WS.Reputation1 Detection Meaning and Options for Resolving Issue with Symantec Endpoint Protection 14.0+


Article ID: 191764


Products

Endpoint Protection

Issue/Introduction

When using Symantec Endpoint Protection, customers often run into WS.Reputation1 detections on legitimate files (for example .exe or .msi installers) from trusted vendors. Depending on policy settings, these files are then often placed into Quarantine.

Cause

In this specific situation, the WS.Reputation1 detection is not an indicator of a threat in the sense of a traditional anti-virus/malware detection. It comes from the Endpoint Protection Insight feature and conveys only that, based on the information available, the file's reputation within the larger Broadcom community is not yet sufficient to establish that the file is trustworthy.

The most common cause is a change to the program, such as a new version of an application. When the new version is released, Endpoint Protection (in a typical configuration) looks the file up in the Broadcom Insight database and determines that the file is too new, or has too little usage, to establish whether it is trustworthy. This does not indicate that the file is a threat, only that it is not yet trusted based on its prevalence, age and other factors observed across the larger Broadcom community.

However, the WS.Reputation1 detection can and does effectively catch new, genuine threats in the wild, so please only follow this KB if you are 100% sure that the software being detected is legitimate and was supplied from a valid, trustworthy source.

Resolution

There are several ways to resolve this type of situation. 

1. Add the digital signature (signing certificate) of the file(s) to the Exceptions Policy.

The best option is to check whether the files are digitally signed by the manufacturer. If the file(s) are signed, the signing certificate can be exported from the file(s) and loaded into the Symantec Endpoint Protection Manager under Policies > Exceptions > Windows Exceptions > Certificate.

By importing the file's signing certificate, all software from the vendor that is signed with this same certificate is trusted for this type of reputation detection. This method of mitigating WS.Reputation1 detections in no way affects the other modules/layers of Endpoint Protection: should the file actually be a threat or behave inappropriately, it should still be detected and stopped by Endpoint Protection.

Note: There is a secondary benefit to using, or insisting on, signed software from vendors. A digital signature also allows the operating system to verify the integrity of the file(s): if the file's hash does not match the hash covered by the signature, this can indicate tampering or other potentially malicious activity involving the file(s). Broadcom always recommends that all customers use digitally signed software for this reason. If the software is internally developed, the same recommendation applies: sign the software and import the certificate into the SEPM.

Please see the Additional Information section for information on how to extract an X.509 certificate from a signed software package/file for this purpose. 
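The following PowerShell script is an added example and is not part of this KB or of the linked article: it checks each file's Authenticode status with Get-AuthenticodeSignature, exports the signer certificate as a DER-encoded .cer when the signature is valid, and flags hash-mismatch (possible tampering) and unsigned files so they are not whitelisted. The file paths and output directory are placeholders, and it is assumed that the exported .cer is what the SEPM certificate exception dialog accepts.

```powershell
# Added example, not Broadcom's own tooling. Placeholders: $Paths and $OutDir.
# Assumption: the exported DER .cer can be imported under
# Policies > Exceptions > Windows Exceptions > Certificate in the SEPM.
param(
    [string[]]$Paths = @('C:\Installers\vendor-setup.msi'),  # placeholder
    [string]$OutDir  = 'C:\SEPM-Certs'                       # placeholder
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($path in $Paths) {
    $sig = Get-AuthenticodeSignature -FilePath $path

    switch ($sig.Status) {
        'Valid' {
            $cert = $sig.SignerCertificate
            # Name the export after the thumbprint so each signer is exported once,
            # however many files it signed.
            $cerPath = Join-Path $OutDir ("{0}.cer" -f $cert.Thumbprint)
            if (-not (Test-Path $cerPath)) {
                Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
            }
            Write-Output ("{0}: valid signature from '{1}'; certificate saved to {2}" -f $path, $cert.Subject, $cerPath)
        }
        'HashMismatch' {
            # A signature is present but the file content no longer matches it.
            # Treat as tampering: leave the file in Quarantine and investigate.
            Write-Output ("{0}: signature hash mismatch, possible tampering; do NOT add an exception" -f $path)
        }
        'NotTrusted' {
            # Signed, but the chain is not trusted on this host (e.g. an internal CA).
            # Confirm the publisher out of band before exporting or importing anything.
            Write-Output ("{0}: signed by '{1}' but chain not trusted; verify publisher first" -f $path, $sig.SignerCertificate.Subject)
        }
        'NotSigned' {
            Write-Output ("{0}: not signed; option 1 is unavailable, consider a false-positive submission" -f $path)
        }
        default {
            Write-Output ("{0}: signature status '{1}'; review before trusting" -f $path, $sig.Status)
        }
    }
}
```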

2. Submit the file(s) to Broadcom as a False Positive (FP) for review. 

Please see the following Broadcom KB article for instructions on this method: https://knowledge.broadcom.com/external/article?legacyId=TECH98360

Note: While this is a valid option for resolving the issue at the time of detection, it may not be effective long term, because the file(s) may change enough over time that the original whitelisting no longer applies: the changed file is no longer recognized as the sample that was whitelisted and may be detected again.

3. Release the file(s) from Quarantine and allow them to run. 

This is a viable option, but only if the other two methods above are unsuitable for some reason, and should be used with caution.

Additional Information

How to extract a digital signature/certificate from a signed software file/package: https://knowledge.broadcom.com/external/article?articleId=191787

Broadcom Employees: Additional information on this KB is contained in the Internal Notes section of the article.