
Symantec throws up hurdles to independent software developers - r00tbeer
http://www.codeandweb.com/blog/2012/06/23/how-symantec-ruins-independent-developers
======
mjard
I worked at Symantec on the reputation team, tools I worked on directly
generated the reputation behind the WS.Reputation.1 message.

First: file a false positive report at
<https://submit.symantec.com/false_positive/> . (Options: "When downloading a
file", "Norton Internet Security 2012 or Norton AntiVirus 2012", "Download
Insight")

This goes directly to the team and they should have your programs whitelisted
within a few business days.

Second: sign your executables. This goes a long way. And no, it doesn't have
to be Verisign.

Third: don't change domains. This wiped out your known reputation. (Would have
been acceptable if your binaries were signed)

Symantec is not out to squish the little guy. Sometimes you do have a few more
hoops that you are required to hop through. Symantec should have better
transparency on how this process works; it's something I pushed for pretty
heavily but never had the power to get done.

Don't worry, you're not alone. Example: We weren't able to get Mozilla to sign
their beta or developer builds that are shared on multiple mirrors (domains
not related to mozilla). We'd get lots of angry (understandably) reports of
reputation issues on these builds.

If anybody has any questions within reason, I'll be glad to answer them.

~~~
kevingadd
Is it actually possible for everyone to sign their executables? Last time I
did it, I had to fork over something like $250/yr for a signing key along with
providing copies of various documents. This seems a little high for someone
who just, say, wants to make free utilities available to the world.

In the case of Firefox, one would think it would be possible for you guys to
do something about it on your end, because you're the ones who added this
reputation system that's causing users grief. Record known-good SHA or MD5
sums of unsigned apps like Firefox that you know are okay, for example. Or
just not default this feature on.

~~~
symcthrowaway
So, I also worked on this team (and am good friends with mjard). At some point
there was a big decision made to heavily bias the engine against "unknown"
executables. I said it was a bad idea then, and I still think it is now. The
only way it can "know" about an executable is via its source, or its
signature, or if it is on other users' machines. This creates the obvious huge
problem for "the little guy" distributing software. They actually think this
is no big deal, and when it steps on toes, the distributor can just use their
dispute system and eventually they will fix it. And if you don't like it, you
can just get your software signed. I was of the opinion that this was bad
behavior and unreasonable. They really liked what it did for review scores
(surprise, we detect everything!). I lost.

Create a harmless helloworld.exe and put it on a random website. Download and
run it. If things haven't changed since I left, it will get flagged as
malware.

What I can say is that this has nothing to do with trying to crush the little
guy or malice. With some exceptions, there is a general attitude there of not
caring, or caring about the wrong things. Hanlon's Razor a little bit.

~~~
malkia
Wait... A typical gamedev studio uses 50-100 of its own executables, if not
more. Directly from perforce/svn/etc. In between studios.

....

~~~
mjard
Version control products won't have to deal with the reputation engine.

------
jim_lawless
It's not just Symantec.

I've had issues with multiple AV companies that pertained to binary-string
signatures in my code. The AV companies I've dealt with all seem to have
online ticketing systems that allowed for rapid correction of these
situations.

A few months ago, I found that a command-line screen-capture tool that I
publish was flagged as malware by multiple AV products due to behavioral
characteristics.

In ScreenKap, I was experimenting with obfuscation of text-strings used by the
code. I removed the obfuscation from the code and resubmitted to VirScan.org.
I received a clean bill of health.

Note that I did not formally pursue this with any of the AV companies as the
string obfuscation was an experiment and was nothing that needed to remain an
integral part of my product. If my assumption is correct ( please note that it
is an assumption ), we might be restricted to coding in the way the AV
companies think we should code.

------
xpaulbettsx
Norton has caused a large amount of frustration for our GitHub for Windows
users - Symantec will basically block any EXE using MSys, because of its use
of the CreateRemoteThread API. There is no way I am going to submit all of the
200+ EXEs that comprise MSysGit to that web form, though we will try signing
all of the EXEs.

~~~
mjard
Argh, that's rough. Submit a few and mention there are more; the team will be
able to vet the entire collection.

------
malkia
We have Symantec AntiVir at work.

A few months ago I was researching a way to make DLLs behave like OSX/Linux -
e.g. while they are loaded, they can get replaced. This is doable with the
linker option /SWAPRUN:CD,NET - e.g. if your dll/exe was running from CD or
network, and the media went down, it should still work. This somehow pulls the
whole data somewhere (I guess in the page file), and it can be replaced.

Anyway, as soon as I started using this, Symantec started producing virus
reports - not for everything - but a few were enough for me to stop.
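Two things in this thread come down to bits in the PE header: mjard's advice to sign every executable (and xpaulbettsx's plan to sign all 200+ MSysGit EXEs rather than submit them one by one), and the /SWAPRUN:CD,NET linker flags in the comment above. The script below is an added example, not code from the thread, from Symantec or from any of the projects mentioned: it walks a release tree and reports, for each .exe/.dll, whether an Authenticode certificate table is present, whether either SWAPRUN characteristic is set, and the file's SHA-256 for a hash allowlist. The `build_minimal_pe` fixture is a constructed header used only so the code runs offline; the directory layout and file extensions it scans are assumptions. Presence of a certificate table is not proof that the signature verifies or chains to a trusted publisher; check that with `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` before shipping.

```python
"""Audit a tree of PE files: Authenticode table present? SWAPRUN flags set?
SHA-256? Standard library only. Added example, not code from the thread."""
import hashlib
import os
import struct

# IMAGE_FILE_HEADER.Characteristics bits that the MSVC linker's /SWAPRUN sets
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = 0x0400  # /SWAPRUN:CD
IMAGE_FILE_NET_RUN_FROM_SWAP = 0x0800        # /SWAPRUN:NET
# Data directory slot pointing at the WIN_CERTIFICATE (Authenticode) table
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of a PE32/PE32+ image to answer the three questions.
    Raises ValueError (or struct.error on truncation) for anything else."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = e_lfanew + 4
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)

    # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+);
    # NumberOfRvaAndSizes is the 4 bytes immediately before them in both layouts.
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:
        dirs = opt + 96
    elif magic == 0x20B:
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (num_dirs,) = struct.unpack_from("<I", data, dirs - 4)

    cert_offset = cert_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the security directory the first field is a file offset, not an RVA.
        cert_offset, cert_size = struct.unpack_from(
            "<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        # A certificate table exists; it says nothing about whether it verifies.
        "has_authenticode": cert_offset != 0 and cert_size != 0,
        "swaprun_cd": bool(characteristics & IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP),
        "swaprun_net": bool(characteristics & IMAGE_FILE_NET_RUN_FROM_SWAP),
        # Whole-file hash for an allowlist. This is NOT the Authenticode hash,
        # which skips the checksum field and the certificate table.
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def audit_tree(root: str) -> list:
    """One result dict per .exe/.dll under root (assumed extensions), in path order."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if not name.lower().endswith((".exe", ".dll")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                info = inspect_pe(data)
            except (ValueError, struct.error) as exc:
                info = {"error": str(exc)}
            info["path"] = path
            rows.append(info)
    return rows


def build_minimal_pe(signed: bool, characteristics: int = 0) -> bytes:
    """Constructed fixture: a bare PE32 header with no sections, enough for
    inspect_pe but not a loadable binary."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)                 # PE32 optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if signed:
        # Pretend a 0x1000-byte WIN_CERTIFICATE blob sits at file offset 0x200.
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x200, 0x1000)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for row in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(row)
```

Run it against the build output directory and anything with `has_authenticode` false is a candidate for signing before the false-positive submission; anything with a SWAPRUN flag set is worth a second look if the reputation engine complains, since that flag is rare in ordinary desktop software.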

------
cluda01
Suppose Symantec started a program where companies were allowed to pay for
their apps to be whitelisted and precluded from this check. Could this be
considered a protection racket under anti-trust rules?

~~~
ghurlman
No. There's nothing remotely resembling a monopoly here, just a garbage
product.

~~~
damian2000
A garbage product that is unfortunately pre-installed on hundreds of millions
of Windows PCs. It's actually quite difficult to remove _all_ of its
components; it's not just a one-click operation as it should be.

~~~
woqe
I have had some success with <http://www.symantec.com/nrt> .

------
jiggy2011
Is there even much point in using AV software?

I ask this because I have never installed any on my computer (including on
Windows) and I have only ever _knowingly_ been infected once in the last 10
years (I think this happened because I didn't update Windows Media Player and
it was still associated with a file type and somehow a rogue media file
streamed from a website attacked it).

On the other hand people I know who have things like Norton etc installed seem
to have _way_ more problems with their computers than me (including fairly
tech savvy people). For example programs randomly breaking, tracking cookies
being flagged as "malware", general slowness of the system, nonsensical
warning messages etc. Besides that they still seem to end up infected with
malware more often than me and usually re-format their systems once every few
months.

On that one occasion that I did end up infected, I had to install 3 different
AV programs and do full scans before it was even detected.

Mac and Linux users never bother having AV installed and as far as I am aware
there is nothing inherently more secure about either of these systems than
there is Windows 7.

If you are running a network, surely it would be simpler just to disallow any
executable files apart from those explicitly whitelisted and to make sure
security patches are installed?

~~~
ams6110
In the past, on Windows and Macs (pre-OSX), it was pretty much a requirement
unless your machine was really stand-alone and you never dealt with files from
any untrusted sources.

These days, if you keep your system patched, use an unprivileged account for
your normal activity, use a local firewall and/or NAT, and stay away from
shady websites you are probably pretty safe.

I have similar experiences with a friend who's constantly getting malware even
though he's running Windows 7 and Microsoft Security Essentials. The main
vector seems to be PDF files; he deals with a lot of them via email as part of
his job, and he's very much in the habit of just opening PDFs in email before
he even really looks at who the sender is.

I agree that many AV programs slow the system way down, and in general cause
problems, and don't seem to really guarantee that you won't get infected. And
FUD is a huge part of how it's marketed. Even Windows itself will nag you with
ominous warnings if you don't have any AV software installed.

~~~
jiggy2011
There is possibly a problem with user education here.

Running software on your computer that is not set to automatically pull down
and install security patches to me seems like a far bigger problem than not
running AV software. Windows does warn you if you turn automatic updates off,
but afaik there is rarely such a warning about third party software.

In your friend's case it would seem that he is not getting updates from Adobe,
since viewing a PDF file should not cause third party code execution, so he
must be getting PDFs that are exploiting his PDF reader (presumably Adobe
fixes these quickly as they arise).

------
CamperBob2
Why isn't this grounds for a product-disparagement lawsuit?

------
hluska
I once worked for a company that ran into this same problem, hence, I have a
whole lot of sympathy. However, I also sympathize with Symantec.

The biggest problem with the AV world is that it tends to be reactive. A
criminal releases a piece of malware, it infects computers and then there is a
fix released. The problem is that there is a gap between release and fix and
criminals exploit this gap to steal information.

Reputation analysis is one possible solution. Alas, when it fails, it fails
big (and hurts primarily independent developers).

------
n-gauge
Hence why I don't install rubbish virus checkers. It also gets confused on
those 4k demos (due to the packers they use probably)

------
voidr
Software that does this should become illegal. This is technical slander.

They are not even trying to explain what this means, the reason for this is
simple: they want to show off, how many times they "protected" their
customers, so that they are fooled to believe that AV products actually have
value in them.

------
16s
When I used to write Windows software, Authenticode signing solved this sort
of issue. Does that no longer work?

~~~
kevingadd
Last I checked, Authenticode certificates are not cheap.

------
hikkymemo
Are your executables signed?

~~~
tonyedgecombe
Signing doesn't always solve the problem.

~~~
ryanpetrich
Signing should allow reputation from previous versions to apply to updates, if
implemented correctly by the antivirus vendor.

~~~
AndreasLoew
The product is out for about 1.5 years now but I moved to a new domain (from
texturepacker.com to codeandweb.com). This is when the trouble started. I have
not signed it yet - just learned about the issue some days ago.

------
randomguy1122
Companies pay to get stuff listed. Someone paid to get rid of your product.

