3

One person on my team found their VB6 IDE was no longer working. We eventually realized that the file VB6.EXE (from C:\Program Files (x86)\Microsoft Visual Studio\VB98) was missing and that this was because Symantec Endpoint Protection (14) had removed it due to WS.Reputation.1 (noted in Symantec logs).

I tried copying back the EXE from another PC and you could literally watch the file disappear from Explorer within a couple of seconds of being copied. Fail.

This only occurred on this single PC. Everyone here is using VB6 and has the same antivirus, so it is confounding why it happened only to a single person.

Could there be some factor unique to this one PC that caused this? If so (or if not...) how can we work around this?

Other details:

  • New-ish PC, in use for about 2 weeks
  • VB6 had previously been working
  • Windows 10
  • Symantec Endpoint ver 14, corporate environment / centrally administered

Symantec's docs for WS.Reputation.1:

WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.

StayOnTarget
  • 1
    One more reason to avoid Symantec products. The idea of anti-malware making decisions based on a mechanism designed to be gamed through troll clans and bot farms is ridiculous. We get enough of that as it is here at SO from the .Net troll community. – Bob77 May 14 '18 at 18:25
  • But the problem is that it's NOT done that way, no matter what they claim. I have the same problem with a customer, and the program in question existed on exactly two machines on the planet, mine and his. When I tested it on other machines with precisely the same Symantec install, it ran fine. This is apparently based on some internal heuristic about the way the app is installed and where, and has nothing to do with any "reputation". – Maury Markowitz Apr 06 '20 at 19:05
  • I want to say Symantec is a life saver for me.. I downloaded some backdoored files from a shady site which infected all running files on my computer and those infected running files would infect new running files making all files (exe/dll) on my computer corrupted.. no virus scanner could detect this virus not Kaspersky/ESET/NOD32/Avast none of them.. only Symantec and it was also `WS.Reputation.1` I couldn't figure out what kind of virus it was until I compared my file with a backup file using HexCmp and found it added a PE MZ header to the bottom of each file.. and corrupted each file's EP – SSpoke May 07 '20 at 06:16
  • 1
    @SSpoke I wasn't dissing Symantec in general. It may be that they have sufficiently improved detection for WSR1 by now. – StayOnTarget May 07 '20 at 12:01

1 Answer

4

Report this false positive to Symantec to have it properly resolved:

https://submit.symantec.com/false_positive/


I submitted to Symantec and after 1-2 days I received the following reply:

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

File name: VB6.EXE
MD5: 8AC4F5C29334B3C1B667B92EF860023A
SHA256: 971F73C9AC27EF3D50C1AC36D154674AB3A9957F967BFF6A62D5D18A75CFD910
Note: Whitelisting may take up to 24 hours to take effect via Live Update

Since I assume this is a truly global change, perhaps if this works it will work for other people also. However as noted above they may be taking action only for this exact version of the VB6 executable. If other editions of VB6 or various service packs changed this EXE I'm not sure if this will have an effect or not.

The info above pertains to VB6 with SP6 which is labelled "Version 9782" in Help > About.


Note: this did appear to work.

StayOnTarget
  • Will I have to do this every time I rebuild the exe? – anandhu Sep 18 '20 at 13:44
  • 1
    @anandhu good question... If they are going on the hash values (md5, etc.) then I would think so. But this might be worth posting as a new question actually. – StayOnTarget Sep 18 '20 at 13:46
  • done! https://stackoverflow.com/questions/63958615/is-symantec-whitelisting-for-fixing-ws-reputation-1-warning-future-proof – anandhu Sep 18 '20 at 15:29
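
Added example (not part of the original answer or comments): a PowerShell check of whether a given copy of VB6.EXE is the exact file named in Symantec's reply. It assumes the removal of the detection is keyed on the MD5/SHA256 values quoted in that reply, which the thread raises but does not confirm; the function name `Test-AllowlistedBuild` is hypothetical.

```powershell
# Added example. Hash values are copied from the Symantec reply quoted in the
# answer; treating them as the allowlist key is an assumption.
$Allowlisted = @{
    MD5    = '8AC4F5C29334B3C1B667B92EF860023A'
    SHA256 = '971F73C9AC27EF3D50C1AC36D154674AB3A9957F967BFF6A62D5D18A75CFD910'
}

function Test-AllowlistedBuild {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Expected
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # The file may already have been removed by the endpoint agent.
        return [pscustomobject]@{
            Path = $Path; Present = $false; FileVersion = $null
            Mismatched = @(); Covered = $false
        }
    }

    # Collect every algorithm whose digest differs from the reply's value.
    $mismatched = foreach ($alg in $Expected.Keys) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash
        if ($actual -ne $Expected[$alg]) { $alg }
    }

    [pscustomobject]@{
        Path        = $Path
        Present     = $true
        FileVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        Mismatched  = @($mismatched)
        Covered     = (@($mismatched).Count -eq 0)
    }
}

# Path taken from the question.
$vb6 = 'C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.EXE'
Test-AllowlistedBuild -Path $vb6 -Expected $Allowlisted | Format-List
```

A copy from a different service pack, or any rebuilt executable, produces different digests and reports `Covered : False`, so under this assumption it would need its own submission.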