An Open Letter to Symantec Corporation
about 'Suspicious.Insight'

plus two replies to messages received from Symantec
Hermetic Systems

Despite appearances, 'Suspicious.Insight' is not the name of a virus. It is an artificial label invented by Symantec. If Symantec's virus-checker tags a program file as 'Suspicious.Insight' it does this with no basis in observed malicious or nefarious activity, and very likely that file does not contain a virus — and almost certainly does not if 40+ other virus-checkers report no problem with that file (as is usually the case).

As of April 14, 2010, the cause of this open letter to Symantec has been removed. Symantec's virus-checker on Virustotal is no longer labelling newly submitted programs as infected by 'Suspicious.Insight'.


March 23, 2010

Hermetic Systems is a software developer and publisher which uses reports from Virustotal (as you know, a site which scans uploaded files for the presence of viruses) to confirm for potential purchasers that our software is virus-free.

We recently uploaded to Virustotal installation programs for two of our 25 products, "Chinese Calendrics" and "Hermetic Word Frequency Counter". The results respectively can be seen at:

http://www.virustotal.com/analisis/2a65574eb1598ff562f605ba1788a141b39840905d72d886ca66f10ff5d7fdac-1269175751

and

http://www.virustotal.com/analisis/d7d9c07cd1fa3ea309ea46c8af382526ac92e3206661897a8facfb963988d729-1269175405

In both cases, of the 42 virus-checkers only Symantec's reports our installation programs as containing a virus, which it labels as "Suspicious.Insight".

We wrote to you about this and in your reply you said:

"Detections of Suspicious.Insight type are based on Symantec's reputation-based security technology. Suspicious.Insight is detection for files that have not yet developed a strong reputation among Symantec's community of users and is not based on observed malicious or nefarious activity."

Thus Symantec is flagging our programs in the Virustotal report as containing a virus even though it admits that this "is not based on observed malicious or nefarious activity", so Symantec is doing this despite having *no evidence* that the file contains a virus!

We read at "Suspicious.Insight — Summary"
http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99

"Suspicious.Insight is a detection for files that have not yet developed a strong reputation among Symantec’s community of users. Detections of this type are based on Symantec's reputation-based security technology.

"The reputation-based system uses ‘the wisdom of crowds’ (Symantec's tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.

"When detections of this type are triggered in Norton products the user may be warned that the application is unproven, thus allowing the user to make the final decision."

On that web page you say (misleadingly), "Discovered: February 11, 2010". As if this were a virus that you had *discovered*. But by reading further we find that "Suspicious.Insight" is *not* the name of a virus but rather is the name of something you describe as "a detection" — but this is false because nothing is being detected! You admit that it is simply "computing a reputation score" — one based on some unspecified kind of input from users of your own products. The page describes this using fluff language such as "the wisdom of crowds" and "cloud-based intelligence" (vague concepts probably originating in your marketing department). This appears to be an admission that you no longer know how to detect the latest viruses by "traditional signatures and behavior-based detection techniques" and so must resort to the unproven (and perhaps ridiculous) "wisdom of crowds".

You claim to "identify malicious software" (and you imply that any program flagged as "suspicious" may contain malicious software) — but this approach *cannot* identify malicious software, because this can only be done on the basis of actual or implicit behavior of the software as revealed by an analysis of its object code (which is what is done by the other 41 virus-detectors that Virustotal uses, and *none* of them report a virus in our software).

Computer users rely on the results of a Virustotal report to make a judgement about a file which has been submitted. They are ill-served by Symantec's report that a program is "unproven" (on what basis are they then "to make a final decision"?) — especially because, when Symantec's verdict given in Virustotal's report simply says "Suspicious.Insight", people who don't know otherwise will see this as your reporting that the program contains a virus called "Suspicious.Insight", when in fact Symantec has not detected a virus at all!

We read at "Suspicious.Insight — Technical Details"
http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99&tabid=2

"The system considers many aspects of a file, including file age, file download source, digital signature, and file prevalence. These attributes are combined using a proprietary algorithm to determine a file’s safety reputation. The system maintains a rating for all files rather than just malicious files. Each software file is given a GOOD, BAD or SUSPICIOUS rating.

"This detection represents a SUSPICIOUS rating which is typically associated with a file that is:
* Very new (typically less than hours or days old)
* In use on very few systems within the Symantec user base"

You admit that Symantec's approach does *not* detect viruses! It simply compiles what you call a "safety reputation" (which can mean anything you want it to mean). This approach is completely bogus, because a program may be "very new" and "in use on very few systems within the Symantec user base" (which is always true of releases of new versions of software) and yet be completely virus-free! Symantec is reporting thousands of files as containing a virus when in fact they do not.

Moreover, it is causing some people — in particular potential purchasers of the products of independent software vendors — to believe that uninfected files are infected with a virus, thereby causing those vendors to lose sales!

The products of independent software vendors are often not widely used and upon release "have not yet developed a strong reputation among Symantec's community of users." This does *not* mean that there is a significant risk that these products may contain malicious code, which is what your tagging them as "Suspicious.Insight" in the Virustotal report insinuates.

In the case of our programs, 41 other virus-detectors did not report any problem, and only Symantec reported a false positive. This is very likely the case with very many programs submitted to Virustotal for confirmation that they are virus-free. When we checked Virustotal's statistics page for today at http://www.virustotal.com/estadisticas.html we found that the "top 10 of infected files (last 24 hours)" showed 33,424 "Suspicious.Insight" infections and the next at 3,255 (so Symantec is reporting files as infected with "Suspicious.Insight" at a rate ten times more than the most-detected real virus). Obviously Symantec's labelling of a file as "Suspicious.Insight" is worthless as regards any indication that the file is malware, and Symantec has become "the boy who cried wolf" of virus detectors.

An occasional false positive in a virus-detector is understandable, but when this happens a good vendor of anti-virus software will immediately identify the problem and quickly modify their software so as to eliminate the false positive. Symantec, on the contrary, has deliberately built false-positive reporting into its virus-detector. It is utterly astounding that Symantec would do this, and destroys any reputation that Symantec currently has as a company whose virus-checker can detect viruses reliably.

Peter Meyer
support@hermetic.ch
Hermetic Systems
http://www.hermetic.ch/

P.S. Symantec has a web page "Suspicious.Insight - Removal" (again misleading as this implies that "Suspicious.Insight" is a virus which can be removed) in which you graciously allow submission of "new applications to the Symantec white-listing program". When we submitted "Chinese Calendrics" for white-listing we received this reply: "We have reanalyzed your program. Unfortunately we still do not have enough information available to us through community sources and our intelligence network to be able to make any determination on the program. The program will remain designated as unproven." (And not just "unproven" but the victim of your false imputation that it is possibly malware.) This is very likely the response that any independent software developer will receive if they request Symantec to white-list their products.


On March 25 I received a message from Kevin Haley, "Director, PM, Symantec Security Technology and Response". I replied as follows:

March 29, 2010

Hello Kevin,

Thanks for your message.

> I wanted to let you know that our reputation system has changed the
> rating of your files and now report them as good. Your files will no
> longer be categorized as Suspicious.Insight or shown as unproven in the
> Norton product.

Thank you. Do you mean the installation programs for *all* of our products?

I note however that the version of Symantec's virus-checker which reported our 'Chinese Calendrics' software and our 'Hermetic Word Frequency Counter' software as infected by 'Suspicious.Insight', as shown at
http://www.virustotal.com/analisis/2a65574eb1598ff562f605ba1788a141b39840905d72d886ca66f10ff5d7fdac-1269175751
and
http://www.virustotal.com/analisis/d7d9c07cd1fa3ea309ea46c8af382526ac92e3206661897a8facfb963988d729-1269175405
and which is still in use at Virustotal, namely, 20091.2.0.41, has not changed.

We have released a new program today, the Annus Novus Date Converter and I uploaded the installation program, andc11_setup.exe, to Virustotal to provide confirmation that it is virus-free. The report is to be seen at
http://www.virustotal.com/analisis/f58aae68e14c00b86da16decff15ffcb6616f76c850dcb4affc44b2cfbf0edbf-1269847394
The report appears to show that this file is infected by 'Suspicious.Insight', though none of the other 41 virus-checkers report a problem.

Do you plan on providing Virustotal with a new version of your virus-checker software which will no longer apparently report to users of Virustotal that our programs (and that of many other virus-free programs from independent software developers) are infected with a virus?

Regards,
Peter Meyer
Hermetic Systems
http://www.hermetic.ch/


On March 30 I received a reply from Kevin Haley, and I replied the same day as follows:

Hello Kevin,

> The Chinese Calendrics program has been fixed. I believe the VirusTotal
> results you included are from 3/21/2010. Doing a check via the hash will
> return cached results. Please try uploading the file itself or check
> the file from within the Norton product.

Sorry, don't have the Norton product (we use Kaspersky -- great program!). But I just re-uploaded chcal1015_setup.exe to Virustotal and, yes, Symantec's 20091.2.0.41 no longer appears to report that it is infected by Suspicious.Insight. Thanks.

So I re-uploaded the other two installation programs that I previously mentioned and Symantec's 20091.2.0.41 is still reporting these as infected:

wfc945_setup.exe
http://www.virustotal.com/analisis/d7d9c07cd1fa3ea309ea46c8af382526ac92e3206661897a8facfb963988d729-1269937695

andc11_setup.exe
http://www.virustotal.com/analisis/f58aae68e14c00b86da16decff15ffcb6616f76c850dcb4affc44b2cfbf0edbf-1269937872

> I cannot find a record of the Hermetic Word Frequency Counter program
> being submitted to us.

It was not submitted. After the negative response (initially) to my submission for 'Chinese Calendrics' I did not submit anything for WFC.

> If there is an issue with other files the dispute process is set up to
> be the fastest way to resolve issues. But I am happy to help as well.
> We do have a white listing program which may be a good way to address
> all your programs at once, instead of piecemeal. Information is here:
> https://submit.symantec.com/whitelist/

This page appears to accept only applications for single programs, or new versions of single programs, not for all programs by a particular vendor.

>But if you have a large number of files I can help you speed
>up the submission process.

We have about 25 programs. If a bug is found and fixed, or some other improvement is made, then we release a new version asap. We don't want to have to request Symantec to whitelist every new version we release, and there is no good reason why we should.

I'd like to remind you that it is Symantec that is creating a problem for independent software developers (namely, harming their sales) by apparently reporting to users of Virustotal that every new product or new version that a vendor releases is infected by 'Suspicious.Insight', when in fact Symantec in almost all cases has *no evidence* at all to support such a claim, and Symantec is well aware of this.

> A suspicious.insight categorization indicates that a file has not yet
> developed a reputation. I view it as a warning, not a conviction.

You may view it that way, but that's not how a user of Virustotal sees it. Such a user sees a report by 42 or so virus-checking programs as to whether they have detected a virus or not, and if so, they provide the name of the virus. When Symantec tags a program as 'Suspicious.Insight' then a user will naturally interpret this as Symantec claiming that the program is infected by a virus called 'Suspicious.Insight'. If they see it this way then obviously they will not consider purchasing the software, in which case Symantec has caused the vendor to lose a sale. I don't see that this is difficult to understand.

So to put it briefly, Symantec's tagging of all new products from independent software developers, and all new versions of products, as apparently infected by a virus is damaging to the business of those software vendors, pure and simple. Furthermore, it is damaging to the reputation of Symantec, because you are apparently reporting viruses in programs without any basis in fact for such a claim, and thus deliberately reporting many thousands of false positives.

Therefore I suggest that Symantec stop this practice for everyone's benefit. If you wish to retain this in the Norton product (where users can read your explanation) then that is for you to decide (though I don't see that this will enhance the reputation of your product), but you should certainly stop doing this in the Virustotal reports for the reasons I gave above.

Regards,
Peter Meyer
Hermetic Systems
http://www.hermetic.ch/
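A practical check arising from the exchange above: a Virustotal lookup by hash returns the cached report for that hash, with the engine versions and verdicts of the original scan, so only re-uploading the file produces a fresh verdict. The report URLs quoted in the letter have the form /analisis/&lt;sha256&gt;-&lt;number&gt;; reading the number as a Unix timestamp (an inference from the URLs, not documented on this page) gives scan times that match the dates in the correspondence. The following Python example is added here and is not part of the letter, nor Symantec's or Virustotal's code; it parses those URLs, decodes the scan time, measures the gap between a first scan and a re-upload of the same file, and flags a report older than a chosen age as cached. The URL constants are taken from the letter; the installer bytes are constructed.

```python
import hashlib
import re
from datetime import datetime, timezone

# Report URLs quoted in the letter, used here as sample input. The path form
# /analisis/<sha256>-<unixtime> is inferred from these URLs (assumption): the
# first part is the SHA-256 of the submitted file, the second the scan time.
URL_CHCAL_FIRST = ("http://www.virustotal.com/analisis/"
                   "2a65574eb1598ff562f605ba1788a141b39840905d72d886ca66f10ff5d7fdac-1269175751")
URL_WFC_FIRST = ("http://www.virustotal.com/analisis/"
                 "d7d9c07cd1fa3ea309ea46c8af382526ac92e3206661897a8facfb963988d729-1269175405")
URL_WFC_RESCAN = ("http://www.virustotal.com/analisis/"
                  "d7d9c07cd1fa3ea309ea46c8af382526ac92e3206661897a8facfb963988d729-1269937695")

VT_URL_RE = re.compile(r"/analisis/([0-9a-f]{64})-(\d{9,10})$")


def parse_vt_url(url):
    """Return (sha256, scan_time_utc) from an old-style Virustotal report URL."""
    m = VT_URL_RE.search(url.strip())
    if not m:
        raise ValueError("not a recognised Virustotal report URL: %r" % url)
    return m.group(1), datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)


def sha256_hex(data):
    """The key a report is filed under: SHA-256 of the exact bytes submitted.
    Rebuilding an installer changes the hash, so every release is a new key."""
    return hashlib.sha256(data).hexdigest()


def is_stale(url, now_unix, max_age_days=1.0):
    """A hash lookup returns the cached report, carrying the engine versions
    and verdicts of the original scan. A report older than max_age_days is
    treated as stale: re-upload the file to get current verdicts."""
    _, scanned = parse_vt_url(url)
    return now_unix - scanned.timestamp() > max_age_days * 86400


def scan_interval_days(url_a, url_b):
    """Days between two reports for the same file (first scan and a later
    re-upload); refuses to compare reports filed under different hashes."""
    h_a, t_a = parse_vt_url(url_a)
    h_b, t_b = parse_vt_url(url_b)
    if h_a != h_b:
        raise ValueError("reports are for different files: %s vs %s" % (h_a, h_b))
    return (t_b - t_a).total_seconds() / 86400


if __name__ == "__main__":
    for name, url in [("chcal first scan", URL_CHCAL_FIRST),
                      ("wfc first scan", URL_WFC_FIRST),
                      ("wfc re-upload", URL_WFC_RESCAN)]:
        digest, when = parse_vt_url(url)
        print("%-16s %s  %s..." % (name, when.isoformat(), digest[:16]))
    # Constructed installer bytes standing in for a real setup.exe.
    print("key for constructed file:", sha256_hex(b"MZ\x90\x00constructed installer"))
    print("wfc re-upload %.2f days after first scan"
          % scan_interval_days(URL_WFC_FIRST, URL_WFC_RESCAN))
    # 1269847394 is the scan time in the March 29 report URL quoted in the letter.
    print("first chcal report stale by March 29?", is_stale(URL_CHCAL_FIRST, 1269847394))
```

Decoding the first report's timestamp gives 21 March 2010 UTC, which agrees with the "3/21/2010" date in the reply, and the Word Frequency Counter re-upload is dated roughly nine days later; a hash lookup in between would have returned the older verdict regardless of any reputation change at Symantec.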

I received no reply to this message. However it seems that Symantec finally realized their mistake, and as of April 14, 2010, Symantec's virus-checker on Virustotal is no longer labelling newly submitted programs as infected by 'Suspicious.Insight'.
