FYI, Symantec AV nukes Opus 11.5 installer

Hello,
We use Symantec Endpoint Protection anti-virus at my work location. It is currently nuking Opus 11.5. Due to corporate policy, this behavior cannot be resolved or worked around from my end. Don't know why they think Opus 11.5 has issues, but I thought I'd mention it. Until Symantec whitelists this, I can't download or install the app. :frowning:

Just FYI...


You could work around it using the beta 11.4.5, which basically should have the same features as 11.5.

Yep. Same here with Norton 360. Since my user is not an Admin user I can't see how to get to the Quarantine directory to retrieve the file (assuming it is not really infected......).
Maybe I'll wait a few days to see if Norton changes its mind about this download.


Quick update on my Norton 360 post. I saw that Norton did not Quarantine the file. It just deleted it..... Bit harsh, maybe you could submit it for whitelisting, e.g. here: submit.symantec.com/whitelist/


All the screenshots show the only issue is "reputation".

This is always going to happen if you have your A/V set to panic about files which have not been seen by many people, and you then run a file that has only been released for a few hours.

The files are digitally signed, which is as good as us sending them to Symantec. They still would not have been seen by many other users, which is a chicken-and-egg problem we cannot do anything about.

You should either wait a few days before installing new software, or configure your antivirus not to panic about new software. If you have any issues, ask Symantec for support, as this is all entirely outside of our control.

Hi Leo,

Actually, it is not really outside your control, which is why I brought it to your attention in case you are interested. Symantec has a link (submit.symantec.com/whitelist/) where you can proactively submit items to be whitelisted. I'd do it for you, but they want the executable, and I can't get it.

But as you say, waiting it out for a few days might work. Odd that the betas and previous versions didn't get flagged tho...

[quote="leo"]All the screenshots show the only issue is "reputation".

The files are digitally signed, which is as good as us sending them to Symantec. They still would not have been seen by many other users, which is a chicken-and-egg problem we cannot do anything about.

You should either wait a few days before installing new software, or configure your antivirus not to panic about new software. If you have any issues, ask Symantec for support, as this is all entirely outside of our control.[/quote]

I find it strange that under Properties > Digital Signature Information, the Countersignatures > Name of signer is Symantec Time Stamping Services Signer - G4 with a signing time of 7-3-2014 9:16:06 p.m. -> So the digital signature is registered WITH Symantec, but they are flagging the installer as untrustworthy?

[quote="ripsnark"]Hi Leo,

Actually, it is not really outside your control, which is why I brought it to your attention in case you are interested. Symantec has a link (submit.symantec.com/whitelist/) where you can proactively submit items to be whitelisted.[/quote]

I am assuming the whitelisting process is not instant. (If it is then it seems pointless as anyone could automate submissions and it's no more useful than the existing digital signatures, which already establish that the installers come from us.)

Assuming it is not instant, we would have to wait some time between submitting a release and letting people download it. That doesn't seem any different to people with paranoid antivirus waiting, except that it would force everyone to wait.

And there are so many antivirus vendors that having to submit our installer* to each one would be ridiculous. Symantec don't deserve special treatment here, and they should really improve the wording of their alerts, and perhaps make their algorithm not panic if a signed installer which is an update to a program the user has had installed for years is released. I've seen the same threads appear for all sorts of software. This is entirely an issue of Symantec's creation, and not ours to deal with. Our release process already contains enough work without Symantec adding to it because they have designed such a poor system. Users should push back on a/v vendors who do this kind of thing so badly.

(*Edit: Actually, installers. Every release has six different versions and six installers, for 32-bit + 64-bit x Universal + German + Chinese.)

Over the years, Norton have been generally one of the more professional antivirus companies but I guess there are more interesting things to work on these days than AV so maybe they are having trouble finding good help. :slight_smile: And like all such companies they can descend into the mire of behaving like Scareware mongers at times.

With respect to Norton (and any other company) it's completely ridiculous that 'they' want 'us' to submit each of 'our' products we wish to release to 'them' for permission every time we release a new version (and that's 6 different programs for EACH release), and, we have to do this EVERY time. Some other companies used to do this before they accepted that a digitally signed installer product signed with a registered and reputed code authentication key is perfectly acceptable, especially when it comes from a long established company.

We have some colloquial sayings here in Australia which involve walls, jumping and private parts to describe such behaviour, but I digress.

Much to my annoyance and time wasting, I have submitted one report to them of their current unconscionable behaviour with their aptly named Shareware term "WS.Reputation.1" reports from our recent releases.

However it seems they are really as superficial in their analysis as is suggested. Sigh... This analysis threat method (so far anyway from my limited testing with NAV) seems to apply only to .exe files and not to .zips. So I have created ZIP downloads for those users who are unfortunately using Norton until they (Norton) start acting professionally. Those stuck in the Norton jelly can download the programs from these links as zip files.

