4coder » Forums » WS.Reputation.1 Consider digital signing of window's exe
godratio
Ray Garner
39 posts
#12442 WS.Reputation.1 Consider digital signing of window's exe
2 weeks ago

Hey my company uses Norton anti virus.

Your exe always gets flagged when I download it at the office computer.
Can you get your exe digitally signed so Norton will stop flagging it?

This is a slight distribution problem but would help me and anyone that is stuck with Norton and does not have control of the white list settings.

mmozeiko
Mārtiņš Možeiko
1404 posts
1 project
#12443 WS.Reputation.1 Consider digital signing of window's exe
2 weeks ago Edited by Mārtiņš Možeiko on July 11, 2017, 11:48 p.m.

It's not only a "distribution problem", but it will also require Allen to pay real money for a certificate every year. OS-trusted certificates are not free. I don't know what the price is now, but a few years ago it was in the range of 200-300$/y.

And not many people care about it. Exe file authenticity can be validated much more simply and for free - download from a trusted location (https), gpg signature, etc.

The ones who do care about Windows builtin mechanism to verify exe signatures - they should simply sign it themselves. You can easily buy certificate on your own, and then sign whatever exe you want :)
Croepha
David Butler
40 posts

I love pretty much anything technical, whether it be programming, networking, hacking or electronics.

#12444 WS.Reputation.1 Consider digital signing of window's exe
2 weeks ago Edited by David Butler on July 12, 2017, 4:35 a.m.

I wonder if a quick fix would be for Allen to distribute a password protected ZIP... that might be enough to keep Norton from catching it midstream... and the password could be anything... like "4coder_is_awesome" or something...

Maybe you could do a test sometime, just make a zip file with 4coder in it and set a password and try to download it from dropbox web url or something....

Btw, I have never used it, but people that I know that have used it complain about Norton Internet Security a lot... and historically its flaws have been exploited to attack users...

I'm assuming of course that it's the "downloading" part that you are having trouble with. If you are on a system that can only run whitelisted binaries, then I'm wondering, how are you running your own compiled code?


Segmentation fault
mmozeiko
Mārtiņš Možeiko
1404 posts
1 project
#12445 WS.Reputation.1 Consider digital signing of window's exe
2 weeks ago Edited by Mārtiņš Možeiko on July 12, 2017, 6:09 a.m.

Croepha:
I wonder if a quick fix would be for Allen to distribute a password protected ZIP... that might be enough to keep Norton from catching it midstream...

Then it will depend on the unzipping software that the user uses.
Explorer's builtin zip support will mark all extracted files as coming from the same "source" as the zip file. In this case the internet, so they will be untrusted.
If you use custom zip software like 7-Zip, then it will not do such a thing, and exe files will look like normal exe files without any "source" tags attached.

Croepha:
I'm assuming of course that it's the "downloading" part that you are having trouble with. If you are on a system that can only run whitelisted binaries, then I'm wondering, how are you running your own compiled code?

Windows has this concept of security zones (or whatever it is actually called, I'm not sure). If a file is downloaded from the internet, it is marked as coming from a not-so-secure zone, which can be checked by any other software. Compiler-created exe files come from the same local machine, so they are better trusted.
Telash
Mikael Johansson
38 posts
1 project
#12447 WS.Reputation.1 Consider digital signing of window's exe
2 weeks ago

Why not just rename the .exe to .ex (or whatever) and then zip that? That is how I send stuff through Gmail, which doesn't accept even zipped .exe files.
Then the receiver just renames it to .exe again.
godratio
Ray Garner
39 posts
#12448 WS.Reputation.1 Consider digital signing of window's exe
2 weeks ago Edited by Ray Garner on July 12, 2017, 10:22 a.m.

I will give some of these ideas a shot just for charms sake.

However, the problem comes when trying to execute the exe, not in downloading.

It's caught when I try to execute the exe from a mouse click or command line execution.

I turned the setting down as low as possible.

According to the Norton site it's only caught due to not having enough users on the Symantec network. So you can get it whitelisted from the WS.Reputation.1 by directly contacting Symantec, it seems.

https://www.symantec.com/security...eup.jsp?docid=2010-051308-1854-99

https://community.norton.com/en/f...ification-wsreputation1-detection

Per this info. These kinds of things make it harder to distribute and use other people's software.
mmozeiko
Mārtiņš Možeiko
1404 posts
1 project
#12449 WS.Reputation.1 Consider digital signing of window's exe
1 week, 6 days ago

Telash:
Why not just rename the .exe to .ex (or whatever) and then zip that?

Extension does not matter. Once browser downloads something (exe, txt, zip - doesn't matter) - it marks it as "insecure" file. You can rename as you want - this property won't change. You can manually remove it though.

godratio:
However, the problem comes when trying to execute the exe, not in downloading.
It's caught when I try to execute the exe from a mouse click or command line execution.

Of course. But how do you think Norton checks if an exe is not-so-secure or good? It checks that attribute that was assigned during download from the internet.

You can manually remove it. It is stored as an NTFS alternate stream. You can use streams.exe to view and delete them.
Basically do the following:
1) download exe/zip whatever from internet
2) examine NTFS alternate streams - you should see it has one
3) delete the stream
4) run the executable - Norton will not complain anymore, because it will think this is a local file that possibly you created (by compiler for example).
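
The attribute discussed in the post above can be inspected from PowerShell. This is an added example, not part of the original posts: `Get-DownloadMark` is a hypothetical helper name, the demo file and URL are constructed, and it assumes an NTFS volume, where the mark lives in a stream named `Zone.Identifier`.

```powershell
# Added example: inspect (not remove) the mark a browser leaves on a download.
# Get-DownloadMark is a hypothetical helper name; works on NTFS volumes only.
function Get-DownloadMark {
    param([Parameter(Mandatory)][string]$Path)

    # Standard URL security zone numbers used in the ZoneId field
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet';      4 = 'Restricted sites' }

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # -Stream * lists every stream; ':$DATA' is the ordinary file content
    $extra = @(Get-Item -LiteralPath $Path -Stream * |
               Where-Object { $_.Stream -ne ':$DATA' } |
               ForEach-Object { $_.Stream })

    $info = [ordered]@{
        File = $file.FullName; ExtraStreams = $extra
        ZoneId = $null; Zone = 'unmarked'; HostUrl = $null; ReferrerUrl = $null
    }

    if ($extra -contains 'Zone.Identifier') {
        # The stream is a small INI-style text: [ZoneTransfer] then key=value lines
        foreach ($line in Get-Content -LiteralPath $Path -Stream 'Zone.Identifier') {
            if ($line -match '^\s*(ZoneId|HostUrl|ReferrerUrl)\s*=\s*(.*)$') {
                $info[$Matches[1]] = $Matches[2].Trim()
            }
        }
        $id = 0
        if ([int]::TryParse([string]$info['ZoneId'], [ref]$id) -and $zoneNames.ContainsKey($id)) {
            $info['Zone'] = $zoneNames[$id]
        } else {
            $info['Zone'] = 'marked, zone not recognised'
        }
    }
    [pscustomobject]$info
}

# Constructed demo: create a scratch file and tag it the way a browser would
$demo = Join-Path $env:TEMP 'zone-demo.bin'
Set-Content -LiteralPath $demo -Value 'constructed sample content'
Set-Content -LiteralPath $demo -Stream 'Zone.Identifier' -Value @(
    '[ZoneTransfer]', 'ZoneId=3', 'HostUrl=https://downloads.example.invalid/tool.zip')
Get-DownloadMark -Path $demo | Format-List
Remove-Item -LiteralPath $demo
```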
godratio
Ray Garner
39 posts
#12454 WS.Reputation.1 Consider digital signing of window's exe
1 week, 6 days ago

mmozeiko:

You can manually remove it. It is stored as an NTFS alternate stream. You can use streams.exe to view and delete them.
Basically do the following:
1) download exe/zip whatever from internet
2) examine NTFS alternate streams - you should see it has one
3) delete the stream
4) run the executable - Norton will not complain anymore, because it will think this is a local file that possibly you created (by compiler for example).


I did all the above steps and that was my original intuition. I did not know about streams before; now I know. Was sure it was going to work....
But even after removing all the streams for all the folders in the 4coder directory, somehow Norton still flags it.
I wonder if Norton keeps an internal cache of all downloaded files.
mmozeiko
Mārtiņš Možeiko
1404 posts
1 project
#12455 WS.Reputation.1 Consider digital signing of window's exe
1 week, 6 days ago

Ok, then it seems they have changed/improved something... This for sure was working ~1y ago, when I tried it on my corporate Windows laptop.
Croepha
David Butler
40 posts

I love pretty much anything technical, whether it be programming, networking, hacking or electronics.

#12456 WS.Reputation.1 Consider digital signing of window's exe
1 week, 6 days ago

What happens if you just read the bytes from the EXE and write them to a new file?


Segmentation fault
Mr4thDimention
Allen Webster
253 posts
2 projects

Heyo

#12457 WS.Reputation.1 Consider digital signing of window's exe
1 week, 5 days ago

I really don't know the first thing about how Norton works so I don't have much to contribute. So thanks to everyone hashing this stuff out here.
mmozeiko
Mārtiņš Možeiko
1404 posts
1 project
#12459 WS.Reputation.1 Consider digital signing of window's exe
1 week, 5 days ago

You don't need to know how Norton works to "fix" this. There are two options to fix this:

1) you sign the exe/dll files you are building and releasing. That will require buying a code signing certificate (a bit different from a regular https certificate). It typically is valid for 1 year, then you need to renew it.

2) you educate users to verify authenticity of exe files with free and open-source tools - using gpg, or just providing sha hash over https.
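
Both options in the post above can be checked on the receiving side from PowerShell. This is an added example, not part of the original posts: `Test-Release` is a hypothetical helper name and the demo file is constructed, with a locally recorded hash standing in for the value a publisher would post over https.

```powershell
# Added example: Test-Release is a hypothetical helper name.
function Test-Release {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256   # copied from the publisher's HTTPS page
    )

    # Option 2: compare the local file's SHA-256 with the published value
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw 'ExpectedSha256 is not a 64-digit hex string'
    }

    # Option 1: ask Windows whether the file carries a trusted Authenticode signature
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        File        = (Get-Item -LiteralPath $Path).FullName
        Sha256      = $actual
        HashMatches = ($actual -eq $expected)
        Signature   = $sig.Status          # SignatureStatus enum: Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Constructed demo: record a hash (standing in for the published value), then alter the file
$demo = Join-Path $env:TEMP 'release-demo.bin'
Set-Content -LiteralPath $demo -Value 'constructed release content'
$published = (Get-FileHash -LiteralPath $demo -Algorithm SHA256).Hash
Test-Release -Path $demo -ExpectedSha256 $published
Add-Content -LiteralPath $demo -Value 'modified after publication'
Test-Release -Path $demo -ExpectedSha256 $published
Remove-Item -LiteralPath $demo
```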
godratio
Ray Garner
39 posts
#12466 WS.Reputation.1 Consider digital signing of window's exe
1 week, 5 days ago


So perhaps Patreon is not giving out secure download links?

I really want to know how Norton can flag these files. Where could the attributes be hidden?

When I get desperate enough I might try some more extreme measures.

You could also bypass this if you maybe sent an email to Symantec about getting put on the whitelist for WS.Reputation.