Closed Bug 765979 Opened 12 years ago Closed 12 years ago

Installing of Yohoho! with symantec endpoint protection reports app exe as malicious and as a security risk

Categories

(Tech Evangelism Graveyard :: English US, defect)

Product:
Tech Evangelism Graveyard
Component:
English US
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: jsmith, Unassigned)

Details

Attachments

(5 files)

Symantec Endpoint Protection Error
40.18 KB, image/png
Details
Yohoho! exe detail properties
55.69 KB, image/jpeg
Details
security tab
60.72 KB, image/jpeg
Details
screenshot from a signed file
27.76 KB, image/png
Details
here's the latest screenshot
47.39 KB, image/jpeg
Details 
Customer feedback report indicated that he installed an app called Yohoho! which resulted in sending an error to the user that the exe installed on the machine was malicious and a security risk. See screenshot. Needs more investigation to determine root cause.
Keywords: qawanted
Do we have a way to contact this user to know if this is the only app that he tried to install or if other apps were allowed?
(In reply to Felipe Gomes (:felipe) from comment #1)
> Do we have a way to contact this user to know if this is the only app that
> he tried to install or if other apps were allowed?

Yup. Just cc-ed the person who reported the issue. Ahmad - Could you help address the question in comment 1?
(In reply to Felipe Gomes (:felipe) from comment #1)
> Do we have a way to contact this user to know if this is the only app that
> he tried to install or if other apps were allowed?

Hello felipe, 

I dont really sure how its happen. Yohoho! is actually my first paid web apps on Moz Marketplace. I've been installing several free apps and no problem happen with my Antivirus.

FYI, I'm using Symantec Endpoint Protection 12.1 64bit Edition on Windows 7 Ultimate 64bit.

Maybe its just false detection by Symantec. After several digging in Symantec Site, i found this:
--
Behavior
WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.

--

After several attemp installing Yohoho! again, I managed to install the apps. have tried in several laptop with symantec installed and Its good to go.


Regards,
I've been thinking.. does every apps installed from moz Marketplace have to be exe fileformat in windows? From my experience, several office have a policy that restrict to download exe fileformat from internet in their network. it might be troublesome for several people.

just my 2cents.


Regards,
QA Contact: jsmith
Kev - Do we have contact at Symantec that I could ask why the way to we do app management in a Windows roaming profile causes Symantec to report the error the user has seen? Are there any mitigations we need to do on our end? Any mitigations on the antivirus end? Trying to figure out if our current web apps implementation could risk flagging antiviruses or not and what we should do about it.
Removing qawanted - this sounds like a tech evangelism web apps bug. Kev or Tomcat - Thoughts?
Assignee: nobody → english-us
Component: Web Apps → English US
Keywords: qawanted
Product: Firefox → Tech Evangelism
QA Contact: jsmith
seems Symantec has a form up for such insight false positive cases -> https://submit.symantec.com/false_positive/insight/?w=1 

Kev shall i fill out that form or do we have better contacts a symantec
Are we signing the webruntime exe?
(In reply to Kev [:kev] Needham from comment #8)
> Are we signing the webruntime exe?

Good question. Felipe, Tim, or Myk?
Latest Windows nightlies created signed apps, so it'd be good to understand what version of Fx the reporter is using, and to have them check their app (in ~/AppData/Roaming/<origin>) to see if the .exe is signed. I'd like to understand if the app reported was signed or not, because if it's not that can be a trigger. The app I installed today had what appeared to be a valid code signing cert from Symantec.
Sorry, hit save changes too soon. If the app is signed with a valid cert, or if we're seeing this elsewhere, I can reach out to the Symantec detection team. Need more info, and I'll get Norton on a test box as well to see if it can be easily repro'd (Tomcat, if you can do the same that'd be great)
I confirmed as well that the app exes appear to be signed.

Ahmad, can you check if the executable for Yohoho! is signed? To do this, do the following:

1. Right click on the shortcut on your desktop to Yohoho! and select properties
2. Go to Shortcut Tab and click "Open File Location"
3. Right click on the executable for Yohoho and select properties
4. Go to the tab "Digital Signatures"
5. Check to see if there a signature in that list named "Mozilla Corporation"
this is what the file properties have on my Win 7 Professional 64 bit.

as i report before, looks like exe file has been 'normal' after several trying to install it. I wondering, if this issue happened to anyone else?
Attachment #643388 - Flags: review+
Attachment #643388 - Flags: review+
(In reply to Ahmad Sarjono from comment #13)
> Created attachment 643388 [details]
> Yohoho! exe detail properties
> 
> this is what the file properties have on my Win 7 Professional 64 bit.
> 
> as i report before, looks like exe file has been 'normal' after several
> trying to install it. I wondering, if this issue happened to anyone else?

Ahmad, in that Yohoho! exe properties, can you look at the security tab specifically? Does it show a signature named "Mozilla Corporation?"
Attached image security tab 
this is what security tab looks like
IMHO, in windows 7.. all information regarding file information is in "detail tab"
(In reply to Kev [:kev] Needham from comment #11)
> Sorry, hit save changes too soon. If the app is signed with a valid cert, or
> if we're seeing this elsewhere, I can reach out to the Symantec detection
> team. Need more info, and I'll get Norton on a test box as well to see if it
> can be easily repro'd (Tomcat, if you can do the same that'd be great)

Kev - Does these two screenshots help? Or is there more info needed here?
(In reply to Jason Smith [:jsmith] from comment #16)
> (In reply to Kev [:kev] Needham from comment #11)
> > Sorry, hit save changes too soon. If the app is signed with a valid cert, or
> > if we're seeing this elsewhere, I can reach out to the Symantec detection
> > team. Need more info, and I'll get Norton on a test box as well to see if it
> > can be easily repro'd (Tomcat, if you can do the same that'd be great)
> 
> Kev - Does these two screenshots help? Or is there more info needed here?

Seems the file is not signed - see attachment of a signed file there is the "digital signature" tab where the signing information (issuer etc) is displayed.
I've managed to install Yohoho! at another PC and looks like this one had Digital Signature on it.
Ok checked the file from marketplace and its signed with a valid signature etc - also a virustotal scan showed no error/flagged as virus/malware.

So is this now fixed?
(In reply to Carsten Book [:Tomcat] from comment #19)
> Ok checked the file from marketplace and its signed with a valid signature
> etc - also a virustotal scan showed no error/flagged as virus/malware.
> 
> So is this now fixed?

Possibly. I'd say let's close this ticket for now as it does not seem to happen on the user's machine anymore. If we see another issue pop up, then let's handle it on a case by case basis.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Product: Tech Evangelism → Tech Evangelism Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: