incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <>
Subject Re: Symantec WS.Reputation.1 Errors: What we can do
Date Fri, 02 Mar 2012 21:39:43 GMT
On Fri, Mar 2, 2012 at 4:15 PM, Dennis E. Hamilton
<> wrote:
> Out of curiosity I just did another download of the OOo-dev 3.4 Windows "MSI" r1293550
to see if the popularity contest had been won yet.
> Not yet.
>  The Internet Explorer 9 download warning is "OOo-Dev-OOO340m1_Win_x86_install_en-US.exe
is not commonly downloaded and could harm your computer."  The file is already downloaded
at that point, however.  The options are Delete, Actions, and View downloads (opening a separate
tool that shows downloads and status).  The Actions option includes "Don't run this program
(recommended)", "Delete", and "Run Anyway."
>  A "Run Anyway" or a later execution of the downloaded .exe will provoke an User Account
Control message (on default configurations, even for administrator accounts) that warns that
the file is from an unknown source (that is, the .EXE is not signed) and that it was downloaded
from the Internet.
> I also did a custom scan of the single download file using Microsoft Security Essentials.
 The scan (which is programmed to dig into these files) identified 51916 individual items
and no threats.
> All of this is tolerable and arguably appropriate for developer snapshots.  Users who
use these builds need to rely on their own judgment about the trustworthiness of the origin
and the content of those files.
> Note that it is the .exe that needs to be signed.  This should not be confused with
a .msi file, although I assume those can be signed also.  Apache OpenOffice does not use
.msi as the packaged binary that is downloaded.  (It appears that LibreOffice has changed
that.)  It strikes me that using external digest values (md5 and sh1 digests) on the download
requires a super-user skill set and should not be the only thing relied upon for project binary

Yes,MSI's can be installed and are required to be signed for some
distribution paths.  Generally you want to sign what you distribute.
Don't expect the I.E. or your anti-virus is going to deflate a 200 MB
archive to see if some EXE inside is signed.  (And then what about the
DLL's?)  We should be signing the whole enchilada.


> -----Original Message-----
> From: Dennis E. Hamilton []
> Sent: Friday, March 02, 2012 11:19
> To:
> Subject: RE: Symantec WS.Reputation.1 Errors: What we can do
> The web-based downloader in Internet Explorer 9 also warns about the .exe files (not
the tar.gz or Zip ones).  The message is clearly a no-reputation-yet warning.
> This is an on-line check.  When the file is known to be regularly downloaded, the report
will change automatically.
> I have seen no AV warnings about the downloaded files themselves, although there is a
standard OS warning on use of such files when they were downloaded from the internet and/or
are not signed.  (In Windows 8 Consumer Preview, it is necessary to click "details" to see
that there is a "Run anyhow" selection.)
> I saw no AV warnings after the installation on any systems having Microsoft Malware detection
and regularly-updated Windows Security Essentials.
>  - Dennis
> -----Original Message-----
> From: Rob Weir []
> Sent: Friday, March 02, 2012 07:00
> To:
> Subject: Symantec WS.Reputation.1 Errors: What we can do
> Several testers have mentioned this anti-virus error when installing
> the AOO 3.4 dev snapshot build.   This is not a virus.
> "WS.Reputation" errors come from Symantec Antivirus based on their
> "reputation-based" threat assessments.  Essentially, they evaluate
> software that you are about to install according to a range of
> factors, including how new the file is, how many other people have
> installed it, whether the installer is digitally signed, etc.  It is
> not just one factor, but a proprietary mix of weighted factors.
> We're probably getting penalized based on several of these factors.
> Note that with the final AOO 3.4 release we'll be in the same
> position, since that installer will also be new,etc.
> A few things we should consider doing:
> 1) Make sure the readme file and install instructions cover this case
> and explain what the user should do, e.g. "Run anyways"
> 2) We can make a request to Symantec to "whitelist" our installer.
> This takes a couple of weeks for them to process.  And we can';t start
> this work in advance since they need the SHA-256 hash of our
> installer:
> 3) We could digitally sign our Windows installers.   Apache already
> requires a detached signature.  But Symantec has no idea about these.
> We need traditional Windows exe code signing.  This will help us with
> Windows 8 as well.  So it is something we probably want to look into
> at some point.
> My recommendation:
> Plan on doing 1.  Do 2. as soon as we have a release.  Look into 3. for AOO 4.0.
> Regards,
> -Rob

View raw message