Category Archives: Security

Overzealous malware hunter: Norton Internet Security 2010

I‘m a happy user of Norton Internet Security 2010 (referrred to as NIS 2010 henceforth). I have never been infected with any nasties primarily due to a combo of taking common-sense precautions (like not downloading “free ringtones”, “sexy videos” or any “codecs” to view said sexy videos), being aware of my internet surroundings and having NIS take care of things when I’m lax. However, NIS 2010 has issues that I need to vent about.

NIS 2010 has this nifty feature called Insight Network Scan where Norton consults its community/database on a file it’s not sure about. By default, it appears that if a file has been used by less than 10 users (not sure how they can definitively say this because they may be counting only systems with Norton Internet Security 2010 installed, who knows?), Norton classifies the file as a risk, specifically as WS.Reputation.1 or Reser.Reputation.1. Here are some specific and notable instances of Norton Insight ensnaring ‘innocent’ files:

  1. Wireshark x64 v. 1.2.6: On the 28th of January 2010, I downloaded the 64-bit version of Wireshark and I got alerted that the file was Suspicious and the risk it posed was called “Reser.Reputation.1”. After complaining on Norton’s Facebook page, some updates were pushed out and the “Reser.Reputation.1” classification was removed.
    wireshark.png
  2. FastPicture Viewer Codec Pack v. 2.1R3: On 26th of May 2010, I purchased this Codec Pack and downloaded the file. Norton complained and deleted the file after calling the risk “WS.Reputation.1”. This case was actually interesting because I contacted the developer via email to verify that their software hadn’t been somehow tampered with and I got a semi-humorous lecture about my use of internet security software. 🙂 They assured me their software was fine, provided me with VirusTotal links, etc. I also went ahead to notify & they instructed me on how to submit a false positive report.
    fastpicture-nortonissue-flattened.png
  3. Fraps (paid version) v. 3.2.3: On the 16th of June 2010, I learned of a new version of Fraps via Neowin and I went to download this latest copy. Norton deleted this file because it was *gasp* a risk, having been used by less than 10 people in the Norton “community”. This time, the Fraps file’s risk was termed “WS.Reputation.1”. I wasn’t even given the opportunity to whitelist the particular executable that I downloaded. Eventually, I had to temporarily pause Norton’s “antivirus protect” service just so I could download and install the file! As usual, I notified @NortonOnline and filed a false positive report.
    fraps.png

Now, up till now, my impression of the “xx.Reputation.1 risk” classification has been that it’s a minor disturbance. Everytime this happened with a file I cared about (Wireshark, Fraps, etc), I notified @NortonOnline (their official twitter account) and filled out a dispute form on their site. and I can certainly appreciate why this feature was put in place, but clearly the feature is becoming a little too trigger-happy. So far, the files that have been caught in this dragnet have been files I downloaded from the internet. However, today (06/27/2010), Norton Internet Security 2010 went too far.

I learned that Firefox 3.6.6 had been released via Twitter and I quickly went to upgrade my install of Firefox from 3.6.4 to 3.6.6. NIS 2010 didn’t complain about the upgrade and I got the standard post-install welcome page from Mozilla about the successful upgrade. Fast forwarding to about ~ 4.20pm (EST) today, I got a prompt from NIS 2010 that I had never seen before:
nortonprompt.png

I was surprised because I hadn’t even received notification of a suspicious file being found. So, I reviewed the “Recent History and found out that NIS 2010 had slapped the “WS.Reputation.1” tag on 3 .dll files in Mozilla Firefox‘s install folder on my C: drive (freebl3.dll, softokn3.dll and nssdbm3.dll). From the NIS 2010 interface when reviewing the history, it’s not readily apparent on how to “reverse” any decisions the Insight engine has made so I reluctantly restarted my computer.
ffdlls.png

Since restarting my computer at ~7.30pm (EST), Firefox refused to start and crashed every single time.
ffcrashes-06272010.png
I’m pretty sure it wasn’t happy that those 3 .dll files were deleted by NIS 2010. In fact, those files are pretty important to Firefox (duh). Anyway, after getting tired of having IE 8 as my default browser and feverishly updating NIS 2010 definitions, I reinstalled Firefox 3.6.6. and *knock on wood* it hasn’t mysteriously decided that certain dll files are suspicious.

*That* was a mouthful. I’m sure I’ll have more of these false positives before the month is over. I’d rather NIS 2010 err on the side of caution every time, but they’re running the risk of me/users getting used to temporarily turning off the software just to install stuff. The end. 😛

In an automated email to me, Norton recommended:

  1. Digitally signing your binaries.
  2. Submitting your software to their Whitelist program here: https://submit.symantec.com/whitelist/

norton-rec.png