Endpoint Protection detects known good applications as WS.Reputation.1



Article ID: 191764


Products

Endpoint Protection

Issue/Introduction

When using Symantec Endpoint Protection (SEP), the SEP client may log WS.Reputation.1 detections on legitimate executable files or installers from trusted vendors. Depending on policy settings, these files may be quarantined or deleted.


Cause

The WS.Reputation.1 detection indicates a suspicious file, not a traditional signature-based anti-virus/malware detection. It is raised by the Insight (File Reputation) feature of the SEP client and conveys that the file's global reputation within the larger Broadcom community is not yet trusted, based on information such as the file's age, its hash, and the number of times it has been seen.

The most common cause is a change to the file, such as a new version of an application. When the new version is deployed to a SEP endpoint, the SEP client looks the file up in the Broadcom Insight database. If the file is too new, or has not been seen often enough to determine whether it is trustworthy, the SEP client logs a WS.Reputation.1 detection. This does not indicate that the file is a threat, only that it is not yet trusted based on its prevalence, age, and other factors in the larger Broadcom community.

The WS.Reputation.1 detection can and does catch new, genuine threats in the wild, so only follow this KB if you are 100% sure that the software being detected is legitimate and was supplied from a valid, trustworthy source.


Resolution

There are several ways to resolve this type of situation. 

  • Add the digital signature of the file(s) to the Exceptions Policy

  • Submit the file(s) to Broadcom as a False Positive (FP) for review

  • Release the file(s) from Quarantine and allow them to run
    NOTE: This is a viable option, but only if the other two methods above are unsuitable for some reason, and should be used with caution.



To add the digital signature of the file(s) to the Exceptions Policy

For the steps to extract a digital signature/certificate from a signed software file/package, see: How to extract a digital signature/certificate from a signed software file/package

If the file(s) detected as WS.Reputation.1 is/are signed, the signing certificate can be exported from the file(s) and loaded into the Symantec Endpoint Protection Manager under Policies > Exceptions > Windows Exceptions > Certificate.

By importing the file's signing certificate, all software from the vendor that is signed with this same certificate is trusted for this type of file reputation detection. This method of mitigating WS.Reputation.1 detections does not affect the other modules/layers of the SEP client. If the file behaves inappropriately, SEP should still detect and stop questionable or malicious behavior.

NOTE: There is a secondary benefit to using, and insisting on, signed software from vendors. A digital signature also allows the Windows operating system to verify the integrity of the file(s). If the hash of the file's contents no longer matches the hash recorded in the signature, this can be an indication of tampering or other potentially malicious activity involving the file(s). Broadcom recommends that all customers use digitally signed software for this reason. If the software is internally developed, the same recommendation applies: sign the software and import the certificate into the SEPM.
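The following PowerShell script is an added example and is not part of this KB or of the Symantec/Broadcom tooling. It shows the two checks described above before a certificate exception is created: it verifies the file's Authenticode signature (refusing to continue on a HashMismatch, which is the tampering indicator mentioned in the NOTE), and then exports the leaf signing certificate as a DER-encoded .cer file that can be imported in the SEPM under Policies > Exceptions > Windows Exceptions > Certificate. The file path C:\Deploy\Installer.exe and the output path are hypothetical.

```powershell
# Added example (not from the KB): verify a file's Authenticode signature and,
# only if the signature is valid, export the signer certificate for import
# into the SEPM certificate exception.
# Assumed/hypothetical paths: change them to the file that was detected.
param(
    [string]$Path   = 'C:\Deploy\Installer.exe',
    [string]$OutCer = 'C:\Deploy\vendor-signer.cer'
)

$sig = Get-AuthenticodeSignature -FilePath $Path

switch ($sig.Status) {
    'Valid' {
        # Signature present, hash of the file matches the signed hash,
        # and the certificate chains to a trusted root on this machine.
    }
    'HashMismatch' {
        # The file's contents no longer match the hash embedded in the
        # signature: possible tampering. Do not whitelist; investigate instead.
        throw "Signature hash mismatch on $Path - do NOT create an exception for this file"
    }
    'NotSigned' {
        # Nothing to export; a certificate exception cannot be used.
        throw "$Path is not digitally signed; use a different resolution method"
    }
    default {
        # e.g. UnknownError (chain does not build), NotTrusted, Incompatible.
        throw "Signature status '$($sig.Status)' on $Path : $($sig.StatusMessage)"
    }
}

# Show what will be trusted so the operator can confirm it is the expected vendor.
$cert = $sig.SignerCertificate
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Issuer     : $($cert.Issuer)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Valid from : $($cert.NotBefore) until $($cert.NotAfter)"

# Export the leaf (signer) certificate as DER (.cer). X509ContentType.Cert
# writes the public certificate only; no private key is involved.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutCer, $der)
Write-Host "Exported signer certificate to $OutCer"
```

Review the Subject and Thumbprint printed by the script against the vendor's published signing identity before importing the .cer into the SEPM; an exception trusts every file signed with that certificate, so exporting the wrong (or an attacker-controlled) signer would whitelist far more than the one installer.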



To submit the file(s) to Broadcom as a False Positive (FP) for review


NOTE: While this is a valid option for resolving the issue at the time of detection, it may not be effective long term. If the file(s) change enough over time (for example, a new build or version), the original whitelisting no longer applies, because the changed file(s) are no longer recognized as the sample that was whitelisted and may be detected again.

To release a file from the SEP quarantine


Additional Information

NOTES:

  • Any detection name that begins with "WS" (WS.Malware.2, WS.Viral.1, WS.SecurityRisk.3, etc.) is also related to Reputation/Insight, and the information in this article applies to it as well.
  • False Positives (FP) for WS.Reputation.1 are corrected "in the cloud" and do not rely on the customer downloading new definitions. These corrections take effect almost immediately.