Discovered: January 29, 2010
Updated: February 15, 2010 3:03:06 AM
Systems Affected: Windows
Suspicious.Insight is a detection for files that have not yet developed a strong reputation among Symantec’s community of users. Detections of this type are based on Symantec’s reputation-based security technology.
The reputation-based system uses “the wisdom of crowds” (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.
When detections of this type are triggered in Norton products, the user may be warned that the application is unproven, thus allowing the user to make the final decision. Future versions of Symantec’s Endpoint Protection products will include this functionality. When used in these products, administrators will be able to configure blocking policies based on their specific tolerance for risk.
Today, the vast majority of malware is generated in real time on a per-victim basis, which means that each such malicious program will be rated as being entirely new and low-prevalence by a reputation-based system. In contrast, most legitimate software has vastly different characteristics – it often comes from known publishers, has high adoption rates, shares much in common with earlier versions of the software, and so on. The Suspicious.Insight detection, therefore, is meant to inform the user that a given application is unproven and not yet well known to Symantec’s tens of millions of users.
For more information:
The following resources provide more information about Symantec’s reputation-based security system.
Article: How Reputation-based Software Transforms the War on Malware
Blog: Not all Reputation Technologies are Created Equal
Blog: Norton Internet Security 2010 – Download Insight
Blog: The New Model of Consumer Protection: Reputation-based Security
Product Tutorial: How To Use Norton Download Insight
Symantec’s antivirus products contain a highly sensitive detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers. You can submit files detected as suspicious to Symantec Security Response for further categorization. For instructions on how to do this, read Submit Virus Samples.
What to do in case of suspected erroneous detection (false positive)
In rare cases where a legitimate file is misidentified and subsequently quarantined, your computer may behave abnormally or you may find that one or more applications no longer function as expected. In such rare situations, you should open the Quarantine in your Symantec antivirus product and review the list of files detected as suspicious. If you identify a potential misidentification, restore the file from Quarantine and allow it to run normally in order to regain the functionality of your computer or application.
Suspected false-positive detections can be reported to Symantec using our false-positive detection reporting page to contribute to the effectiveness of our product.