The Norton / Symantec WS.Reputation.1 False Positive

pictureSystem security – keeping your computer adequately defended against viruses, malware and other barbarians at the gate – is a complex and oftentimes bedeviling problem. Too little security will find you part of a botnet, or providing your credit card information to every hacker in Afghanistan. Too much security will make your computer excessively paranoid, to the point of your not getting anything useful done with it.

You can render your system wholly impervious to infection by software viruses by the simple expedient of switching it off and leaving it that way – but this is hardly a workable resolution to the issue for most of us.

If you use Norton Antivirus to defend your computer against the machinations of cybercretins, you may have encountered a particularly intractable issue upon installing new software or updates, such as the ones made available for our products. Norton might alert you to a threat it refers to as WS.Reputation.1 when you download the installers in question… and then delete or quarantine your downloads.

In fact, WS.Reputation.1 isn’t a virus. It’s not even a particularly tangible threat. It will, however, likely make you nervous and twitchy, and deny you access to a lot of downloadable products and updates thereto until you come to appreciate what it’s up to.

You’re Not Going to Believe This…

While Symantec isn’t entirely forthcoming as to the details of this feature of its security products, you can find a brief description of it at the Symantec web page. Norton appears to keep track of the frequency with which its users install downloadable products. As the number of users who download and install specific products increases, so too does the “reputation” of the installers in question.

When you attempt to download and install software with Norton Antivirus running, your downloaded installer will be compared against Norton’s reputation database. Installers without a sufficient “reputation” in this regard will cause Norton to display a warning – an example of which is illustrated at the beginning of this post – and remove your download before it can be installed.

A low reputation score in the eyes of Norton doesn’t indicate that there’s anything potentially nasty about downloaded software… only that it’s sufficiently new as to have been downloaded and installed by relatively few other users.

It’s important to keep in mind that Norton Antivirus isn’t actually looking at the contents of the software it surveys for its reputation check. It just generates a unique key value for each installer, and counts the number of times the same file is downloaded. As such, it doesn’t appear to know, for example, that our GIF Construction Set Professional software has been around since 1995. As far as it’s concerned, every update of GIF Construction Set is a new product, and on the day it’s released it has a reputation score of zero.

No Way Out

As of this writing, Symantec doesn’t appear to offer a workable avenue for software developers such as ourselves to prevent uncounted thousands of our users from being frightened by spurious WS.Reputation.1 alerts. Upon digging into the issue, we did find a form at the Symantec web site that allows the subjects of unwarranted WS.Reputation.1 alerts to apprise Symantec of their benign nature. However, in our experience it takes about a week for whoever’s reading the postings to this page to respond to them, during which time the installers in question will have attained a sufficient reputation score to shut down Norton’s WS.Reputation.1 alerts… after having agitated a great many of our users, and scared away lots of potential new customers, of course.

We invariably receive the following message in response to a submission to Symantec’s WS.Reputation.1 page:

The Symantec Insight Dispute team has reviewed your recent submission to the Insight Dispute Submission form Webpage form for "GIF Construction Set Professional 4." Our analysts have not been able to reproduce the issue your report. Our test show that the program you submitted has a good reputation. This could be because the status of this program changed automatically between the time you submitted and now.

We have concluded our research of your submission and will take no further action.

This is a somewhat vexing problem, and as far as we’ve been able to determine, one without a solution. It’s been vexing a lot of Norton’s users, too, as can be seen at the Norton support forum. This thread runs for miles, and gets progressively more incendiary as users of the Norton Antivirus learn what the WS.Reputation.1 alert represents, and why they’ve been made to jump through so many hoops over so questionable a threat.

There doesn’t appear to be a way to disable WS.Reputation.1 checking in Norton Antivirus.

We don’t use Norton Antivirus in house, and as such, we’re unable to provide specific assistance with its operation.

All the software that’s uploaded to our on-line servers is checked with AVG, which is widely regarded as the “gold standard” in virus-checkers. It’s also an extremely well-designed security application, in that it will permit itself to be configured to disable those of its options you feel are excessively paranoid.

If you encounter a WS.Reputation.1 alert when you attempt to download something from one of our servers, we recommend that you disable Norton Antivirus, and download the installer again to work around the problem.

Afterword: Shortly after the initial release of this posting, someone from Symantec contacted us, offering to assist us in resolving the WS.Reputation.1 issue. While this is still something of a work in progress, he offered the following advice for users of Norton Antivirus.

A couple of options are immediately available to any of our common customers who see the problem. The file is not deleted, but rather stored in quarantine. So the user can restore it from quarantine it. Insight will not attempt to remove it after that.

To avoid the issue on a download, the technology itself can be turned off. In the UI the technology is called Download Intelligence… knowing that that is the name of the technology, a user can from the main UI easily turn off Insight for the time needed to download a file.

Share this post:
  • Digg
  • del.icio.us
  • Google
  • StumbleUpon
  • Technorati
  • Reddit

Leave a comment

(Please note: Support issues can't be addressed here. If you have questions
or if you you need assistance with our software, please visit our support page.)