Symantec Norton Antivirus reports Fast video cataloger as a false positive

Yesterday we released version 3.20 of Fast video cataloger. When I release a new version with important enough changes, I always try to send an email to our customers to let them know about the update and that they can get it for free.

This time, almost immediately, I got this email back from one of our Norwegian customers:

“My antivirus program (Norton) wrote that this program (fvc_320.2xe) was a threat and removed it. The threat was named: WS.Reputation.1”

It’s really great that he took the time to let me know, but terrible that Symantec’s Norton antivirus gives a false positive. Norton is pretty expensive compared to their competition, and since it slows down your computer so much I stopped using it years ago (if you are interested, the antivirus I currently use is AVG).

First thing, let's check if this is detected as a virus by other virus scanners.

VirusTotal is a pretty good online virus scanner. You can upload a file to test and it runs the file through more than 50 different virus scanners. Here is the result from running my executable through their service.

https://www.virustotal.com/en/file/bac864873728b83442eeae6bfe156ae173012bb339577f0354541906a6e7416b/analysis/1405708396/

So, not detected as infected by any of the 52 virus scanners; that is a pretty good indication that it's not infected.

I guess there is a remote possibility that this is a new virus and Symantec’s antivirus program was just first to detect it. So after some digging around I found this:

“WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

The reputation-based system uses “the wisdom of crowds” (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.”

So what this is basically saying is that not many people have run this current executable before… Duhh, it's a new file, I just compiled it, this is always going to happen!

So either their detection is using some type of hash (a unique way to encode the executable as one large number) and checks how many people have run that file. In this case this is going to happen whenever I release a new version, as it cannot have any prior reputation.

The other option is that they encode the URL to the file. This will not trigger on updated files, except in my case, since the installer is named with the version number and will always generate a unique URL whenever a new version is released. I do hope they don’t encode that URL as that would be terrible – any new infected file would not trigger the alert.
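The two keying schemes guessed at above can be compared with a small model. This is an added example, not code from the original post and not Symantec's implementation; the threshold, the URLs and the byte strings are constructed for illustration.

```python
import hashlib

# Constructed sample data: stand-ins for installer bytes, not real files.
OLD_BUILD = b"MZ\x90\x00 demo installer build 3.19"
NEW_BUILD = b"MZ\x90\x00 demo installer build 3.20"
SWAPPED = OLD_BUILD + b" + appended payload"

OLD_URL = "https://downloads.example.test/app_319.exe"  # hypothetical
NEW_URL = "https://downloads.example.test/app_320.exe"  # hypothetical
THRESHOLD = 100  # assumed: fewer sightings than this means "low reputation"


def key_by_hash(url, data):
    """Identify a file by the SHA-256 of its contents."""
    return hashlib.sha256(data).hexdigest()


def key_by_url(url, data):
    """Identify a file only by where it was downloaded from."""
    return url


class ReputationStore:
    """Counts sightings per key; key_fn decides what 'the same file' means."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.sightings = {}

    def record(self, url, data, count):
        key = self.key_fn(url, data)
        self.sightings[key] = self.sightings.get(key, 0) + count

    def verdict(self, url, data):
        seen = self.sightings.get(self.key_fn(url, data), 0)
        return "trusted" if seen >= THRESHOLD else "low-reputation"


def run_scenarios():
    results = {}
    for name, key_fn in (("hash", key_by_hash), ("url", key_by_url)):
        store = ReputationStore(key_fn)
        store.record(OLD_URL, OLD_BUILD, 5000)  # old release is well known
        results[name] = {
            "known_release": store.verdict(OLD_URL, OLD_BUILD),
            "new_release_new_url": store.verdict(NEW_URL, NEW_BUILD),
            "same_url_swapped_bytes": store.verdict(OLD_URL, SWAPPED),
        }
    return results


if __name__ == "__main__":
    for scheme, verdicts in run_scenarios().items():
        print(scheme, verdicts)
```

With the hash key, every new build starts at zero sightings, and so does a swapped file; with the URL key, a versioned file name still resets the count, but different bytes served from a known URL inherit its reputation.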

Anyway, if you get this error with Symantec’s Norton antivirus just disable the virus program when you install the program. And, why not search for a faster, cheaper and not broken antivirus program in the process (and anyone from Symantec reading this, do contact me and let me know how to avoid this issue.)