Kudos0

Conflicting Results from File Insight

First I should mention that I have two similarly-configured Win 7 computers.  I'll call them computer A and computer B.

Today on computer A I opened my personal VPN program, which I don't use much except when traveling.  It is one of the best-known of such programs.  It said an update was available, so I downloaded it.  Norton File Insight gave it a "Good" rating, even though it has less than 5 users and was released less than a week ago.  After going directly to the program's website to verify that they had released an update, I installed it with no issues.

I then went to Computer B and downloaded  it, but there File Insight said it couldn't yet be trusted (still less than 5 users and less than a week old).  When I started to install it, Norton File Insight recommended I stop the installation and delete the file.  I proceeded anyway...again no problems.

Why would Norton File Insight call the same file good on computer A but suspicious on computer B?  BTW, on computer A it still shows as "Good" in File Insight.

Replies

Kudos1 Stats

Re: Conflicting Results from File Insight

I don't have an answer but I have experienced this many, many times on my three Win10 machines.  One machine will say my download is safe, yet the exact same download on another machine, or machines will say it isn't safe.

A little bit of knowledge is... well a little bit of knowledge.
Kudos1 Stats

Re: Conflicting Results from File Insight

I'm putting it down to a combination of machine spec, programs in use and other unknown variables !

For example on my wife's phone an identical download was 6.3 MB, and on mine 3.4MB.

Same program, different Android phones.

Maybe the same circumstances apply with PCs ?

Windows 10 Home X 64
Kudos0

Re: Conflicting Results from File Insight

Thanks for the replies.  Are each of you referring to cases with Trusted vs "Too New to Trust" (or whatever the exact wording was...I don't have computer B handy at the moment)?  Or have you also seen some Trusted vs. flat-out "Bad"?

Kudos1 Stats

Re: Conflicting Results from File Insight

Usually it is a heuristics detection determining it isn't safe for me.

A little bit of knowledge is... well a little bit of knowledge.
Kudos1 Stats

Re: Conflicting Results from File Insight

WS.Reputation.1 is the usual suspect.

Behavior

WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.

Maybe one of my machines is treated as a guinea pig?

A little bit of knowledge is... well a little bit of knowledge.
Accepted Solution
Kudos3 Stats

Re: Conflicting Results from File Insight

Ardmore:
...Norton File Insight gave it a "Good" rating, even though it has less than 5 users and was released less than a week ago...

...Why would Norton File Insight call the same file good on computer A but suspicious on computer B?  BTW, on computer A it still shows as "Good" in File Insight.

Hi Ardmore:

Go to Security | History | Download Insight.  Open each File Insight report, click the Copy to Clipboard link in the bottom-right corner, and paste the full details of each report into a text editor like Notepad. When you compare the two reports does it show that the files had the identical SHA256 hash (file thumbprint) and URL for the download site?  Is it possible one file was downloaded from a mirror site, for example, because of heavy traffic on their main download server?  The source of the file is one of the factors Download Insight considers when assigning a reputation (trust) rating.

There isn't much detailed information on how Download Insight works on the Norton Customer Support site at https://support.norton.com/, but I found a Symantec support article Managing Download Insight Detections that states:

"Download Insight uses reputation information exclusively when it makes decisions about downloaded files. It does not use signatures or heuristics to make decisions. If Download Insight allows a file, Auto-Protect or SONAR scans the file when the user opens or runs the file."

I had always assumed that differences users could see in the reputation (trust) ratings when they downloaded the same file [i.e., with the identical SHA256 hash and download site] on different computers were because the file reputation database was slightly out-of-date on one machine (go to Settings | Administrative Settings | Background Tasks | Configure and check the Last Run date/time of the background Norton Insight task).  However, another Symantec support article How Symantec Endpoint Protection Uses Symantec Insight to Make Decisions About Files implies that Download Insight always queries the file reputation database in the cloud (i.e., on the backend servers) and not the local computer.  Assuming that Download Insight works the same way in Norton home consumer products, it's possible that these file reputation databases stored in the cloud can sometimes be slightly out-of-date, depending on which server in the Norton CDN (Content Delivery Network) the query is sent to when you downloaded the file and when the content on that server was last refreshed.  That's just speculation on my part, though, so one of the Norton employees needs to jump into this thread to explain why users sometimes see these discrepancies in the reputation of downloaded files.

I'm always skeptical when Download Insight gives a "Good" trust rating to a file that is Very New and has Very Few Users, and I always give these files a manual scan with both Norton and Malwarebytes to ensure they're actually safe before I run them.  See the demo designed by user elsewhere a few years ago in HoogendoornJH's thread Trovico Not Discovered about a "fake" Microsoft Sysinternals Process Monitor installer downloaded from a site called Softango that was bundled with a nasty PUP (potentially unwanted program) that Malwarebytes detected as PUP.Optional.InstallBrain.  The Web Protection module in Malwarebytes Premium blocked the download of this infected installer...

...but after we disabled Malwarebytes' real-time protection Norton's Download Insight permitted the download and reported that the infected installer (SoftangoDownloader_SysinternalsProcessMonitor.exe) was "Safe to Run" and the overall trust rating was "Good" even though the file was Very New and had Very Few Users.  The SHA256 hash (digital fingerprint) of this infected installer was flagged as suspicious / malicious by multiple virus scan engines when the file was uploaded to VirusTotal.com for analysis.

------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * NS Deluxe v22.15.1.8 * MB v3.5.1-1.0.365
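
An added example, not part of the original post or of any Norton tool: a Python sketch of the comparison suggested in the reply above, hashing two downloaded copies and pulling any SHA-256 value out of pasted report text. The file names, the sample report line and the function names are constructed for illustration; no File Insight report layout is assumed.

```python
import hashlib
import os
import re
import tempfile

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")  # a SHA-256 digest is 64 hex digits

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large installer is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def hashes_in_report(text):
    """Return every 64-hex-digit string in pasted report text, lowercased."""
    return sorted({m.lower() for m in SHA256_RE.findall(text)})

def compare_downloads(path_a, path_b):
    """Compare two copies by size and by SHA-256; equal size proves nothing."""
    hash_a, hash_b = sha256_file(path_a), sha256_file(path_b)
    return {
        "same_size": os.path.getsize(path_a) == os.path.getsize(path_b),
        "same_sha256": hash_a == hash_b,
        "sha256_a": hash_a,
        "sha256_b": hash_b,
    }

def demo():
    """Constructed sample: two same-sized files that differ in a single byte."""
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "download_computer_a.exe")  # hypothetical name
        b = os.path.join(d, "download_computer_b.exe")  # hypothetical name
        payload = b"MZ" + b"\x00" * 4094
        with open(a, "wb") as f:
            f.write(payload)
        with open(b, "wb") as f:
            f.write(payload[:-1] + b"\x01")
        result = compare_downloads(a, b)
        report = "File thumbprint (constructed line): " + result["sha256_a"].upper()
        result["report_matches_a"] = hashes_in_report(report) == [result["sha256_a"]]
        return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If the two copies have different SHA-256 values, they are different files as far as a reputation lookup is concerned, even when their sizes match.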

Kudos0

Re: Conflicting Results from File Insight

Imacri, I think you have identified the general issue here, namely that the files have different SHAs.  I guess this makes sense considering that on Computer A I downloaded the program update file from the program's website (after visiting it to read about the update); vs. Computer B, where I clicked "download" on the popup message that a new version was available -- causing the download to start immediately.  Fyi, the two files are identically-sized.

Url is not reported for either file.  But the one that was rated Good, that I downloaded from the website, lists the program's developer, while the one that isn't trusted (yet) doesn't list developer. 

BTW, isn't it likely more people would end up downloading from the new-version-available popup than downloading from the website?

Kudos1 Stats

Re: Conflicting Results from File Insight

Ardmore:
...BTW, isn't it likely more people would end up downloading from the new-version-available popup than downloading from the website?

Hi Ardmore:

For me, it depends on the program and the level of trust I have in the software developer as to how I apply updates.

The internal updater for my iTunes software, for example, only downloads updated files for modules that have changed since the previous update and performs a partial / incremental update, so it makes no sense for me to download the full offline installer from the Apple website (and waste bandwidth) to perform an over-the-top update every time a new update is released.  Other software like my Firefox ESR browser would often throw an error ("Update Failed: The partial update could not be applied.  Firefox will try again by downloading a complete update") when I used the internal updater, so for a year or so I just downloaded the full offline installer from their website and performed an over-the-top update until Mozilla fixed this glitch.  Many CCleaner Free users prefer to use the slim / portable installers from https://www.ccleaner.com/ccleaner/builds to avoid installing browser toolbars and other unwanted software that is bundled with the standard installer offered at https://www.ccleaner.com/ccleaner.

There seems to be a growing trend these days where some software companies like Avast / Piriform and Norton are randomly selecting a small group of customers to "preview" new features (i.e., become unwitting beta testers).  Some companies deliver these "preview" features via built-in internal updaters while others will randomly select users to download these modified installers (i.e., with SHA256 digital fingerprints that do not match the "standard" installer) when the user downloads the .exe file from their website.  Companies will submit the SHA256 hash of both installers to antivirus manufacturers and VirusTotal so the beta version isn't flagged as malicious / suspicious when it is executed, but I suspect inconsistent results with Norton Download Insight and poor file reputations (Very New/Very Few Users) these days are sometimes caused by companies like Avast / Piriform who push out installers that include these "preview" features to a limited number of users.
------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * NS Deluxe v22.15.1.8 * MB v3.5.1-1.0.365

Kudos0

Re: Conflicting Results from File Insight

Interesting stuff, thanks.

BTW, very OT but I'm surprised you're still on Firefox 52.9esr.  I thought *I* was stretching out my usage of it too far beyond the end of support, but I finally "gave in" and switched to 60esr 3.5 months ago.  I was absolutely floored by the improvement in performance on my Win 7 machine.  I had thought that the "improved performance" claims were hype, but -- at least for me -- to the contrary they were dramatically under-sold.  Aside from the speed increase, sites that were previously frustratingly balk-y just glide swiftly, and I no longer experience a frustrating slowdown the longer I surf.  I pieced together simple CSS code that makes the interface look pretty similar to before, and have found replacements for most (not all) of my pre-Quantum add-ons.

I still have an installation of 52.9esr  -- never to be updated -- in a different user account I created solely for the purpose of continuing  to access my old Scrapbook files (since the Scrapbook add-on won't work in Quantum).  As an extra caution, the 52.9 installation is 64-bit, while my "main user" installation is 32-bit.

Kudos0

Re: Conflicting Results from File Insight

Ardmore:

...BTW, very OT but I'm surprised you're still on Firefox 52.9esr....

Hi Ardmore:

Firefox ESR v52.9.0 (released 26-Jun-2018) was the last version released for my Vista SP2 machine.  See the Mozilla support article Important - Firefox Has Ended Support for Windows XP and Vista.

It's the same reason I'm using Norton v22.15.1.8 (released 13-Sep-2018) on this machine per Gayathri_R's announcement Norton Maintenance Mode for Windows XP and Windows Vista as well as Malwarebytes v3.5.1 with Component Package v1.0.365 (released 08-May-2018) per the FAQ Malwarebytes Support for Legacy Windows XP and Vista Operating Systems.
------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * NS Deluxe v22.15.1.8 * MB v3.5.1-1.0.365

Kudos0

Re: Conflicting Results from File Insight

 

Firefox ESR v52.9.0 (released 26-Jun-2018) was the last version released for my Vista SP2 machine.  See the Mozilla support article Important - Firefox Has Ended Support for Windows XP and Vista.

Aha...I had  been aware that Firefox finally ended support for XP, but wasn't aware that it had ended for Vista as well.

Kudos1 Stats

Re: Conflicting Results from File Insight

I just had this happen with the latest CCleaner update downloaded from the same link on their website.  One machine was happy, but my two other machines asked if I was sure I wanted to run the installer.  On those two machines I was prompted whether to allow the installer to access the internet, which I blocked.  On the machine that Norton said the installer was safe it wanted to install Avast AV.

A little bit of knowledge is... well a little bit of knowledge.
Kudos0

Re: Conflicting Results from File Insight

Interesting.  I assume all three downloads were done at about the same time, right?

Kudos0

Re: Conflicting Results from File Insight

Yep, all one after the other.

A little bit of knowledge is... well a little bit of knowledge.
