cloud reputation-based technology
A few days ago we included a new version of the Symantec engine that makes use of the company's reputation-based security technology. Since we have received a lot of emails asking about it, we think it is worth clarifying, and the Symantec folks have posted a quite enlightening entry on their blog:
"So what exactly is a Suspicious.Insight detection? These detections are derived from Symantec’s new reputation-based security technology. They highlight files that have not yet developed a strong reputation (either good or bad) amongst Symantec’s community of users."
To read more about it, visit Symantec's blog post or the reference page for the detection.
I have the same problems.
My home antivirus tool from F-Secure 2010 says
your online tool says Suspicious.Insight.
What can I do? Is that a Trojan or what?
Delphi should sue Symantec. Or better yet, a class action suit would probably be better. Symantec is using reputation-based security technology. They are basically flagging every piece of software with Suspicious.Insight. This does not mean there is a virus within the software being scanned. But it sure does lead people to think there is a virus in the software.
This stinks. How many small-time software developers will have a reputation "built up" big enough for Symantec to include them in their reputation-based security?
We recently uploaded a ZIP file containing an installation program for one of our products.
Of the 42 anti-virus programs, only Symantec's (version 20091.2.0.41, updated 2010.03.19) flags this as containing a virus, "Suspicious.Insight".
We submitted this file as a false positive to Symantec and received the following message:
"Suspicious.Insight is detection for files that have not yet developed a strong reputation among Symantec's community of users and is not based on observed malicious or nefarious activity."
So Symantec is flagging a file as containing a virus even though it admits that it has *no evidence* that the file contains a virus!
http://www.virustotal.com/estadisticas.html shows "Suspicious.Insight" as first on the list with over 33,675 Suspicious.Insight "detections". The next has only 3,500.
Your stats page also says:
Infected files which one or more antivirus engines failed to detect as a threat: 86,163
It's clear that Symantec is totally messing up Virustotal's statistics.
Avast (as I recall) was - a few weeks ago - reporting false positives with installers made using Inno Setup (which is widely used by independent software developers). Avast fixed this problem within days.
Inno Setup is used by thousands of independent software developers, whose products are usually not widely used and so (according to Symantec at the web page cited below) "have not yet developed a strong reputation among Symantec’s community of users."
It seems that almost any installation program made using Inno Setup will be reported by the Symantec program as infected, not because it contains a virus but because "the application is unproven", as Symantec says at
Moreover, it is causing some people (including potential purchasers of products by independent software developers) to believe that uninfected files are infected with a virus, thereby causing them to lose sales!
Symantec should be removed from Virustotal's suite of virus-detectors (until Symantec removes their bogus "Suspicious.Insight") because it is producing false positives for many thousands of programs and it behaves contrary to your stated purpose, which is to report on viruses actually detected, not on unfounded suspicions.
The only real problem here is that these detections from Symantec should actually be flagged as "unknown".
Symantec has made quite a big step forward with this new technology compared to what traditional AV used to be. Personally I would say it is more like a modern version of the old integrity scanners...
Traditionally AV works with blacklists, detecting bad objects. However, when you make a full scan of your system with such a traditional AV scanner and the result of the scan is that you have 0 detected malware, this does not actually mean your system is safe. What it really means is that there are 0% "known bad" objects on your system and 100% unknown objects.
Lately there is also a lot of talk about whitelisting, where the scanner scans and detects all the "known good" objects (files). This can work great on controlled systems where it is possible to maintain close to 100% "known good"; on normal users' systems, however, this cannot be done, so again the % of "unknown" is high.
What Symantec is trying to do here is actually something like a "full list" (combining blacklist and whitelist). So when you scan a system you can have a result like this: 0% known bad, 40% unknown and 60% known good. This is actually a huge step forward.
And Suspicious.Insight is the "unknown" from this "known bad / unknown / known good" approach. It is, however, up to users now to start to understand this difference, and up to Symantec (and possibly other vendors that will go this way) to make this difference clear to the users.
Personally I see nothing wrong with it; actually I even like and support it (the general idea of it, while the individual implementations by different vendors could be questionable).
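The three-state model described in the comment above (and the statistics skew Peter points out earlier, where a reputation-only label gets counted like a real detection) can be made concrete with a small script. This is an added example, not code from VirusTotal or Symantec; the engine names, the blacklist/reputation split per engine, the verdict strings other than "Suspicious.Insight", and the sample scan results are all constructed for illustration.

```python
"""Three-state aggregation of scanner verdicts: known bad / unknown / known good.

Added illustration, not code from VirusTotal or Symantec. Engine names,
verdict strings (other than "Suspicious.Insight") and all sample results
are constructed for this example.
"""
from collections import Counter
from typing import Optional

# Detection names a reputation engine uses to mean "no reputation yet",
# not "observed malicious". Only "Suspicious.Insight" comes from the page.
REPUTATION_ONLY_LABELS = {"Suspicious.Insight"}

# Which engines are pure blacklists and which also carry reputation data.
# Hypothetical classification used only for this example.
ENGINE_KIND = {
    "Symantec": "reputation",
    "Avast": "blacklist",
    "F-Secure": "blacklist",
    "ClamAV": "blacklist",
}

KNOWN_BAD = "known_bad"
UNKNOWN = "unknown"
KNOWN_GOOD = "known_good"
NOT_KNOWN_BAD = "not_known_bad"  # blacklist silence: no evidence either way


def classify(engine: str, verdict: Optional[str]) -> str:
    """Map one engine's raw result onto the three-state model.

    A silent blacklist engine has only shown the file is not on its
    blacklist; it cannot vouch for the file. A silent reputation engine has
    seen the file establish a good reputation. A reputation-only label is
    the explicit 'unknown' bucket and carries no evidence of harm.
    """
    kind = ENGINE_KIND.get(engine, "blacklist")
    if verdict is None:
        return KNOWN_GOOD if kind == "reputation" else NOT_KNOWN_BAD
    if verdict in REPUTATION_ONLY_LABELS:
        return UNKNOWN
    return KNOWN_BAD


def summarize(results: dict) -> dict:
    """Aggregate {engine: verdict} for one file.

    'naive_detections' counts every non-empty verdict the way a plain
    detection ratio does; 'detections' excludes reputation-only labels.
    """
    states = Counter(classify(e, v) for e, v in results.items())
    naive = sum(1 for v in results.values() if v is not None)
    return {
        "engines": len(results),
        "naive_detections": naive,
        "detections": states[KNOWN_BAD],
        "unknown": states[UNKNOWN],
        "known_good": states[KNOWN_GOOD],
        "flagged_infected_naive": naive > 0,
        "flagged_infected": states[KNOWN_BAD] > 0,
    }


def corpus_stats(scans) -> dict:
    """Count files an aggregator would call 'infected' with and without
    treating reputation-only labels as detections."""
    naive = sum(summarize(s)["flagged_infected_naive"] for s in scans)
    strict = sum(summarize(s)["flagged_infected"] for s in scans)
    return {"files": len(scans), "infected_naive": naive, "infected": strict}


# Constructed scan of a freshly built installer: only the reputation engine
# speaks, and only to say it has no reputation data for the file.
NEW_INSTALLER = {
    "Symantec": "Suspicious.Insight",
    "Avast": None,
    "F-Secure": None,
    "ClamAV": None,
}

# Constructed scan of a real trojan: blacklist hits plus a reputation hit.
# Verdict names are hypothetical.
TROJAN_SAMPLE = {
    "Symantec": "Trojan.Gen",
    "Avast": "Win32:Trojan-gen",
    "F-Secure": None,
    "ClamAV": "Trojan.Agent",
}


if __name__ == "__main__":
    print(summarize(NEW_INSTALLER))
    print(summarize(TROJAN_SAMPLE))
    print(corpus_stats([NEW_INSTALLER, TROJAN_SAMPLE]))
```

Run it directly to see the per-file summaries. The point is that the new installer goes from 1 of 4 "detected" under a naive count to 0 detected and 1 unknown once reputation-only labels get their own bucket, while the trojan sample stays detected either way; a corpus statistic that counts the naive way inflates both "detections" and "infected files some engines missed".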
I fully agree with Peter. Symantec should be removed from Virustotal's site because it is producing false positives on every InnoSetup-generated install program.
I have expanded my earlier post into "An Open Letter to Symantec Corporation about 'Suspicious.Insight'", which is now to be seen at: http://www.hermetic.ch/symantec_letter.htm
Links to this page are welcome.
In case you did not check the Norton site, there are some "bright" suggestions from their users regarding "Suspicious.Insight":
and see Norton's response. It is getting worse.
I received a message from Symantec on this subject, and my reply is to be seen, following the open letter mentioned in my previous message, at http://www.hermetic.ch/symantec_letter.htm.
Symantec replied to my message on March 30 and my reply of the same date is to be seen at http://www.hermetic.ch/symantec_letter.htm.
The main point I made is that Symantec is creating a problem for independent software developers (namely, harming their sales) by apparently reporting to users of Virustotal that every new product or new version that a vendor releases is infected by 'Suspicious.Insight', when in fact Symantec in almost all cases has *no evidence* at all to support such a claim.
>The only real problem here is that these detections from Symantec should actually be flagged as "unknown".
NO! The REAL PROBLEM is that Symantec is flagging program files as (apparently to the user of Virustotal) infected by a virus or some other malware (when almost always this is a false positive) and is thus causing independent software vendors to LOSE SALES! Isn't this blindingly clear?
>Symantec has made quite a big step forward with this new technology
A big step forward in duplicitous marketing, perhaps, but NOT in virus detection. And at the cost of Symantec's credibility and reputation, as well as at the cost of lost sales to independent software vendors.
You can bet that everything released by Micro$oft, Adobe and suchlike companies will be "safe" no matter how dangerous they are to their users (old versions of Adobe Flash, say, that have well-known and also fairly frequently exploited vulnerabilities).
Not that security software pretends to expose vulnerabilities -- no, they feast on the fear people have of viruses. But they look at their Norton AV report and feel safe...
The good news is virustotal has apparently dropped Suspicious Insight in their reports. The bad news is NAV users are asking for Symantec to up the ante on this nonsense:
Jim: I'd of course be ecstatic if Delphi sued Symantec over this, but just to be clear: this has nothing to do with Delphi apps. Any app that Symantec doesn't have in their database will be flagged as "suspicious".
DPlot Graph Software
(Hopefully no longer "suspicious")
Wow, this is really sad; they have to stoop to low tactics like this. I usually never trust the big companies when it comes to their software. While some of it can be not too bad, most of it can be junk. And Norton has gotten worse over the years.
Funny that every developer with a fresh application should write an open letter to Symantec to get removed from a fake virus DB?
Unfortunately they have a huge install base in the enterprise and in the unsuspecting/bundle-victim home market. I am surprised I didn't hear about this anywhere until today.
This is actually a major, widespread problem. I was working for an ecommerce solution provider and a large number of their clients got falsely added to this DB. MS also had a huge problem with this; they flagged every single ecommerce site on the entire platform as malicious. They were quick to correct this issue, but Symantec took forever to clear these merchants.