March 24, 2011

False Positives – Preying on Fear and Ruining Reputations

Filed under: Uncategorized — Marcus Tettmar @ 5:09 pm

Update: 25/03/2011 1420 GMT – Symantec have just emailed me to say that this detection has been removed and will not be present in the next definition update.

Fake viruses are one thing. I recently helped out four people who fell victim to the fake “System Tool” virus, which pretends that your PC has a virus and, by preventing the computer from being used, tries to get people to visit their website to hand over their credit card details. They prey on fear.

But legitimate anti-virus vendors aren’t an awful lot better. I know a number of people who bought a home PC with Norton pre-installed. They get a free 12 month subscription for virus definitions. But they don’t know that. Most of them have no idea that an anti-virus product even needs to download new updates. Then 12 months later they get a nasty looking warning saying that their PC is unprotected and now they have to pay for a new subscription. Frightened that something nasty will happen to their PC they pony up.

What they didn’t realise is that there are cheaper/better and even free alternatives. When I tell them they seem pretty angry.

Now it seems Norton have decided that small software companies are not to be trusted and are scaring people into deleting perfectly good software.

I recently received reports from a couple of trial-downloaders saying that their Norton/Symantec software reports a possible virus in Macro Scheduler.

The “virus” is: ws.reputation.1

Details of this threat can be found here. I quote:

“WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

The reputation-based system uses “the wisdom of crowds” (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.”

In other words it seems to be saying:

“Because only a few of our users have used this product, it must be dangerous, though we have no specific idea why.”

Isn’t there a catch-22 here? Since insufficient people are using it to deem it safe, Norton blocks it, which means no further people CAN use it, which means the number of people using it won’t grow, which means its reputation gets worse. A new file needs lots of people to use it for Norton to pass it, but if they block it, new people can’t use it? It’s daft and very unfair.

And we’ve been in business and selling Macro Scheduler since 1997! If you’re a start-up with a new product I guess you’re going to have trouble getting the average home PC user to install your software since so many of them use Norton.

I wonder what Peter Norton would make of this.

If you use Norton – in fact even if you don’t – please send them a false positive report by going to:
https://submit.symantec.com/false_positive/