This file has a bad reputation?

Posted by HTML-Kit Support July 19, 2012
 

I've gotten several reports from HTML-Kit users about Norton security software removing HTML-Kit setup files. In short, this is a false positive. But here's a long explanation of what's happening.

One of the relatively new trends in security software is a cloud-based file scoring/reputation system. If a program is not widely used, it's assumed to be high risk (even if there's no actual problem with the program).

You may have seen this in action if you've seen a warning like "WS.Reputation.1" (Symantec/Norton Security software), "this file isn't commonly downloaded" (IE SmartScreen Filter), or "this file appears malicious" (Chrome).

The intention here is good -- warn people when they try to download a program that hasn't already been downloaded by a lot of other people.

The problem is that this hurts independent software developers.

HTML-Kit is a frequently updated program. Each time it's updated, its file signature looks new to security software, which then concludes that HTML-Kit has never been seen before or has a low reputation, and warns potential users that it's risky to download. Again, this happens even when a program doesn't pose any security threat at all.

Of course, a program's reputation won't go up until enough computers running a given security product report back to that product's cloud how many times the program has been downloaded, which creates something of a chicken-and-egg problem.

If you've run into this problem while trying to install HTML-Kit, or want to double check the program before installing, you can run a third-party scan of HTML-Kit. As always, please feel free to contact me or post on the forum if you have any further questions or concerns.

I'll end this post with quotes from other software developers running into this issue.

As Steven Kelly says in his blog:

Google Chrome's 'this file appears malicious' warnings are false and unfounded in too many cases. Similar problems exist with IE, and some anti-virus software. Their tests include two factors that have nothing to do with whether the code is malicious: packed executable, and low number of previous downloads.

A quote from Andreas Löw's blog entry "WS.Reputation.1 or How Symantec ruins independent developers" on 23-Jun-2012:

"Symantec blocks a TexturePacker updates from being installed because they say it has a 'bad reputation'" Well - it's a new update - which is why nobody was able to install it yet. And nobody will install it because Symantec tells people not to do so... Since nobody does install it the reputation is low - which causes Symantec to warn people about installing it...