FileRepMalware in Norton (windows installer)

[ramsus-menu]

Hi guys, can someone help me with this?

Translation

Threat neutralized

Threat name: FileRepMalware
Status: Moved to Quarantine
Options: Report as a false positive
Detected by: Auto-Protect
On the computer since: 10/10/2024 02:44
Last used: 24/10/2024 14:40
Startup item: No

Very few: Very few people in the Norton community have used this file.

New: This file was released 15 days ago.

High: The risk of this file is high.

Check for new ratings

Additional message:
We moved the StabilityMatrix.exe file to Quarantine because it was infected with FileRepMalware.

[mohnjiles]

The answer is right there:
FileRepMalware

Very few: Very few people in the Norton community have used this file.
New: This file was released 15 days ago.

It's because we don't pay extortion fees for an EV code signing certificate. The new version just doesn't have enough "reputation" from Norton users yet, because most people just use Windows Defender these days.

[ramsus-menu]

I don’t mean to offend or criticize this great tool, I’m just trying to understand this better. Since the file doesn’t have an established reputation, does Norton assign a random malware label to it to make us more cautious? Is that how it works? Thanks a lot for your help! Would you say this is a false positive?

[mohnjiles]

Not necessarily, the label is "FileRepMalware", which typically means:

• The file exhibits suspicious activity. It may attempt to replicate itself, modify system files, or communicate with suspicious servers.
• The file does not have a signature or is signed by a publisher that the antivirus program does not trust.
• The file has not been added to the antivirus clean set (the allowlist of harmless files).
• The file is not well known — very few people have tried to download, launch, or use it.

And the reasons we're triggering these:

• All our releases exhibit "suspicious" activity because most AVs consider downloading Python to be suspicious.
• None of our Windows executables are signed due to the aforementioned extortion fees
• We do not submit our files to AV vendors for whitelisting
• Since it's a new release, obviously the file is not well known.

So not really a false positive since it labelled it as the generic "FileRepMalware", any similar program that's not signed & does "suspicious" behaviour will trigger this as well; in my opinion it's all part of the code signing bs to scare users away so that we will pay several hundred dollars for a code signing certificate to make the warnings go away.

[ramsus-menu]

Thank you, Mohnjiles, for sharing your knowledge and for your patience!