About Symantec's Suspicious.Insight

cloud reputation-based technology
Some days ago we've included a new version of the Symantec engine that makes use of the company reputation-based security technology. Given that we've received a lot of emails asking about the matter, we think it is interesting to clarify it, and Symantec guys have posted a quite enlightening entry in this blog:

"So what exactly is a Suspicious.Insight detection? These detections are derived from Symantec’s new reputation-based security technology. They highlight files that have not yet developed a strong reputation (either good or bad) amongst Symantec’s community of users."

To read more about it, visit the Symantec's blog post or the reference about the detection.

Sent by jcanto @ 10:51 | Permalink | Comments (15) | Trackbacks (0)
Re: About Symantec's Suspicious.Insight


i have the same Problem´s.


My Home Virus Tool from f-secure 2010 say

your Online Tool say Suspicious.Insight

What can i do? That a Trojaner or what ?

Posted by: cultd3ad at marzo 10,2010 15:50
Re: About Symantec's Suspicious.Insight

Delphi should sue Symantec. Or better yet a class action suit would probably be better. Symantec is using reputation-based security technology. They are basically flagging every software with Suspicious.Insight. This does not mean there is a virus within the software being scanned. But it sure does lead people to think there is a virus in the software.

This stinks. How many small time software developers will have a reputation "built up" big enough for Symantec to include them in their reputation based security.

Posted by: Jim at marzo 15,2010 20:18
Re: About Symantec's Suspicious.Insight

We recently uploaded a ZIP file containing an installation program for one of our products.

Of the 42 anti-virus programs only Symantec's 20091.2.0.41 2010.03.19 flags this as containing a virus, "Suspicious.Insight".

We submitted this file as a false positive to Symantec and received the following message:

"Suspicious.Insight is detection for files that have not yet developed a strong reputation among Symantec's community of users and is not based on observed malicious or nefarious activity."

So Symantic is flagging a file as containing a virus even though it admits that it has *no evidence* that the file contains a virus!

http://www.virustotal.com/estadisticas.html shows "Suspicious.Insight" as first on the list with over 33,675 Suspicious.Insight "detections". The next has only 3,500.

Your stats page also says:
Infected files which one or more antivirus engines failed to detect as a threat: 86,163
Others: 659

It's clear that Symantec is totally messing up Virustotal's statistics.

Avast (as I recall) was - a few weeks ago - reporting false positives with installers made using Inno Setup (which is widely used by independent software developers). Avast fixed this problem within days.

Inno Setup is used by thousands of independent software developers, whose products are usually not widely used and so (according to Symantec at the web page cited below) "have not yet developed a strong reputation among Symantec’s community of users."

It seems that almost any installation program made using Inno Setup will be reported by the Symantec program as infected, not because it contains a virus but because "the application is unproven", as Symantec says at

Moreover, it is causing some people (including potential purchasers of products by independent software developers) to believe that uninfected files are infected with a virus, thereby causing them to lose sales!

Symantec should be removed from Virustotal's suite of virus-detectors (until Symantec removes their bogus "Suspicious.Insight") because it is producing false positives for many thousands of programs and it behaves contrary to your stated purpose, which is to report on viruses actually detected, not on unfounded suspicions.

Peter Meyer
Hermetic Systems

Posted by: Hermetic Systems at marzo 20,2010 04:26
Re: About Symantec's Suspicious.Insight

The only real problem here is that this detections from Symantec should actually be flagged as "unknown".

Symantec has made quite a big step forward with this new technology from what traditional av used to be. Personally I would say it is more like a modern version of the old integrity scanners...

Traditionally av works with blacklists, detecting bad objects. However, when you make a full scan of your system with such an traditional av scanner and have the result of the scan that you have 0 detected malware, this does not actually mean your system is safe. What it really means is that there are 0% "known bad" objects on your system and 100% of unknown objects.

Lately there is also allot of talk about whitelisting where the scanner scans and detects all the "known good" objects (files). This can work great on controlled systems where all it is possible to maintain a close to 100% of "known good", on normal users systems however this can not be done, so again the % of "unknown" is high.

What Symantec is trying to do here is actually something like "full-list" (combining blacklist and whitelist). So when you scan a system you can have a result like this (0% of known bad, 40% of unknown and 60% of known good). This is actually a huge step forward.

And the Suspicious.Insight is the "unknown" from this "known bad-unknown-known good" approach. It is however up to users now to start to understand this difference and up to Symantec (and possible other vendors that will go this way) to make this difference clear to the users.

Personally I see nothing wrong with it, actually I even like and support it (the general idea of it, while the individual implementations of it by different vendors could be questionable).

