[Qgis-user] False positive with norton + whitelisting

Lens Paul paul.lens at gmx.com
Mon Dec 19 06:58:39 PST 2016 

Thanks for your response and also to Paolo's response.

I'm ready to help as far as I can with my limited skills.

The "vendor's form" (https://submit.symantec.com/whitelist/isv/) 
specifies that a corporate email adress is mandatory  to make a 
proactive whitelisting:
--------------------------excerpt----------------
Software Whitelisting Request

This form is for use by Vendors wishing to have their software 
proactively whitelisted by Symantec.

Important information
• Whitelisting is file/version specific. Future versions will not be 
whitelisted by default.
• New versions of your software should be submitted for whitelisting as 
they become available.
• For identity verification, a corporate email address is mandatory. 
Requests from free email domains will not be processed.
-------------------end of excerpt----------------

NB
In fact, the "vendor's" form is very much alike the user's form 
(https://submit.symantec.com/false_positive/) and the result seems also 
to be alike.

The only difference is that the user's form begins with the question 
"When did the detection .. occur?"; one of the possible responses is 
"the options provided do not apply".
Than you have to specify the kind of Symantec product.

I recall having read that the recognition is "cloud" based, whitelisting 
for one product holds for all "cloud based" Symantec products.

So there is the possibility to just fill the user's form  (which is in 
my reach) in case there is no other way!


Le 19/12/2016 à 14:59, Matthias Kuhn a écrit :
> Thanks Paul,
>
> Yes indeed it looks like every single version will need to be whitelisted.
>
> It would be interesting for us to upload every release, but it looks
> like it's a manual process that someone will need to take care of (at
> least it doesn't look like it's a scriptable API):
>
> https://submit.symantec.com/whitelist/isv/
>
> It also looks like code signing would be an alternative, but from a
> quick look at the page https://submit.symantec.com/whitelist/ , this
> mainly looks like a process to generate business for some CA with no
> open alternatives.
> But if someone has more experience in this area, it will be interesting
> to hear insights.
>
> I think the most sustainable approach is if
>
>   * someone volunteers to manually upload the files after new releases
>   * or possibly (if it helps...) someone sponsors a certificate
>
> Matthias
>
> On 12/19/2016 02:36 PM, Lens Paul wrote:
>> Thanks Matthias,
>>
>> I just received the answer of Symantec (Norton), here are some excerpts.
>>
>>
>> ----------------------------
>>
>> Upon further analysis and investigation we have verified your submission
>> and, as such, the detection(s) for the following file(s) will be removed
>> from our products:
>>
>>      File name: qgis_bin.exe
>>      MD5: 99002dab0a0525a941b4a473fe4b058b
>>      SHA256:
>> 5f1fe42b904298eecbb1c0bdc3cbb4a28dcbace3b1b65a250ef800d8158a4f51
>>      Note: Whitelisting may take up to 24 hours to take effect via Live
>> Update
>>
>>
>> If detection persists, please contact support:
>> * Norton:https://support.norton.com/sp/en/us/home/current/info
>>
>> ...
>>
>> If you are a software vendor and would like to upload your software for
>> proactive whitelisting, please complete one of the following forms:
>> * If you are BCS customer:https://submit.symantec.com/whitelist/bcs
>> * Otherwise:https://submit.symantec.com/whitelist
>>
>> For more information on best practices to reduce false positives:
>> http://www.symantec.com/content/en/us/enterprise/white_papers/b-to_increase_downloads-instill_trust_first_WP.en-us.pdf
>>
>> -------------
>>
>> Does it mean that they whitelist just one version of QGIS (in relation
>> with the signature MD5)?
>> Which means that every new version should also be submitted to them?
>> (luckily, the procedure is easy and not time-consuming).
>>
>> They also recommend a "software vendor" procedure, which is beyond my
>> understanding.
>>
>>
>> Regards and thanks to all the developers for the marvelous development
>> of QGIS,
>>
>> Paul
>> Le 19/12/2016 à 12:13, Matthias Kuhn a écrit :
>>> Thank you Paul,
>>>
>>> We have received similar reports in the past already.
>>>
>>> I think what you have done is the best approach: notify the antivirus
>>> producer about false alerts as a user and provide them with the required
>>> information (qgis-bin.exe etc.) to investigate the problem and update
>>> the heuristics or white list accordingly.
>>>
>>> With the information available from the general description of the
>>> heuristics, there is normally not a lot we can do to "solve" the problem
>>> from our side. If Norton asks more information, please just post again
>>> either on this list or on the qgis developer list.
>>>
>>> Thanks again
>>> Matthias
>>>
>>>
>>> On 12/19/2016 12:04 PM, Lens Paul wrote:
>>>> Hi all,
>>>>
>>>> For info to Norton Security Users,
>>>>
>>>> Using QGIS 2.18.1 on Windows 7 sp1 64 bits.
>>>>
>>>> Norton deleted twice, without warning, qgis-bin.exe + many .py files on
>>>> my computer + modified many registry entries.
>>>>
>>>> Message was "WS.Reputation.1", linked to the so-called SONAR function of
>>>> Norton Security.
>>>>
>>>> This is how it works : "WS.Reputation.1 is a detection for files that
>>>> have a low reputation score based on analyzing data from Symantec’s
>>>> community of users and therefore are likely to be security risks."
>>>>
>>>> The Norton (french-speaking) Assistance  confirmed me it is a false
>>>> positive. I asked them to put QGIS on the White List.
>>>>
>>>> NB: this is not the first time it happens for QGIS, see:
>>>> https://community.norton.com/en/forums/qgis-issue.
>>>>
>>>> Afterwards, I submitted also a demand for whitelisting, as a Norton
>>>> user, on the Norton website
>>>> (https://submit.symantec.com/false_positive/standard/), where
>>>> qgis-bin.exe can be uploaded for testing.
>>>>
>>>> I hope this will prevent any other disturbing false positive on Norton
>>>> products. Any suggestion?
>>>>
>>>> Paul
>>>>
>>>> _______________________________________________
>>>> Qgis-user mailing list
>>>> Qgis-user at lists.osgeo.org
>>>> List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
>>>> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
>>> _______________________________________________
>>> Qgis-user mailing list
>>> Qgis-user at lists.osgeo.org
>>> List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
>>> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
>> _______________________________________________
>> Qgis-user mailing list
>> Qgis-user at lists.osgeo.org
>> List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
>> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
> _______________________________________________
> Qgis-user mailing list
> Qgis-user at lists.osgeo.org
> List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user

More information about the Qgis-user mailing list