Epic fail: Auto-deleting files based on their ‘reputation’

What do you do when a widely used antivirus product reports a false positive on your new, valid, signed, virus-free software download — and then goes ahead without asking and terminates it with extreme prejudice?

[ Now more than ever, you need InfoWorld’s interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. ]

Yesterday I posted this notice on my software company’s message board:

Several of our users have reported that today Norton Insight is flagging our patch files as possible threats with WS.Reputation.1. This is a false positive.

If you use Norton Insight, turn it off before downloading and installing our patches. Also please tell the Norton people that the files are fine.

Note: WS.Reputation.1 is almost meaningless.

See https://community.norton.com/t5/Norton-Internet-Security-Norton/Clarification-on-WS-Reputation-1-detection/td-p/232155

Excerpt:

WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

The reputation-based system uses “the wisdom of crowds” (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.

Now, I can sympathize with any scheme that helps to make users safer from malware. But “the wisdom of crowds” means absolutely nothing when applied to a fresh software patch.

Sheesh!

This article, “Epic fail: Auto-deleting files based on their ‘reputation’,” was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.