 
Why are we doing this and what’s wrong with the conventional approach to security, using traditional antivirus signatures? Unfortunately traditional antivirus techniques are no longer as strong a defense as they used to be. Over the last few years Symantec has observed a seismic shift in the threat landscape. Consider this: ten years ago Symantec published little more than a few handfuls of new virus definitions each week. Today that number has grown dramatically and we currently publish, on average, well in excess of fifteen thousand new virus definitions each day. So why is this? Well, virus writers have realized that once a virus definition for their malware exists, their game is over. So instead of hoping that a new threat will make its way across the globe to a large number of people and not be blocked by a security product’s latest signature, they are today focusing their efforts on shape-shifting as frequently as possible to avoid the traditional detection methods. They use techniques like server side polymorphism, obfuscation and encryption to cloak their threats in a disguise and then change that disguise as frequently as possible. So today, the vast majority of malware is generated in real-time on a per-victim basis, which means that each such malicious program will be rated as being entirely new and low-prevalence by a reputation-based system. In contrast, most legitimate software has vastly different characteristics – it often comes from known publishers, has high adoption rates, shares much in common with earlier versions of the software, and so on. The Suspicious.Insight detection, therefore, is meant to inform the user that a given application is unproven and not yet well known to Symantec’s tens of millions of users.
 
Does this mean that all Suspicious.Insight detections will be flagged by Norton and Symantec products? No, for several reasons:

- This detection looks at many different aspects of a file – including how it arrived on the system, publisher information, when it arrived, etc. Using these attributes, most users do not see Suspicious.Insight detections. (Note that on an online scanner like VirusTotal, many of these attributes are absent, hence a Suspicious.Insight detection will be more likely). In effect this means that most users will never encounter a Suspicious.Insight detection on a day to day basis.

- Today Norton products warn the user about Suspicious.Insight detections; they do not block these files. The file is labeled "unproven", and the user is allowed to make the final decision. Note that future versions of Symantec's corporate Endpoint Protection products will include reputation, and will allow administrators to configure blocking policies based on their specific tolerance for risk.

- Due to the nature of our reputation system, even if a new clean file is initially flagged as "unproven" (which is rare), it will typically develop a good reputation very quickly – usually within several days.

Ultimately the goal of Suspicious.Insight is to empower our users to make better informed choices about the software they allow onto their machines.

 

For more information, check out the following resources:

Blog: Norton Internet Security 2010 – Download Insight

Blog: The New Model of Consumer Protection: Reputation-based Security

Product Tutorial: How To Use Norton Download Insight
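
As an added illustration (not Symantec's algorithm and not part of the original thread), the code below models the prevalence-and-age reasoning in the post above: per-victim variants never accumulate users, and a file scanned without endpoint context, as on an online scanner, stays "unproven". The thresholds, the Context fields, the verdict labels and the telemetry are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumed thresholds, for illustration only (the real values are not on this page).
MIN_USERS = 50       # distinct users before a file counts as well known
MIN_AGE_DAYS = 7     # days since the file was first seen

@dataclass
class Context:
    """Attributes an endpoint can observe but an upload-only scanner cannot."""
    signed_by_known_publisher: bool = False
    from_known_download_site: bool = False

def build_reputation(sightings):
    """Fold (file_hash, user_id, day) sightings into {hash: (users, first_seen)}."""
    rep = {}
    for file_hash, user, day in sightings:
        users, first = rep.get(file_hash, (set(), day))
        users.add(user)
        rep[file_hash] = (users, min(first, day))
    return rep

def verdict(file_hash, rep, today, ctx=None):
    users, first = rep.get(file_hash, (set(), today))
    if len(users) >= MIN_USERS and (today - first).days >= MIN_AGE_DAYS:
        return "established"   # enough history to carry a reputation, good or bad
    # New or rare file: only surrounding context can vouch for it.
    if ctx and (ctx.signed_by_known_publisher or ctx.from_known_download_site):
        return "no-warning"
    return "unproven"

# Constructed telemetry: placeholder hashes, not real samples.
TODAY = date(2010, 2, 15)
SIGHTINGS = (
    [("popular_app", f"user{i}", date(2010, 1, 4)) for i in range(500)]
    # Server-side polymorphism: every victim receives a different file.
    + [(f"poly_variant_{i}", f"victim{i}", date(2010, 2, 14)) for i in range(3)]
    + [("new_vb_client", "developer", date(2010, 2, 14))]
)
REP = build_reputation(SIGHTINGS)

if __name__ == "__main__":
    for h in ("popular_app", "poly_variant_0", "new_vb_client"):
        print(h, verdict(h, REP, TODAY))   # scanner view: no context
    print("new_vb_client on endpoint:",
          verdict("new_vb_client", REP, TODAY, Context(signed_by_known_publisher=True)))
```

In this model the freshly compiled client and the polymorphic variants are indistinguishable by prevalence alone, which is why a clean new build gets the same label on an upload-only scan.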

Suspicious.Insight sounds like a good idea but is actually quite misleading if not somewhat useless.  If you read the description of the detection technique - i.e. "When detections of this type are triggered in Norton products the user may be warned that the application is unproven, thus allowing the user to make the final decision" all that says is that Norton users apparently don't use that file - so what does that tell me about the malicious nature of the file - exactly NOTHING.

I hate to be pessimistic but look at the scenario - Norton/Symantec doesn't use this plugin/definition in its own scanning products but yet on the VirusTotal web scanning tool, includes the definition - which, if people are like me, look up the definition on Google which takes me to Norton's site and this community board.  A cute marketing ploy to make Virus Total users think that a file could be suspicious and that Norton products use some type of more advanced technique to flag threats - naughty naughty.  I hope I'm wrong.

 


drmdolfan wrote:

I hate to be pessimistic but look at the scenario - Norton/Symantec doesn't use this plugin/definition in its own scanning products but yet on the VirusTotal web scanning tool, includes the definition - which, if people are like me, look up the definition on Google which takes me to Norton's site and this community board.  A cute marketing ploy to make Virus Total users think that a file could be suspicious and that Norton products use some type of more advanced technique to flag threats - naughty naughty.  I hope I'm wrong.


 

I agree with this.