Installing Yohoho! with Symantec Endpoint Protection reports app exe as malicious and as a security risk

RESOLVED WORKSFORME

7 years ago
4 years ago

People

(Reporter: jsmith, Unassigned)

Attachments

(5 attachments)

(Reporter)

Description

7 years ago
Created attachment 634246 [details]
Symantec Endpoint Protection Error

A customer feedback report indicated that he installed an app called Yohoho!, which resulted in an error being sent to the user saying that the exe installed on the machine was malicious and a security risk. See screenshot. Needs more investigation to determine root cause.
(Reporter)

Updated

7 years ago
Keywords: qawanted
Do we have a way to contact this user to know if this is the only app that he tried to install or if other apps were allowed?
(Reporter)

Comment 2

7 years ago
(In reply to Felipe Gomes (:felipe) from comment #1)
> Do we have a way to contact this user to know if this is the only app that
> he tried to install or if other apps were allowed?

Yup. Just cc-ed the person who reported the issue. Ahmad - Could you help address the question in comment 1?

Comment 3

7 years ago
(In reply to Felipe Gomes (:felipe) from comment #1)
> Do we have a way to contact this user to know if this is the only app that
> he tried to install or if other apps were allowed?

Hello Felipe,

I'm not really sure how it happened. Yohoho! is actually my first paid web app on Moz Marketplace. I've been installing several free apps and no problem happened with my antivirus.

FYI, I'm using Symantec Endpoint Protection 12.1 64-bit Edition on Windows 7 Ultimate 64-bit.

Maybe it's just a false detection by Symantec. After some digging on the Symantec site, I found this:
--
Behavior
WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.

--

After several attempts at installing Yohoho! again, I managed to install the app. I have tried on several laptops with Symantec installed and it's good to go.


Regards,

Comment 4

7 years ago
I've been thinking... does every app installed from Moz Marketplace have to be in exe file format on Windows? From my experience, several offices have a policy that restricts downloading exe files from the internet on their network. It might be troublesome for several people.

Just my 2 cents.


Regards,
(Reporter)

Updated

7 years ago
QA Contact: jsmith
(Reporter)

Comment 5

7 years ago
Kev - Do we have a contact at Symantec that I could ask why the way we do app management in a Windows roaming profile causes Symantec to report the error the user has seen? Are there any mitigations we need to do on our end? Any mitigations on the antivirus end? Trying to figure out if our current web apps implementation could risk flagging antiviruses or not and what we should do about it.
(Reporter)

Comment 6

7 years ago
Removing qawanted - this sounds like a tech evangelism web apps bug. Kev or Tomcat - Thoughts?
Assignee: nobody → english-us
Component: Web Apps → English US
Keywords: qawanted
Product: Firefox → Tech Evangelism
QA Contact: jsmith
Seems Symantec has a form up for such insight false positive cases -> https://submit.symantec.com/false_positive/insight/?w=1

Kev, shall I fill out that form, or do we have better contacts at Symantec?
Are we signing the webruntime exe?
(Reporter)

Comment 9

7 years ago
(In reply to Kev [:kev] Needham from comment #8)
> Are we signing the webruntime exe?

Good question. Felipe, Tim, or Myk?
Latest Windows nightlies created signed apps, so it'd be good to understand what version of Fx the reporter is using, and to have them check their app (in ~/AppData/Roaming/<origin>) to see if the .exe is signed. I'd like to understand if the app reported was signed or not, because if it's not that can be a trigger. The app I installed today had what appeared to be a valid code signing cert from Symantec.
Sorry, hit save changes too soon. If the app is signed with a valid cert, or if we're seeing this elsewhere, I can reach out to the Symantec detection team. Need more info, and I'll get Norton on a test box as well to see if it can be easily repro'd (Tomcat, if you can do the same that'd be great)
(Reporter)

Comment 12

7 years ago
I confirmed as well that the app exes appear to be signed.

Ahmad, can you check if the executable for Yohoho! is signed? To do this, do the following:

1. Right click on the shortcut on your desktop to Yohoho! and select properties
2. Go to Shortcut Tab and click "Open File Location"
3. Right click on the executable for Yohoho and select properties
4. Go to the tab "Digital Signatures"
5. Check to see if there is a signature in that list named "Mozilla Corporation"
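
A scripted counterpart to the manual check in comment 12, added here as an example and not part of the original bug thread: an Authenticode signature embedded in an exe is stored in the PE certificate table (data directory index 4), so reading that entry shows whether a signature is present at all. It does not validate the signature or identify the signer; the function names and the sample PE bytes are constructed for this illustration.

```python
import struct

def embedded_signature_info(pe_bytes):
    """Return None if the PE has no embedded certificate table, else a dict for
    the first WIN_CERTIFICATE entry. Presence only: nothing is validated."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", pe_bytes, 0x3C)   # e_lfanew
    if pe_bytes[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = pe_off + 4 + 20              # optional header follows the COFF header
    (magic,) = struct.unpack_from("<H", pe_bytes, opt)
    if magic == 0x10B:                 # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:               # PE32+ (64-bit)
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (num_dirs,) = struct.unpack_from("<I", pe_bytes, count_off)
    if num_dirs <= 4:
        return None
    # Directory 4: for this entry the first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", pe_bytes, dirs_off + 4 * 8)
    if cert_off == 0 or cert_size == 0:
        return None                    # unsigned: no embedded signature
    if cert_size < 8 or cert_off + cert_size > len(pe_bytes):
        raise ValueError("certificate table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", pe_bytes, cert_off)
    return {"offset": cert_off, "length": length, "revision": revision,
            "pkcs7": cert_type == 0x0002}   # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def build_sample_pe(signed):
    """Constructed minimal PE32 headers (not a runnable program) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    if signed:
        blob = b"\x30\x82" + b"\0" * 14                 # placeholder, not real PKCS#7
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        struct.pack_into("<II", image, 0x40 + 24 + 96 + 32, len(image), len(cert))
        image += cert
    return bytes(image)

if __name__ == "__main__":
    for label, signed in (("unsigned", False), ("signed", True)):
        print(label, embedded_signature_info(build_sample_pe(signed)))
```

To check a real file, pass the bytes of the installed exe to `embedded_signature_info`; a `None` result matches the missing "Digital Signatures" tab discussed in the thread.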

Comment 13

7 years ago
Created attachment 643388 [details]
Yohoho! exe detail properties

This is what the file properties show on my Win 7 Professional 64 bit.

As I reported before, it looks like the exe file has been 'normal' after several tries at installing it. I wonder if this issue has happened to anyone else?
Attachment #643388 - Flags: review+
(Reporter)

Comment 14

7 years ago
(In reply to Ahmad Sarjono from comment #13)
> Created attachment 643388 [details]
> Yohoho! exe detail properties
> 
> This is what the file properties show on my Win 7 Professional 64 bit.
> 
> As I reported before, it looks like the exe file has been 'normal' after several
> tries at installing it. I wonder if this issue has happened to anyone else?

Ahmad, in the Yohoho! exe properties, can you look at the security tab specifically? Does it show a signature named "Mozilla Corporation"?

Comment 15

7 years ago
Created attachment 643715 [details]
security tab

This is what the security tab looks like.
IMHO, in Windows 7 all information regarding the file is in the "detail tab".
(Reporter)

Comment 16

7 years ago
(In reply to Kev [:kev] Needham from comment #11)
> Sorry, hit save changes too soon. If the app is signed with a valid cert, or
> if we're seeing this elsewhere, I can reach out to the Symantec detection
> team. Need more info, and I'll get Norton on a test box as well to see if it
> can be easily repro'd (Tomcat, if you can do the same that'd be great)

Kev - Do these two screenshots help? Or is there more info needed here?
Created attachment 643813 [details]
screenshot from a signed file

(In reply to Jason Smith [:jsmith] from comment #16)
> (In reply to Kev [:kev] Needham from comment #11)
> > Sorry, hit save changes too soon. If the app is signed with a valid cert, or
> > if we're seeing this elsewhere, I can reach out to the Symantec detection
> > team. Need more info, and I'll get Norton on a test box as well to see if it
> > can be easily repro'd (Tomcat, if you can do the same that'd be great)
> 
> > Kev - Do these two screenshots help? Or is there more info needed here?

Seems the file is not signed - see the attachment of a signed file: there is the "digital signature" tab where the signing information (issuer etc.) is displayed.

Comment 18

7 years ago
Created attachment 644210 [details]
here's the latest screenshot

I've managed to install Yohoho! on another PC and it looks like this one has a Digital Signature on it.
OK, checked the file from Marketplace and it's signed with a valid signature etc. - also a VirusTotal scan showed no errors and nothing flagged as virus/malware.

So is this now fixed?
(Reporter)

Comment 20

7 years ago
(In reply to Carsten Book [:Tomcat] from comment #19)
> OK, checked the file from Marketplace and it's signed with a valid signature
> etc. - also a VirusTotal scan showed no errors and nothing flagged as virus/malware.
> 
> So is this now fixed?

Possibly. I'd say let's close this ticket for now as it does not seem to happen on the user's machine anymore. If we see another issue pop up, then let's handle it on a case by case basis.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WORKSFORME
Product: Tech Evangelism → Tech Evangelism Graveyard