Norton File Insight marking installer as a threat - antivirus

Norton Antivirus is marking an installer of mine, foobar_revision_1922.exe, improperly as a threat because it has Very Few Users (less than 5 in the Norton Community, WS.Reputation.1) and places the file in quarantine. Has anyone encountered this situation?
What is the best way to prevent Norton from flipping out?
This seems tedious and a Catch-22.
For future releases, such as foobar_revision_2116.exe, I would need to have five trusted users of the new version to pass quarantine.
If I rename all releases to a common filename foobar_installer.exe then this removes the useful version information, and I imagine that the filesize is stored by Norton and this would fail anyway.
Suggestions?
Thanks.
Edit:
I have found the answer after a little more searching - https://submit.symantec.com/whitelist/. Symantec has a whitelist program
Edit 2:
Norton offers Apple-like response times:
We have received your recent request to Symantec's Software White-list Request program. Complete requests with all necessary information will be processed immediately. Once a determination has been made regarding your request you will be notified via e-mail as to the decision made and the next steps, if any. For a Software White-list request, Symantec will target a response of advising you of our final determination within 3 weeks. This timeframe is subject to Symantec being supplied with all the necessary information to allow for a proper determination. Requests of incomplete information may result in a delay of the final determination. Any request for additional information regarding your submission will be sent to the contact email address you provided at the time of submission.

I had a similar problem: Norton File Insight flagging my posted MSI as a possible threat. I did the white-list application and it was approved fairly quickly (I believe within a day or two). It was probably approved quickly because it was digitally signed allowing the Norton team to confirm the file quickly.
But Norton File Insight, like IE9's new SmartScreen Filter, is not very friendly to small software developers. Norton File Insight just does not recognize that my MSI is digitally signed with a certificate from a trusted certificate authority. AND, I lost my white-listed status as soon as I posted an update to the MSI. I post updates probably 20 times a week so I think Norton File Insight will keep giving my customers grief.
And of course it is perpetually stuck on Very Few Users have downloaded this.
So the solution is to keep petitioning Symantec to get its act together and to keep filing White-List requests. Hardly ideal.

Related

Random email addresses being signed up to my website

Over the past few months random email addresses, some of which are on known spam lists, have been added at the rate of 2 or 3 a day to my website.
I know they aren't real humans - for a start the website is in a very narrow geographical area, and many of these emails are clearly from a different country, others are info# addresses that appear to have been harvested from a website, rather than something a human would use to sign up to a site.
What I can't work out is, what are reasons for somebody doing this? I can't see any benefit to an external party beyond being vaguely destructive. (I don't want to link to the site here, it's just a textbox where you enter email and press join).
These emails are never verified - my question isn't about how to prevent this, but what are some valid reasons why somebody might do this. I think it's important to understand why malicious users do what they do.
This is probably a list bombing attack, which is definitely not valid. The only valid use I can think of is for security research, and that's a corner case.
List bomb
I suspect this is part of a list bombing attack, which is when somebody uses a tool or service to maliciously sign up a victim for as much junk email as possible. I work in anti-spam and have seen victims' perspectives on this: it's nearly all opt-in verifications, meaning the damage is only one per service. It sounds like you're in the Confirmed Opt-In (COI) camp, so congratulations, it could be worse.
We don't have good solutions for list bombing. There are too many problems to entertain a global database of hashed emails that have recently opted into lists (so list maintainers could look up an address, conclude it's being bombed, and refuse to invite). A global database of hashed emails opting out of bulk mail (like the US Do Not Call list or the now-defunct Blue Frog's Do Not Intrude registry but without the controversial DDoS-the-spammers portion) could theoretically work in this capacity, though there'd still be a lot of hurdles to clear.
At the moment, the best thing you can do is to rate-limit (which this attacker is savvy enough to avoid) and use captchas. You can measure your success based on the click rate of the links in your COI emails; if it's still low, you still have a problem.
In your particular case, asking the user to identify a region via drop-down, with no default, may give you an easy way to reject subscriptions or trigger more complex captchas.
If you're interested in a more research-driven approach, you could try to fingerprint the subscription requests and see if you can identify the tool (if it's client-run, and I believe most are) or the service (if it's cloud-run, in which case you can hopefully just blacklist a few CIDR ranges instead). Pay attention to requesters' HTTP headers, especially the referer. Browser fingerprinting is its own arms race; take a gander at the EFF's Panopticlick or Brian Krebs's piece on AntiDetect.
Security research
The only valid case I can consider, whose validity is debatable, is that of security research (which is my field). When I'm given a possible phishing link, I'm going to anonymize it. This means I'll enter fake data rather than reveal my source. I'd never intentionally go after a subscription mechanism (at least with an email I don't control), but I suppose automation could accidentally stumble into such a thing.
You can avoid that by requiring POST requests to subscribe. No (well-designed) subscription mechanism should accept GET requests or action links without parameters (though there are plenty that do). No (well-designed) web crawler, for search or archiving or security, should generate POST requests, at least without several controls to ensure it's acceptable (such as already concluding that it's a bad actor's site). I'm going to be generous and not call out any security vendors that I know do this.
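The answer above suggests two concrete checks on subscription traffic: reject anything that is not a POST, and fingerprint requests (referer, source address ranges, burst rate) to spot a list-bombing tool. The script below is an added example, not code from the original post, that runs those checks over a handful of constructed access-log lines in Apache combined format; the /join path, the log contents and the thresholds (3 requests from one /24 within 60 seconds) are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic) for a hypothetical /join endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "POST /join HTTP/1.1" 200 512 "https://example.org/" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "POST /join HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.8 - - [10/Oct/2023:13:55:04 +0000] "POST /join HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:55:05 +0000] "GET /join?email=victim@example.net HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.11 - - [10/Oct/2023:14:02:17 +0000] "POST /join HTTP/1.1" 200 512 "https://example.org/" "Mozilla/5.0 (Macintosh) Safari/605.1"
"""


def parse(log: str):
    """Yield one dict per parseable log line."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def per_request_findings(reqs):
    """Flag individual subscribe requests that a browser form would not produce."""
    findings = []
    for r in reqs:
        reasons = []
        if r["method"] != "POST":          # a well-designed subscribe endpoint is POST-only
            reasons.append("non-POST subscribe")
        if r["referer"] in ("", "-"):      # real form submissions carry the page as referer
            reasons.append("no referer")
        if reasons:
            findings.append((r["ip"], reasons))
    return findings


def bursty_blocks(reqs, burst=3, window_s=60):
    """Return /24 blocks that sent `burst` subscribe requests within `window_s` seconds."""
    by_block = defaultdict(list)
    for r in reqs:
        block = str(ip_network(r["ip"] + "/24", strict=False))
        by_block[block].append(datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    out = {}
    for block, times in by_block.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            if (times[i + burst - 1] - times[i]).total_seconds() <= window_s:
                out[block] = len(times)   # candidate CIDR to rate-limit or block
                break
    return out


def triage_signups(log: str, path: str = "/join"):
    """Combine both checks for requests hitting the subscribe path (query string ignored)."""
    reqs = [r for r in parse(log) if r["path"].split("?")[0] == path]
    return per_request_findings(reqs), bursty_blocks(reqs)


if __name__ == "__main__":
    findings, bursts = triage_signups(SAMPLE_LOG)
    for ip, reasons in findings:
        print(ip, ", ".join(reasons))
    for block, n in bursts.items():
        print(f"burst from {block}: {n} requests")
```

On the constructed sample the three python-requests hits share a /24 and land within two seconds, and one of them subscribes via GET, which is the case the answer says should be refused outright; the two browser submissions with a referer and a few minutes apart are left alone. In production you would feed real log lines in and tune the burst window to your normal signup rate.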

Are there any advantages in signing an application?

I looked recently into signing my application. The price is AT LEAST one hundred euros/dollars per year for EV (anything less than EV seems pointless anyway).
My application uses a basic installer (self-extracting WinRar) that requires no admin password. But the drawback of this is that I cannot install the app in Program Files.
The actual problem here is that you will find lots of resources that tell you how to sign your app but not so many (at all) that tell you if there is any real advantage. For example: do regular PC users care when they install an app and Windows shows "Publisher: unknown", or do they just quickly hit the OK button to have the installation process done as soon as possible?
Honestly, I don't think that the user reads or cares about "unknown". What might stop him is actually the yellow color (instead of blue).
So, my question for those that already did code signing for their apps is: have you seen an improvement (downloads, installations, sales) after signing your app?
Should I invest any time/money/energy in this?
Update: It seems that having the app signed is not enough. After that, you have to keep fighting to improve your reputation factor, otherwise, Microsoft SmartScreen might pop-up: https://mkaz.blog/code/code-signing-a-windows-application/
For those interested in prices (and a few extra tips), here are a few random offers sorted by price: Signing a Windows EXE file. I will also post the documents required:
The documents required (by Sectigo, in my case) for obtaining an OVL are:
company's registration certificate
a photo of you holding your ID close to your face
a phone landline so they can call you for verification (it was actually a robot calling you to give you a number, which you then have to enter into the browser).
The whole verification process (especially the phone part) took like 2 months because they involved some kind of automatic calling that did not work on my line/phone.
I will post soon the number of downloads necessary to get reputation for your newly signed exe file. At this point, I can tell you that 1000 downloads are not enough.

How to stop antivirus false positives every time we re-release software?

Windows Defender and AVG/Avast pick up our software application as a virus/false positive every time we release. We have a code signing certificate and add a taggant as well.
Every time we release the software we have to go through the process of doing a false positive form on multiple AV vendors sites.
How can we get our company code signing cert marked as safe or avoid this time consuming false positive report process on each release?
Edit: Is there any premiere support we can pay for to have this done automatically?
Edit2: we actually had our certificate revoked due to "malware distribution" as a result of these false positives. It seems there is no recourse other than to buy another one.
A signing cert doesn't help most of the time; it's probably a coding pattern which is similar to a virus listed in their database. The best you can do is contact the AV vendor to whitelist you to get past that.
My recommendation is to contact the AV vendors and tell them your problem. Probably your software has some strings or patterns defined that potentially trigger the heuristics of the AV. You can try to find those strings easily in your code base and base64/xor/encrypt them and see what happens with the AV; that may help to solve your problem.
While it is certainly possible that your software shares some characteristics with known malware, I would guess that it is a "cloud" detection.
Cutting through the marketing speak, it basically means that (among other possible causes) your file is flagged as suspicious if it has not been seen on many other PCs.
Try removing anything that could activate antivirus flags, like self-extracting, UPX, file encryption, suspicious website requests, or suspicious behaviour.
Why to remove these?
self-extracting is triggered because it's a suspicious behaviour (not really normal to do)
UPX is detected because some malware tries to hide by being compressed with UPX, so antiviruses need to decompress it.
File encryption may easily be detected as Riskware / EncoderTool / Ransomware
Suspicious websites: avoid downloading files from strange URLs.
I had this problem with a program auto-update, an antivirus detected it as a TrojanDownloader.
If your program doesn't do any of these things, I can't help you more, as that is a problem that the programmer community has.
I hope that helps.
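The answers above point at two things a developer can inspect in the built binary before submitting another false-positive report: packer artefacts such as UPX (visible as section names in the PE section table) and embedded URLs the installer contacts. The script below is an added example, not code from the original thread or any AV vendor's tooling. It parses just enough of the PE header to list section names, greps the file for URLs, and, so that it runs offline, constructs a minimal non-executable PE image inline as sample input; the section and packer names it checks beyond UPX are well-known packer defaults, and the sample URL is made up.

```python
import re
import struct

# Section names that common packers/protectors leave behind; UPX is the one the
# answers above mention, the rest are other well-known packer defaults.
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                   ".vmp0", ".vmp1", ".themida"}

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def pe_section_names(data: bytes) -> list:
    """Read section names from a PE image (DOS header -> PE signature -> COFF -> section table)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]       # 40-byte IMAGE_SECTION_HEADER
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def packer_hints(section_names) -> list:
    """Section names that indicate the binary was packed (a common heuristic trigger)."""
    return [n for n in section_names
            if n in PACKER_SECTIONS or n.upper().startswith("UPX")]


def embedded_urls(data: bytes) -> list:
    """Plain-text URLs in the file, e.g. update or download endpoints the AV may sandbox."""
    return sorted({m.decode("ascii", "replace") for m in URL_RE.findall(data)})


def triage(data: bytes) -> dict:
    sections = pe_section_names(data)
    return {"sections": sections,
            "packer_hints": packer_hints(sections),
            "urls": embedded_urls(data)}


def build_sample_pe(section_names, payload: bytes) -> bytes:
    """Construct a minimal, non-runnable PE image for demonstration only (no optional header)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + payload


if __name__ == "__main__":
    # Constructed sample: a UPX-packed layout carrying an (invented) update URL.
    sample = build_sample_pe(["UPX0", "UPX1", ".rsrc"],
                             b"\0update at http://updates.example.com/foobar/latest.exe\0")
    print(triage(sample))
```

To check a real build, read the installer with `open(path, "rb").read()` and pass it to `triage`; an empty `packer_hints` list and only expected URLs in `urls` means those two triggers, at least, are not what the heuristics are reacting to.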

Bittorrent sync approval process not working properly

I created a link to share a folder, deselecting the option that peers I invite must be approved on this device.
The other person used the link, and received a message that the "Sender needs to approve access to this folder based on these identity details".
My bittorrent sync window isn't showing me anything to indicate that someone is waiting on approval. I've never shared a folder via a link before (always just used keys directly on previous versions), so I have no idea how the program is supposed to prompt me for approval, and I can't find any documentation indicating how this prompt would be provided.
So there seem to be two problems here:
1. Even though I said the link doesn't require approval, they are being told that it does.
2. I don't have any way to approve it.
What's going on here? How do I fix this?
Thanks.
The most common cause of this is one of the systems having its clock too far out of sync; usually resetting your computer's time using an online time server resolves it.

Open links from newly received emails automatically

Is there a program or script or anything that will make my email client/webmail open webpage links from newly received emails automatically?
If someone knows of or can make an add-on for Thunderbird or make this work I don't mind paying. I just need links that are in emails I receive to be automatically opened in default internet browser tabs.
All I can say is I very very much doubt it. If there ever was one created it would most probably be removed by most download source providers as there is a fairly huge security risk there.
Additionally, aside from the security factor you have a simple load factor to account for. I regularly make newsletters for clients, each with a link to a text version, an online version, a link for the logo and so forth... So if you did have such a plugin you would also open these links, which seems crazy. Additionally, remember the Unsubscribe link in emails: on some you are asked to confirm, on others you click (/open) and you're taken off. Which would be very undesired.
I do understand you probably have a reason X for doing this, like because it's an in-house email system which creates reports and it does this and does that etc. I think most people here do understand there are sometimes very odd usage cases for things, but I don't think anyone will be able to assist you here, sorry!