WS.Reputation.1 is NOT helpful

I'm sure I'm not the first person to post this and I'm sure I won't be the last but I don't feel like reading through 100 posts to see if this issue is being addressed as it's so ridiculous and should have never been implemented in the first place.....

Soooooooooo .... What's the deal with WS.Reputation.1???

I just had a file quarantined as "WS.Reputation.1"

When I read the description for "WS.Reputation.1": ( http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-051308-1854-99 ) I quickly realized that you're simply GUESSING the file is unsafe because it is unpopular!?!?!? Seriously!??!  How is that really helpful to anyone?!

I want to know if the file is safe based on a thorough scan of the file not by how popular it is... I mean ... I can find out the popularity of a program without spending all this money on your over-priced annual subscription fee.

I'm really annoyed

I'm annoyed that I had to take the time to write this and that I know I'll never get a satisfactory answer as to whether or not my files are safe?

I think this is the beginning of the end for me and NIS   :(

Hi FrequentC,

 

Sorry this feature is not sitting well with you.  This is actually a very effective protection against new, unknown threats.  Malware writers change the code in existing malware so that new variants are unrecognizable to AV software - newness is an advantage.  To counter this, Norton takes files that have no history and classifies them as suspicious - newness is now a liability.  Obviously it is not a perfect system and it is more prone to false positives than traditional methods.  The tradeoff is that a small percentage of software that is not widely used may get mistaken for malware, but a great deal of actual malware gets blocked that otherwise would have installed.  Other security programs are adopting similar techniques, and Microsoft is using application reputation for download security in IE.  For a one-post explanation of this feature please see the following:

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/Clarification-on-WS-Reputation-1-detection/m-p/232155/highlight/true#M112299

To summarize your post: "newness is now a liability"

I don't expect to see that on a bumper sticker anytime soon.

I understand YOUR problem ... I understand what you're doing and even why you're doing it.

But I need you to understand MY problem ... I now have a file that is just sitting here. I don't know if it is safe or not and I spent a lot of money on a program that is supposed to tell me if it's safe or not ... but ... it's not doing that.  So now what?

Also to address the "Other security programs are adopting similar techniques" ... My mother would say: "just because your friends jumped off a bridge doesn't mean you should do it too"

Hi FrequentC,

 

I would add to what my colleague SendOfJive said that for developers there are ways around this.

 

SendOfJive's link suggests that developers can submit their program and request that it be added to the whitelist.

 

Developers can also acquire a digital signature from a trusted Certificate Authority (CA) which should help to prevent FPs.

 

I am a developer myself and if I design a program I think it is a small price to pay to do this to help ensure that potential users of my program are able to have more peace of mind before they choose to download and use my program.

 

Is it a hassle? Yes it most certainly is. It is unfortunate that it has to be this way but there are a lot of criminals out there who target the innocent victim.

 

Reputation ratings are a guideline and just something to let the casual user know that the program they have acquired is not widely used. It is not a conviction of the file or program so the user still has a choice to make.

 

One can also upload the file to places like virustotal to have it checked further before making a final decision if they desire.

 

Best wishes.

Allen
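
The two checks Allen mentions (a second-opinion lookup and a publisher's digital signature) can be started locally. The following is an added example, not part of the thread and not Symantec's logic: it computes the SHA-256 to use for a hash lookup and reads the PE certificate table to see whether an Authenticode blob is embedded at all. It reports presence only, not whether the signature is valid or trusted; `triage` and `constructed_pe` are hypothetical names and the sample bytes are constructed.

```python
import hashlib
import struct

SECURITY_DIR = 4  # data-directory index of the PE certificate table

def embedded_signature_size(data: bytes) -> int:
    """Bytes of embedded Authenticode data; 0 means the PE is unsigned."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not a PE file: missing MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("not a PE file: missing PE signature")
        opt = pe_off + 24  # optional header follows the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count <= SECURITY_DIR:
            return 0
        offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    except (struct.error, KeyError) as exc:
        raise ValueError(f"malformed PE header: {exc!r}") from exc
    if size and offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    return size

def triage(data: bytes) -> dict:
    """Facts to collect before deciding what to do with a flagged file."""
    size = embedded_signature_size(data)
    return {"sha256": hashlib.sha256(data).hexdigest(),  # for a hash lookup
            "signed": size > 0, "signature_bytes": size}

def constructed_pe(sig: bytes = b"") -> bytes:
    """Constructed sample: a bare PE32 header, optionally with a fake cert blob."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if sig:  # certificate table sits right after the 312-byte header
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 312, len(sig))
    return dos + coff + bytes(opt) + sig

if __name__ == "__main__":
    for name, blob in (("unsigned", constructed_pe()), ("signed", constructed_pe(b"\0" * 16))):
        print(name, triage(blob))
```

Looking a file up by hash gives a second opinion without uploading the file itself; an unsigned, never-seen hash is exactly the case the thread describes as having no reputation yet.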


FrequentC wrote:

To summarize your post: "newness is now a liability"

I don't expect to see that on a bumper sticker anytime soon.

I understand YOUR problem ... I understand what you're doing and even why you're doing it.

But I need you to understand MY problem ... I now have a file that is just sitting here. I don't know if it is safe or not and I spent a lot of money on a program that is supposed to tell me if it's safe or not ... but ... it's not doing that.  So now what?

Also to address the "Other security programs are adopting similar techniques" ... My mother would say: "just because your friends jumped off a bridge doesn't mean you should do it too"


Hello FrequentC, my name is Michael and I work for Symantec. I am sorry to hear that you are having issues with one of the features of NIS. Could I ask what file in question is causing the problem and caused the detection? 

 

In the meantime I can explain a few things. Just because a file is unknown NIS will not mark the file as a threat. It is one factor in many when it makes that determination. The other is how the file behaves on the system and if it is acting like threats that have been seen in the past. You can also submit the file to us, and if it is a false positive we will white list it so it will not be detected in the future again. NIS12 has a very low rate of false positives and it could very well be that the file is a threat and that NIS protected your system.

I understand YOUR problem ... I understand what you're doing and even why you're doing it.

 

_____________________________________________________________________________

 

Actually, it's a user to user forum.  We don't do anything other than try to explain what Symantec is doing. :smileywink:

 

Oh, late again.  Good to see Michaell explain it.

So what you're saying is: NIS can't figure out if the file is safe but "places like virustotal" can and that WS.Reputation.1 is a "Hassle"

I just want to make sure I'm clear on it.

I want you to know that ... I realize my replies are a little obnoxious but I'm not trying to Troll. I find the WS.Reputation.1 "solution" to be ?misleading? (that might not be the word I want to use) .. however I feel like I paid for something more than a "Best Guess" solution.

 

 


FrequentC wrote:

So what you're saying is: NIS can't figure out if the file is safe but "places like virustotal" can and that WS.Reputation.1 is a "Hassle"

I just want to make sure I'm clear on it.

I want you to know that ... I realize my replies are a little obnoxious but I'm not trying to Troll. I find the WS.Reputation.1 "solution" to be ?misleading? (that might not be the word I want to use) .. however I feel like I paid for something more than a "Best Guess" solution.

 

 


It is not a best guess. If that detection was made it was because the file is known to be bad, not unpopular. Of course there is a very small risk of false positives, but if you look at reports from AV comparatives NIS has a very low false positive rate. If you feel that this is a false positive, you can submit the file here https://submit.symantec.com/false_positive/ and we will analyze the file. If it is we will white list it so that the detection does not occur again.


michaell wrote:

but if you look at reports from AV comparatives NIS has a very low false positive rate


NIS is great and all, but this seems to apply to on-demand scans, not actually executing the file. As you can see in the latest dynamic test from AV-Comparatives - http://www.av-comparatives.org/en/comparativesreviews/dynamic-tests , the thing that kept NIS from the top spot was not its protection or detection, but its very large amount of false positives. With an on-demand scan, this WS.Reputation false positive problem would not occur, but in a dynamic test or a real-world situation, it shows very well.

@michaell

What are the other "Many Factors" that are used to make the determination? And why is that not spelled out in writing on the page that vaguely explains WS.Reputation.1 so your claim can be reviewed and disputed if found to be false rather than denied by "corporate" as a mistaken post by an uninformed employee? ( http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-051308-1854-99  )  

Also ... I don't know if you've made a false positive. "MAYBE" I did download a malicious file? But I would like to read the explanation as to why a file has been quarantined and have it say "We found Something" not "The file isn't popular with 10s of millions of users"

Hi FrequentC,

 

New programs come out all the time and unfortunately some contain malware - most don't but some do! No AV software can determine if something altogether new is totally clean based on signature alone.

 

The Reputation rating is simply a way of letting the user know that the program is not widely used and to proceed with a bit of caution - that is it.

 

As michaell said there are other indicators such as behavioral (how the file behaves on your system). Does it do anything which is suspicious, etc?

 

I mentioned virustotal only as another possibility - a second opinion which it never hurts to have.

 

I also mentioned as did michaell about submitting the program/file to Symantec for a final determination and then you will KNOW if the program is safe.

 

Best wishes.

Allen

Hi FrequentC,

 

Until a sample of a previously unseen file is actually studied, it is not possible to know if it is malicious or not.  In the meantime, the file is in the wild and if it is malicious, it will be infecting computers unhindered because AV programs have no way of knowing that the file is dangerous and should be blocked.  Reputation-based scanning, while it cannot provide a conclusive verdict on a file, can nevertheless protect you from something that looks suspicious enough to warrant intervention.  Viruses spread so quickly and morph so frequently now that waiting until a file can be proven to be a threat, and then writing and releasing a signature to detect it, is just not adequate protection anymore - by then it is too late.  As michaell says, files that are blocked as WS.Reputation.1 have enough characteristics of malware to warrant the blocking.  If the file were merely new or little used you would get a Norton Download Insight notice to advise you that little is known about the file - but the file itself would not be blocked.


FrequentC wrote:

@michaell

What are the other "Many Factors" that are used to make the determination? And why is that not spelled out in writing on the page that vaguely explains WS.Reputation.1 so your claim can be reviewed and disputed if found to be false rather than denied by "corporate" as a mistaken post by an uninformed employee? ( http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-051308-1854-99  )  

Also ... I don't know if you've made a false positive. "MAYBE" I did download a malicious file? But I would like to read the explanation as to why a file has been quarantined and have it say "We found Something" not "The file isn't popular with 10s of millions of users"


First, I am not denying anything here. We store reputation data on millions of files which fall into three categories: good files, bad files, and unknown. Bad files are files we know have caused problems on other users' computers but no virus definitions have been made for that file yet. So if it is detected on someone else's computer it is flagged and quarantined for your protection. These files are marked as such because the behaviors they exhibit are associated with malware. We do not do this automatically for unknown files, or files that only a few people have. Sometimes there are false positives. If you want assurance you can file a dispute via the link I provided. If you give me the tracking number I can follow up with you and we can tell you 100% if the file in question was a virus or not.