- Directory Opus 32-bit

Let us know how this works.

Speaks volumes re Symantec's processes.

The AV business as a standalone product is dying on its feet. Some vendors have admitted as much.

And that includes Symantec:

Symantec And Security Starlets Say Anti-Virus Is Dead

Seems that they are going down flailing around like headless chickens.

Greg, Leo,

Thanks for all your attention to this matter. I didn't mean to cause you guys any extra work, it's just frustrating when this antivirus stuff starts interfering when there's no concern at all. The ZIP files you posted worked fine, BTW.

My company locks down the AV stuff really hard, so there's not much I can do to work around these types of issues except wait it out. Just an amusing example for you, about 6 months ago I got hit with some drive-by malware simply by googling for some programming help. I immediately shut everything down but it was too late; Symantec didn't catch it but it did flag it as an issue. Within about 1 hour, someone from our IT dept shows up unannounced, confiscates my machine, and wipes my hard drive right on the spot. How's that for paranoia... :slight_smile:

Hi Greg/Leo,
Yes, thanks. The .zip worked for me (after I used Explorer and copied the .exe out manually, as using WinRar invoked an anti-virus check which deleted the file..... aaaarh) (in DO 11.5 [I moved from 11.2] WinRar seems more integrated, so that files are shown in the Opus Window, rather than opening WinRar).
Incidentally Norton may have turned the wick up on their detection using the 'so-called' File Insight ( :confused:) detection. I downloaded the latest KeePass version tonight and got the same deletion treatment, whereas last time this was quarantined. Although it may be that a brand new file is first deleted, then moves (after several people download the file) to quarantine after a few days of detection and finally when 20 million people seem to have downloaded it without incident it moves to the whitelist.

Anyhow, we know what to do next time.

Unfortunately this is activated by default.

The WS.Reputation.1 check is the dumbest thing Symantec ever developed. I'm using quite a bunch of software, and I often had problems with it. No need to say that none of the alarms was related to a real threat. :unamused:

It can be turned off in the settings, but NIS seems to just ignore this: :imp:


Cheers,
Jan

Just an update on this situation. Today we've had a followup response from Kevin Haley at Symantec as follows:-

"I wanted to follow-up to tell you that the problem has been corrected. You should not be seeing any false positives with the files. Additionally we have white listed those files so they will not experience a false positive with any of our detection technologies. I did want to point out that on detection Norton does not delete the files. They are recoverable from Quarantine. So customers can quickly rectify a false positive."

If anyone still sees an issue, please report it immediately to Symantec if at all possible.

We shall see what happens with the new Beta releases later today... :slight_smile:

Just downloaded the new 11.5.1 Beta and Symantec has had its wicked way (sigh)! This is the pop-up received on a corporate laptop.


Regards, AB

I should add that thanks to the information provided in Greg's post I hung in there and succeeded in recovering the executable from Symantec quarantine after navigating through several dire warnings.

Regards, AB

LOL. "There is strong evidence that this file is untrustworthy." Simply idiotic behaviour for a company that used to have a good reputation. Only thing I can see that's untrustworthy is Symantec's AV software.

I've filed another report with them.

I'm running the latest Norton Internet Security (NIS) and have just downloaded 11.5.1 beta with no repeat of the virus alert from NIS.

11.5 did give the false positive when I downloaded that on its release.

update:

All should now be ok. We've had an update from Kevin Haley at Symantec today (12/7/14) as below so all issues with False Positives should now be resolved.

[quote]It looks like I need to eat some humble pie. We did not fix this issue. My apologies for this. And for misleading you.

As you know we white listed the first set of files, so those will not experience an FP. Last night, based on your email/submission to us, the team white listed the new files. So there will not be problems with the current group of in-field files.

What we wanted to solve was the issue with new files that you create. We thought we had that in place. Obviously it was not. We had some QA issues that made it harder for us to spot the problem. Today we re-grouped. We are looking into root causes. However, while that is ongoing we have taken two additional steps, a belts and suspenders approach, to avoid further issues with new files you release.

In short, given the digital signatures used with your files and the reputation of the URLs used to download your files, we should not have had a false positive on any of your files. While we look to find the problem, we have instituted two additional safeguards, which will prevent false positives, even if the root cause of the original false positive is not discovered.

While I realize that my credibility is certainly to be questioned on this subject, I do believe that we have put the safeguards in place to prevent future problems.

Regards,
Kevin[/quote]

Hm, I started LiveUpdate (Norton Internet Security 2014) manually and even rebooted the computer, then re-downloaded the new beta. It was quarantined again. When downloading, I always add the version number to the file name, but that shouldn't make a difference.

Well, as it seems, the issue is not yet solved... :unamused:

Cheers, Jan