The web-based downloader in Internet Explorer 9 also warns about the .exe files (not the tar.gz or Zip ones). The message is clearly a no-reputation-yet warning.
This is an on-line check. When the file is known to be regularly downloaded, the report will change automatically. I have seen no AV warnings about the downloaded files themselves, although there is a standard OS warning on use of such files when they were downloaded from the internet and/or are not signed. (In Windows 8 Consumer Preview, it is necessary to click "details" to see that there is a "Run anyhow" selection.) I saw no AV warnings after the installation on any systems having Microsoft Malware detection and regularly-updated Windows Security Essentials. - Dennis -----Original Message----- From: Rob Weir [mailto:[email protected]] Sent: Friday, March 02, 2012 07:00 To: [email protected] Subject: Symantec WS.Reputation.1 Errors: What we can do Several testers have mentioned this anti-virus error when installing the AOO 3.4 dev snapshot build. This is not a virus. "WS.Reputation" errors come from Symantec Antivirus based on their "reputation-based" threat assessments. Essentially, they evaluate software that you are about to install according to a range of factors, including how new the file is, how many other people have installed it, whether the installer is digitally signed, etc. It is not just one factor, but a proprietary mix of weighted factors. We're probably getting penalized based on several of these factors. Note that with the final AOO 3.4 release we'll be in the same position, since that installer will also be new,etc. A few things we should consider doing: 1) Make sure the readme file and install instructions cover this case and explain what the user should do, e.g. "Run anyways" 2) We can make a request to Symantec to "whitelist" our installer. This takes a couple of weeks for them to process. And we can';t start this work in advance since they need the SHA-256 hash of our installer: https://submit.symantec.com/whitelist/isv/ 3) We could digitally sign our Windows installers. Apache already requires a detached signature. But Symantec has no idea about these. We need traditional Windows exe code signing. This will help us with Windows 8 as well. So it is something we probably want to look into at some point. My recommendation: Plan on doing 1. Do 2. as soon as we have a release. Look into 3. for AOO 4.0. Regards, -Rob
