How to bypass Symantec's WS.Reputation.1 System

Martin Brinkmann
Jun 25, 2012
Updated • Jun 25, 2012

Every year, companies like Symantec or Kaspersky refresh their security lineup, usually by adding a number of new features to the products and changing the year at the end of the product name. One of Symantec's recent additions to its Norton consumer security product line is a reputation engine. This is basically a cloud-based system that uses information from all Symantec programs to determine the reputation of a file or program on a computer system.

The idea here is that programs are likely safe if they are used by a large percentage of users, and that programs that are not widely used are more likely to be unsafe to run on the system. The problem with this approach is that Symantec can quarantine files even if the program's own scanner did not detect malicious code in them. The system has been designed to block unclassified malicious software from running on the system.

What is happening, though, is something completely different. Independent software developers like Andreas Löw began to notice that their programs were automatically classified as WS.Reputation.1 files due to their low reputation score. If that was not bad enough, Norton products automatically delete files classified as such and move them to the quarantine of the program.
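A simplified model of the prevalence-based scoring described above, added here as an illustration; it is not Symantec's algorithm or code from the article. Keying reputation on the file's SHA-256, the 50-user threshold and the sample file contents are assumptions constructed for the example.

```python
import hashlib

MIN_USERS = 50  # assumed threshold for this toy model, not a Symantec value


class ReputationModel:
    """Toy prevalence-based reputation store keyed by file SHA-256 (assumption)."""

    def __init__(self, min_users=MIN_USERS):
        self.min_users = min_users
        self.seen_by = {}  # sha256 hex digest -> set of user ids that reported it

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def report(self, data: bytes, user_id: int) -> None:
        self.seen_by.setdefault(self.digest(data), set()).add(user_id)

    def prevalence(self, data: bytes) -> int:
        return len(self.seen_by.get(self.digest(data), ()))

    def verdict(self, data: bytes, scanner_hit: bool) -> str:
        if scanner_hit:
            return "malware"         # a real detection always wins
        if self.prevalence(data) >= self.min_users:
            return "trusted"
        return "low-reputation"      # clean scan, but too few users so far


def users_flagged_before_trusted(model, data, user_ids):
    """Count users who get a low-reputation verdict on a clean file."""
    flagged = 0
    for uid in user_ids:
        if model.verdict(data, scanner_hit=False) == "low-reputation":
            flagged += 1
        model.report(data, uid)      # each download still feeds the score
    return flagged


def simulate():
    model = ReputationModel()
    # Constructed sample contents standing in for real binaries.
    popular = b"constructed sample: widely used installer"
    indie_v1 = b"constructed sample: indie tool, build 1"
    indie_v2 = b"constructed sample: indie tool, build 2"
    for uid in range(500):
        model.report(popular, uid)
    flagged = users_flagged_before_trusted(model, indie_v1, range(200))
    return {
        "popular": model.verdict(popular, scanner_hit=False),
        "indie_v1": model.verdict(indie_v1, scanner_hit=False),
        # A new build has a new hash, so its prevalence starts at zero again.
        "indie_v2": model.verdict(indie_v2, scanner_hit=False),
        "indie_v1_users_flagged": flagged,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

In this model every clean build is flagged for its first 50 users, and each new release starts that count over.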

Symantec notes:

WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

[Screenshot: File Insight WS.Reputation.1]

The main problem from a developer perspective is that the system may negatively impact their business. Users may think that the software distributed by a particular developer includes malware, and even if they do not think that, they may decide not to install the program as it may not be worth the potential trouble.

Developers may also feel the impact of the system more directly. They may receive additional support requests to resolve the issue, and may be forced to communicate with Symantec to get the issue resolved and their programs whitelisted.

Bypassing WS.Reputation.1

If you have Norton security products installed on your system, you may have seen a notification like the one in the screenshot above. It basically notifies you that the file has been classified as WS.Reputation.1 by Norton and that it has been removed as a consequence.

So how do you get the file back at this stage? You need to click on the options button in the window which leads to the following program window.

[Screenshot: threat detected]

Here you need to click on the restore button to move the file out of quarantine to the system.

[Screenshot: quarantine restore]

If you do not want to make use of the system at all, you can disable it in the following way:

  • Open the main Norton interface and click on the advanced link there
  • Locate Download Intelligence and switch it to off

[Screenshot: download intelligence]

You can turn off the feature for a limited amount of time or permanently.

Closing Words

The core idea of Symantec's reputation engine makes a lot of sense, but the implementation is flawed as it generates too many false positives when running. Instead of having WS.Reputation.1 files moved to the quarantine automatically, users should see a notification that gives them the power to either do that, or keep the file on the system.

Are you a Norton user who came into contact with the software's reputation-based ratings? Or have you noticed similar behavior in other security software?


Comments

  1. Errol said on February 24, 2018 at 1:16 am

    This app is currently flagged as such:

    https://www.nirsoft.net/utils/mozilla_history_view.html

  2. Forrest Salfen said on January 31, 2018 at 5:52 pm

    My IT career began way back before Peter Norton released anything. As time moved forward, Norton, then Symantec, rapidly became increasingly arrogant and insensitive to ALL computer users, not just developers. They would buy small companies for pennies that had developed useful applications, and then quickly turn those apps into very expensive BLOATWARE, screwing unknowing customers. Symantec’s acquisitions of Binary Research (Ghost) and PowerQuest (Drive Image) are still vivid in my mind. Decades ago I began a fight with the all-arrogant Symantec by not using any of their products in the corporate IT department I managed, as well as steering 99% of our clients away from anything Symantec.
    PETER NORTON & SYMANTEC SUCK BIG TIME!!

  3. Dean said on December 1, 2017 at 11:25 am

    What kind of conviction is there to be unwise in restoring the product back into the system and jeopardizing the system altogether??

    Can anyone prove that WS.Reputation.1 is not in fact a potential security risk??

  4. nobody said on June 3, 2017 at 4:17 am

    I will never use Norton again because of this, wasted $50. Immediately uninstalled when some of my Steam games by indie developers started being quarantined for no reason. This is a shit implementation of how to deal with unknown viruses.

  5. Sei said on January 17, 2016 at 2:56 am

    You’re a lifesaver! Thanks so much! Now I can use AVS!

  6. denis lacroix said on April 13, 2015 at 8:23 pm

    … it's a big problem because people think we have a virus in our software … that's not true

    people think it's an antivirus and think immediately of it … but if you read correctly it's reputation or unknown origin that causes that

    when people call support, at first I try to explain and I call Norton because it's their problem, not mine … so it's hard to explain to Norton or they don't want to understand ….

    so now when people call … I say it's a bad antivirus and they need to remove it and I give a free antivirus link … and fix the problem forever

    I have removed over 1000 Norton installs to date … they don't want to fix the problem …. the solution is to remove Norton …

    it was the first best antivirus before and now they are so arrogant … the only option is to kick it

    signed, a tech that has had enough of this Norton

  7. kennys said on March 24, 2015 at 12:03 am

    Hello, I downloaded auto article submitter, but didn't get the key

  8. Andy said on November 8, 2014 at 7:26 pm

    Thanks for this info on how to bypass this junk. I’m stuck with a work-supplied computer so I can’t uninstall Norton for a decent anti-malware package. I remember WAY back in my Usenet days I used to joke that one day anti-virus applications would get so aggressive they’d treat files as “guilty until proven innocent” point and we wouldn’t be able to install anything we downloaded. I guess it’s not a joke anymore.

  9. xmaopx said on June 22, 2014 at 9:02 pm

    Thanks so much. I was struggling with installing a patch program, and it finally worked.

  10. Per said on May 11, 2014 at 7:49 pm

    I just had the same experience with Norton 360 about Internet Download Manager.
    Before I installed the software, it was scanned for infections, but no threats were detected.
    2 days after install of IDM, Norton 360 identified the IDMan.exe file with WS.Reputation.1 and just showed the file in the quarantine.
    Strange actually, considering that IDM is one of the internet's most used download engines, but obviously not among Norton users, since I experienced this.

  11. Mark said on May 7, 2014 at 3:14 pm

    Before this was just an annoyance and files that had been removed could be restored and excluded from future scans through quarantine easily enough, but now download “intelligence” (an oxymoron if ever there was one) can delete things identified with WS.Reputation.1 PERMANENTLY, bypassing quarantine and giving you no choice but to re-download the file all over again! What an utterly ridiculous way for security software to behave, permanently deleting files without any prompt that it doesn’t even identify as legitimate threats. NIS is a great product, but it’s “features” like this that drive customers away.

  12. Spongebob said on May 3, 2014 at 6:33 pm

    Thank you so much! :D
    This “ws.reputation.1” was about to make me rip all my hair out. >_<

  13. Rachel said on April 28, 2014 at 7:55 pm

    Nice article, thank you. I have the 21.0.2.38 version of Norton antivirus and this silly behavior has been driving me insane. I’m a SQL developer working in conjunction with ASP.NET developers. Every time there is a new test build to download, !)(*#^@$! Norton quarantines the thing claiming it is unsafe. Maddening. It wastes my time having to go restore the file every single time (and no, telling it not to check the file doesn’t work because it is a ‘different version’ every time). Same problem with our live apps! This makes us look bad to our clients. Just because there is a recent version of a file/app does not make that file unsafe.

  14. Rod said on April 1, 2014 at 2:04 pm

    FYI for those NOT in the know.
    You can scan any file by uploading it to http://www.virustotal.com and it’ll be scanned by most all significant AV vendors.

  15. Anna said on December 24, 2013 at 2:54 pm

    As a developer, if this is reported as an issue, you can ask Symantec to review your files in order to see if they are a candidate for white listing. More info here -> https://submit.symantec.com/whitelist/

    Hope it helps.

    1. shaun said on February 12, 2014 at 5:50 am

      No, it doesn’t help… it shouldn’t ever happen in the first place and they should be sued for all the damages they cause other businesses BIG OR SMALL.

      I shouldn’t have to ask Symantec to review my files before they try to drive my name in the dirt.

      IT’S CALLED SLANDER AND IS ILLEGAL at least in the United States.

      1. HW said on May 24, 2016 at 2:41 am

        Goodbye M$ + In + Sym without TTy

      2. Deepak said on February 18, 2014 at 4:22 pm

        You are acting like an angry person over Symantec products.

    2. LM said on January 7, 2014 at 4:52 am

      So in other words you create a program then you have to ask Symantec for permission to distribute that product. Because if you don’t, no one who uses Norton will be able to use it. Therefore the reputation will NEVER go up. (Oh please Symantec let me distribute the software that I created.) Just let it run a normal scan to see if it’s safe.

  16. AN said on April 11, 2013 at 7:54 am

    There is an irony here – I spent another $ 500 for the renewal of Symantec digital signature for my product. They mistakenly make my product WS.Reputation.1. Ruining my sales. Next year I will be unable to renew my digital certificate. Symantec lost my $ 500

  17. marli said on February 17, 2013 at 2:58 pm

    So let me get this right, the first few people who try to download a file or program can’t. Then after so many have tried, it gets “rep’ed up” and other people shouldn’t get blocked.
    So Norton are punishing those that are providing their rep engine with the most relevant data.

  18. Alex said on January 28, 2013 at 4:26 pm

    I am using NIS 2012 and no problem and I like it. I don’t think it slows down the PC. It uses less system resources than any other reputed IS. And if you know that a program is safe, then you can move it back to your system from the quarantine state. It’s easy. Talking about Avast: I downloaded some drivers for Lenovo and when I put them on a PC with Avast, 4 out of 9 were just moved somewhere called chest. In Norton, it asked me before taking further steps. So, I didn’t delete it, as I was in need of it. After installing, I scanned and no virus was detected on my PC, which has the NIS 2012 version. So, I love Norton and all Symantec products. I am using almost all Symantec products and never had any problem at all. My PC has an Intel Pentium dual core 2 GHz and 2 GB RAM and Win 7 64.

    Besides, your new program might be safe, but can you guarantee that all newly developed programs which have fewer users are safe? So, this feature is OK, according to me, as it doesn’t completely remove any program from your system. If you trust it, get it back.

    Thanks

    1. shaun said on February 12, 2014 at 5:48 am

      OK now imagine you’re a CORPORATION with 1000+ computers and 1000+ quarantined files across multiple operating systems… (yes, corporations do in-house programming to fit their needs)

      VERY BAD DESIGN

      Norton will never get away from its resource hogging reputation, neither will McAfee, end of story. Norton and McAfee throw up way too many false positives for me.

      1. Wind10 said on November 18, 2014 at 4:30 am

        Which “design” are you talking about? I’m not sure how much of a resource hog it is, but the design of a usage-generated ranking is actually a great idea for a general computer user. Albeit Symantec definitely needs to improve it greatly, such as taking into account websites where the file is hosted and giving clearer details about the product while using less misleading labels. Again, I really like the concept, it just needs to be implemented correctly. It may be better to use this feature in open-source/free antivirus as this software is used by a much greater number and variety of users.

  19. GHACKER said on October 17, 2012 at 12:48 am

    This is a Law-Suit waiting to happen; I mean they even use the word “reputation”; i.e. they are maligning the reputation of commercial products, provably causing material loss to said companies. AND the fact that they use the term “reputation” so explicitly will make it very hard for them to deny the issue in front of a judge. Also I disagree with the blogger that this approach makes sense but the implementation is flawed; the whole concept is wrong, period.

    Any developer of a brand new product or utility would be damaged by this idiotic, indiscriminate “popularity” based mechanism; further damaging innovation and new ideas. This is the kind of idea a high-school level marketing bimbo would come up with.

    Symantec’s products are resource hogs and indicative of a very sick, bloated and incompetent management structure.

  20. David said on September 12, 2012 at 6:24 pm

    I also had the same problem: whenever I installed new software I got the WS.Reputation.1 and I thought it would contain some virus, but that is not actually the case, so thanks for the clarification.

  21. jimmy said on August 24, 2012 at 1:04 am

    I ditched Symantec and tried free antivirus such as Comodo, Avast, Zenok and ended up with Microsoft Security Essentials.
    No more false positives ;)

  22. Mike Gledhill said on August 14, 2012 at 4:53 pm

    You CAN turn off this feature.

    In the horrible Corporate version of the software, it’s under Status \ “Virus and Spyware Protection” \ Options, then “Change Settings” and turn off all the rubbish in the Download Insight settings.

    In our company, we found that it was blocking our employees from installing in-house Excel Addin installations (.exe files) even though they were code-signed and on our intranet, and we had “Automatically trust any file downloaded from an intranet website” ticked.

    The worst part is that it just blocks the files – no warning or error is displayed, and the user is left wondering if they really did click on the download link.

    That’s just nasty software design.

  23. Raj said on August 14, 2012 at 10:48 am

    Nice post, but this is only useful to actual users and not very much to software developers. Can you guys please add how software developers can save themselves with this flagging?

  24. onlymy2cents said on August 3, 2012 at 8:48 pm

    Older versions of Norton, I hated, until the 2010 product line came out. I love it. I refuse to disable any functions on it because with teenagers in the house you can’t disable anything that has to do with downloads — you are asking for immediate problems to do so. I do say if you know with certainty the program is a false positive, then temporarily turn off the option as noted above, or restore the file (your choice) and use it. Don’t just turn off your protection or delete your Norton if you like the program — I love the New Norton line and haven’t been infected since I began using it. I have used everything else prior to switching back to Norton in 2010 and nothing has gotten in (in conjunction with using my router to block out known sites that my kids download viruses from).

  25. Luis Perez said on July 5, 2012 at 5:24 pm

    I am a programmer, I say to my clients “Please Uninstall Norton”. I know my programs and they are 100% not a virus, and Norton automatically sends all program updates to the trash, without a message. This is an error! Sorry Norton, your system is going to the trash too

  26. Barry Barcrest said on July 5, 2012 at 4:50 pm

    One of my users has just mentioned this to me after downloading the latest version of E-Touch Jukebox that I develop. A search revealed this page, I was unaware what was going on. I did tell them that it passes a scan with Symantec Endpoint and McAfee but I don’t think they were convinced.

    This could become an issue for me down the line with users asking for refunds :(

  27. Ron said on June 28, 2012 at 7:46 am

    NIS Version 19.7.1.5 solves almost all of the problems which Sid (above) points to. NirSoft’s Utilities are infrequently quarantined with this version and, when they are quarantined, it is straightforward to restore the file and exclude it from being quarantined in the future. This is a greatly improved product.

  28. berttie said on June 25, 2012 at 11:57 pm

    @ Sid,

    Symantec might begin to see it as its problem if a smart lawyer organized a class action. The headlines would hurt more than the money.

  29. Wayfarer said on June 25, 2012 at 9:30 pm

    One more reason to stay away from Norton – on a succession of PCs I always found it caused me far more trouble than it was worth.

  30. mary said on June 25, 2012 at 2:38 pm

    It’s been brought to my attention following information I gathered that it is an idealistic and psychological game initiated by companies to divert consumers’ perception of a product as it is branded new yet old. This article is quite idealistic and I concur.

  31. Sid said on June 25, 2012 at 11:48 am

    I found this system in late 2010 actually, in their 2011 product line. It is mighty annoying & every time I set up any Norton product, one of the first things I do is exclude locations & folders with such software from their auto-protect, sonar, et al protection systems.
    It’s the only remedy, as first, Norton is the only product which runs without slowing down my Vista system – I am unable to use anything else!
    Second, it’s arrogance of such big companies. They simply refuse to acknowledge such issues & expect the devs and companies developing such software to contact them as it’s not Symantec’s problem!!

    Like, I always face problems with Nirsoft’s tools & Norton antivirus. Many of Nirsoft’s programs are detected falsely as viruses and Trojans, and not just WS.Reputation.1. There is no help in forums & more than the employees of Symantec, the several high-profile users with a lot of rep (read fawners) will point out enthusiastically, how this is not Symantec’s issue.
    You’re correct in pointing this out & let’s hope attention from bloggers like yourself can rouse Symantec to fix this long flawed system.
