incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Roberts <lookfortherab...@yahoo.com>
Subject Re: Symantec WS.Reputation.1 Errors: What we can do
Date Fri, 02 Mar 2012 16:29:27 GMT
Rob,
 
I agree with this plan with some additional detail into action point 1. The user can't just
"run anyways" as the virus software will quarantine and remove the software until you get
the reputation promoted. The user must manually go into the error log and override then restore
the threat manually. I think this is a little to much to ask of a normal user of applications
designed to be used by grandma Jones in Kansas. They just don't have the technical aptitude
to perform this kind of operation. But for the folks that are testing and developing this
plan would work prior to release.
 
Greg


________________________________
From: Rob Weir <robweir@apache.org>
To: ooo-dev@incubator.apache.org 
Sent: Friday, March 2, 2012 7:00 AM
Subject: Symantec WS.Reputation.1 Errors: What we can do

Several testers have mentioned this anti-virus error when installing
the AOO 3.4 dev snapshot build.  This is not a virus.
"WS.Reputation" errors come from Symantec Antivirus based on their
"reputation-based" threat assessments.  Essentially, they evaluate
software that you are about to install according to a range of
factors, including how new the file is, how many other people have
installed it, whether the installer is digitally signed, etc.  It is
not just one factor, but a proprietary mix of weighted factors.

We're probably getting penalized based on several of these factors.
Note that with the final AOO 3.4 release we'll be in the same
position, since that installer will also be new,etc.

A few things we should consider doing:

1) Make sure the readme file and install instructions cover this case
and explain what the user should do, e.g. "Run anyways"

2) We can make a request to Symantec to "whitelist" our installer.
This takes a couple of weeks for them to process.  And we can';t start
this work in advance since they need the SHA-256 hash of our
installer:

https://submit.symantec.com/whitelist/isv/

3) We could digitally sign our Windows installers.  Apache already
requires a detached signature.  But Symantec has no idea about these.
We need traditional Windows exe code signing.  This will help us with
Windows 8 as well.  So it is something we probably want to look into
at some point.

My recommendation:

Plan on doing 1.  Do 2. as soon as we have a release.  Look into 3. for AOO 4.0.

Regards,

-Rob
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message