WS.Reputation.1 Consider digital signing of Windows exe

Hey, my company uses Norton antivirus.

Your exe always gets flagged when I download at the office computer.
Can you get your exe digitally signed so Norton will stop flagging it?

This is a slight distribution problem but would help me and anyone that is stuck with Norton and does not have control of the white list settings.

It's not only a "distribution problem", but will also require Allen to pay real money for a certificate every year. OS trusted certificates are not free. I don't know what the price is now, but a few years ago it was in the range of 200-300$/y.

And not many people care about it. Exe file authenticity can be validated much more simply and for free - download from a trusted location (https), gpg signature, etc.

The ones who do care about the Windows built-in mechanism to verify exe signatures - they should simply sign it themselves. You can easily buy a certificate on your own, and then sign whatever exe you want :)

Edited by Mārtiņš Možeiko on
I wonder if a quick fix would be for Allen to distribute a password protected ZIP... that might be enough to keep Norton from catching it midstream... and the password could be anything... like "4coder_is_awesome" or something...

Maybe you could do a test sometime, just make a zip file with 4coder in it and set a password and try to download it from dropbox web url or something....

Btw, I have never used it, but people that I know that have used it complain about Norton Internet Security a lot... and historically its flaws have been exploited to attack users...

I'm assuming, of course, that it's the "downloading" part that you are having trouble with. If you are on a system that can only run whitelisted binaries, then I'm wondering, how are you running your own compiled code?


Edited by David Butler on
Croepha
I wonder if a quick fix would be for Allen to distribute a password protected ZIP... that might be enough to keep Norton from catching it midstream...

Then it will depend on the unzipping software that the user uses.
Explorer's built-in zip support will mark all extracted files as coming from the same "source" as the zip file. In this case the internet, so they will be untrusted.
If you use custom zip software like 7-Zip, then it will not do such a thing, and exe files will look like normal exe files without any "source" tags attached.

I'm assuming, of course, that it's the "downloading" part that you are having trouble with. If you are on a system that can only run whitelisted binaries, then I'm wondering, how are you running your own compiled code?
Windows has this concept of security zones (or whatever it is actually called, I'm not sure). If a file is downloaded from the internet, it is marked as coming from a not-so-secure zone. This can be checked by any other software. Compiler-created exe files come from the same local machine, so they are better trusted.

Edited by Mārtiņš Možeiko on
Why not just rename the .exe to .ex (or whatever) and then zip that? That is how I send stuff through gmail, which doesn't accept even zipped .exe
Then the receiver just renames it to .exe again.
I will give some of these ideas a shot just for charms sake.

However, the problem comes when trying to execute the exe, not in downloading.

It's caught when I try to execute the exe from a mouse click or command line execution.

I turned the setting down as low as possible.

According to the Norton site it's only caught due to not having enough users on the Symantec network. So you can get it whitelisted from the WS.Reputation.1 by directly contacting Symantec, it seems.

https://www.symantec.com/security...eup.jsp?docid=2010-051308-1854-99

https://community.norton.com/en/f...ification-wsreputation1-detection

Per this info. These kinds of things make it harder to distribute and use other people's software.

Edited by Raytio on
Telash
Why not just rename the .exe to .ex (or whatever) and then zip that?

The extension does not matter. Once the browser downloads something (exe, txt, zip - doesn't matter) - it marks it as an "insecure" file. You can rename it as you want - this property won't change. You can manually remove it though.

godratio
However, the problem comes when trying to execute the exe, not in downloading.
It's caught when I try to execute the exe from a mouse click or command line execution.

Of course. But how do you think Norton checks if an exe is not-so secure or good? It checks that attribute that was assigned during download from the internet.

You can manually remove it. It is stored as an NTFS alternate stream. You can use streams.exe to view and delete them.
Basically do the following:
1) download exe/zip whatever from the internet
2) examine NTFS alternate streams - you should see it has one
3) delete the stream
4) run the executable - Norton will not complain anymore, because it will think this is a local file that possibly you created (by compiler for example).
mmozeiko

You can manually remove it. It is stored as an NTFS alternate stream. You can use streams.exe to view and delete them.
Basically do the following:
1) download exe/zip whatever from the internet
2) examine NTFS alternate streams - you should see it has one
3) delete the stream
4) run the executable - Norton will not complain anymore, because it will think this is a local file that possibly you created (by compiler for example).


I did all the above steps and that was my original intuition. I did not know about streams before; now I know. Was sure it was going to work....
but even after removing all the streams for all the folders in the 4coder directory somehow Norton still flags it.
I wonder if Norton keeps an internal cache of all downloaded files.

Ok, then it seems they have changed/improved something... This for sure was working ~1y ago, when I tried it on my corporate Windows laptop.

What happens if you just read the bytes from the EXE and write them to a new file?

I really don't know the first thing about how Norton works so I don't have much to contribute. So thanks to everyone hashing this stuff out here.

You don't need to know how Norton works to "fix" this. There are two options to fix this:

1) you sign the exe/dll files you are building and releasing. That will require buying a code signing certificate (a bit different than a regular https certificate). It typically is valid for 1 year, then you need to renew it.

2) you educate users to verify authenticity of exe files with free and open-source tools - using gpg, or just providing sha hash over https.
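
An added example, not part of any post in this thread: a PowerShell report on a downloaded file that reads the Zone.Identifier alternate stream discussed earlier, compares the file's SHA-256 with a published value (option 2) and shows its Authenticode status (option 1). The function name `Get-DownloadTrustReport`, the temp file and the "published" hash in the demo are constructed for illustration.

```powershell
function Get-DownloadTrustReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256   # hash the publisher posts over HTTPS
    )
    # Windows URL security zones by ZoneId.
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet'; 4 = 'Restricted sites' }

    # The download marker is an NTFS alternate data stream named Zone.Identifier.
    $zone = 'none (no Zone.Identifier stream)'
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if ($stream) {
        $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw
        if ($text -match '(?m)^ZoneId\s*=\s*(\d+)') {
            $id = [int]$Matches[1]
            $zone = if ($zoneNames.ContainsKey($id)) { "$id ($($zoneNames[$id]))" } else { "$id (unknown)" }
        } else { $zone = 'stream present, no ZoneId' }
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path        = $Path
        Zone        = $zone
        Sha256      = $actual
        HashMatches = ($actual -eq $ExpectedSha256.Trim())  # string -eq ignores case
        Signature   = $sig.Status                           # SignatureStatus enum value
    }
}

# Constructed sample: a temp file tagged the way a browser tags an Internet download.
$sample = Join-Path $env:TEMP 'motw-demo.ps1'
Set-Content -LiteralPath $sample -Value 'Write-Output "demo"'
Set-Content -LiteralPath $sample -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
# Stands in for the publisher's hash; in real use, copy it from the download page.
$published = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash
Get-DownloadTrustReport -Path $sample -ExpectedSha256 $published
Remove-Item -LiteralPath $sample
```

The stream parameters work only on NTFS volumes under Windows.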

So perhaps Patreon is not giving out secure download links?

I really want to know how Norton can flag these files. Where could the attributes be hidden?

When I get desperate enough I might try some more extreme measures.

You could also bypass this if you maybe sent an email to Symantec about getting put on the whitelist for WS.Reputation.