Every year, companies like Symantec or Kaspersky refresh their security lineup, usually by adding a number of new features to the products and changing the year at the end of the product name. One of Symantec's recent additions to its Norton consumer security product line is a reputation engine. This is basically a cloud-based system that uses information from all Symantec programs to determine the reputation of a file or program on a computer system.
The idea here is that programs are likely safe if they are used by a large percentage of users, and that programs that are not widely used are more likely to be unsafe to run on the system. The problem with this approach is that Symantec can quarantine files even if the program's own scanner did not detect malicious code in them. The system has been designed to block unclassified malicious software from running on the system.
What is happening, though, is something completely different. Independent software developers like Andreas Löw began to notice that their programs were automatically classified as WS.Reputation.1 files due to their low reputation score. As if that was not bad enough, Norton products automatically delete files classified as such and move them to the program's quarantine.
WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.
File Insight WS.Reputation.1
The main problem from a developer perspective is that the system may negatively impact their business. Users may think that the software distributed by a particular developer includes malware, and even if they do not think that, they may decide not to install the program because it may not be worth the potential trouble.
Developers may also feel the impact of the system directly. They may receive additional support requests to resolve the issue, and may be forced to communicate with Symantec to get the issue resolved and their programs whitelisted.
If you have Norton security products installed on your system, you may have seen a notification like the one in the screenshot above. It basically notifies you that the file has been classified as WS.Reputation.1 by Norton and that it has been removed as a consequence.
So how do you get the file back at this stage? You need to click on the options button in the window, which leads to the following program window.
Here you need to click on the restore button to move the file out of quarantine and back to the system.
If you do not want to make use of the system at all, you can disable it in the following way:
- Open the main Norton interface and click on the advanced link there
- Locate Download Intelligence and switch it to off
You can turn off the feature for a limited amount of time or permanently.
The core idea of Symantec's reputation engine makes a lot of sense, but the implementation is flawed as it generates too many false positives. Instead of moving WS.Reputation.1 files to the quarantine automatically, Norton should show users a notification that gives them the power to either do that or keep the file on the system.
Are you a Norton user who came into contact with the software's reputation-based ratings? Or have you noticed similar behavior in other security software?
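The prevalence idea described at the top of the article and the notification-based alternative proposed here can be compared in a small model. This is an added example, not Symantec's code: the thresholds, field names and sample telemetry are assumptions made up for illustration, and the real scoring is not described in this article.

```python
from dataclasses import dataclass

# Assumed thresholds for this sketch only; not Symantec's real values.
MIN_MACHINES = 1000   # fewer distinct machines than this counts as low prevalence
MIN_AGE_DAYS = 30     # files first seen more recently than this count as new

@dataclass
class FileTelemetry:
    name: str
    machines: int          # distinct community machines reporting the file
    age_days: int          # days since the file was first seen anywhere
    scanner_detects: bool  # verdict of the product's own malware scanner

def low_reputation(f: FileTelemetry) -> bool:
    """Prevalence-only reputation: rare and new means low, regardless of content."""
    return f.machines < MIN_MACHINES and f.age_days < MIN_AGE_DAYS

def auto_quarantine_policy(f: FileTelemetry) -> str:
    """Behaviour the article describes: low reputation alone removes the file."""
    if f.scanner_detects or low_reputation(f):
        return "quarantine"
    return "allow"

def prompt_policy(f: FileTelemetry) -> str:
    """Alternative the article proposes: low reputation alone only asks the user."""
    if f.scanner_detects:
        return "quarantine"
    return "prompt" if low_reputation(f) else "allow"

# Constructed sample telemetry (not real data).
SAMPLES = [
    FileTelemetry("popular_browser_setup.exe", 2_500_000, 400, False),
    FileTelemetry("indie_tool_v1.2_setup.exe", 85, 3, False),
    FileTelemetry("known_trojan_dropper.exe", 40, 1, True),
    FileTelemetry("fresh_unclassified_malware.exe", 12, 0, False),
]

def compare(samples=SAMPLES):
    """Map each file name to its (auto-quarantine, prompt) decision pair."""
    return {f.name: (auto_quarantine_policy(f), prompt_policy(f)) for f in samples}

if __name__ == "__main__":
    for name, (auto, prompt) in compare().items():
        print(f"{name:34} auto={auto:10} prompt={prompt}")
```

In this model the clean indie installer and the unclassified malware both fall under the same thresholds, so a prevalence-only score cannot tell them apart; the two policies differ only in who makes the final call.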