Posted by: saso at marzo 20,2010 17:11
Re: About Symantec's Suspicious.Insight

I fully agree with Peter. Symantec should be removed from Virustotal's site because it is producing false positives on every InnoSetup-generated install program.

Posted by: tomasz at marzo 23,2010 17:04
Re: About Symantec's Suspicious.Insight

I have expanded my earlier post into "An Open Letter to Symantec Corporation about 'Suspicious.Insight'", which is now to be seen at: http://www.hermetic.ch/symantec_letter.htm

Links to this page are welcome.

Posted by: Peter Meyer at marzo 24,2010 15:18
Re: About Symantec's Suspicious.Insight

In case you did not check Norton site, there are some
"bright" suggestions from their users regarding "Suspicous.Insight":


and see Norton response. It is getting worse.

Posted by: bob at marzo 26,2010 00:14
Re: About Symantec's Suspicious.Insight

I received a message from Symantec on this subject, and my reply is to be seen, following the open letter mentioned in my previous message, at http://www.hermetic.ch/symantec_letter.htm.

Posted by: Peter Meyer at marzo 29,2010 10:20
Re: About Symantec's Suspicious.Insight

Symantec replied to my message on March 30 and my reply of the same date is to be seen at http://www.hermetic.ch/symantec_letter.htm.

The main point I made is that Symantec is creating a problem for independent software developers (namely, harming their sales) by apparently reporting to users of Virustotal that every new product or new version that a vendor releases is infected by 'Suspicious.Insight', when in fact Symantec in almost all cases has *no evidence* at all to support such a claim.

Posted by: Peter Meyer at marzo 30,2010 11:35
Re: About Symantec's Suspicious.Insight

Saso wrote:

>The only real problem here is that this detections from Symantec should actually be flagged as "unknown".

NO! The REAL PROBLEM is that Symantec is flagging program files as (apparently to the user of Virustotal) infected by a virus or some other malware (when almost always this is a false positive) and is thus causing independent software vendors to LOSE SALES! Isn't this blindingly clear?

>Symantec has made quite a big step forward with this new technology

A big step forward in duplicitous marketing, perhaps, but NOT in virus detection. And at the cost of Symantec's credibility and reputation, as well as at the cost of lost sales to independent software vendors.

Posted by: Peter Meyer at marzo 31,2010 08:45
Re: About Symantec's Suspicious.Insight

You can bet that everything released by Micro$oft, Adobe and such like companies will be "safe" no matter how dangerous they are to their users (old versions of Adobe Flash, say, that have well-known and also fairly frequently exploited vulnerabilities).

Not that security software does pretend to expose vulnerabilities -- no, they feast on the fear people have for viruses. But they look at their Norton AV report and feel safe...

Posted by: Velska at abril 21,2010 14:27
Re: About Symantec's Suspicious.Insight

The good news is virustotal has apparently dropped Suspicious Insight in their reports. The bad news is NAV users are asking for Symantec to up the ante on this nonsense:


Jim: I'd of course be ecstatic if Delphi sued Symantec over this, but just to be clear: this has nothing to do with Delphi apps. Any app that Symantec doesn't have in their database will be flagged as "suspicious".

David Hyde
DPlot Graph Software
(Hopefully no longer "suspicious")

Posted by: David Hyde at abril 27,2010 02:25
Re: About Symantec's Suspicious.Insight

Wow this si really sad they have to stoop to low tatics like this. I usually never trust the big companies when it comes to their software. While some can be not too bad, most of it can be junk. And Norton has gotten worse over the years.

Posted by: Todd at junio 15,2010 03:17
Re: About Symantec's Suspicious.Insight

Very good!

Posted by: 西安塑料托盘 at agosto 20,2010 12:37
Open letter for all?

Funny is that, every developer with a fresh application should write an open letter to Symantec to get removed from fake virus DB?
Unfortunately they have huge install base on enterprise and unsuspecting/bundle victim home market. I am surprised I didn't hear about this anywhere until today.

Posted by: Ilgaz at octubre 04,2010 06:59
Re: About Symantec's Suspicious.Insight

This is actually a major widespread problem. I was working for an ecommerce solution provider and a large number of their clients got falsely added to this db. MS also had a huge problem with this too, they flagged every single ecommerce site on the entire platform as malicious, they were quick to correct this issue but Symantec took forever to clear these merchants.

Posted by: Aaron Kocourek at mayo 26,2011 03:49
Please send trackbacks to: http://blog.hispasec.nospam/virustotal/48/tbZ3ping
Replace "nospam" with "com"
There are no trackbacks.
Post a comment