A while ago I got an e-mail from a customer who had just bought Mini-Compressor (which I think is the best image compression software in the world, but I’m a bit biased) but was getting a warning from Norton when he tried to install it. The warning he was getting was Suspicious.Cloud.5.D. This is a low-level warning from Norton that a file is suspicious but could also be a false positive. I quickly double-checked that the website had not been compromised. To be on the safe side I downloaded and scanned Mini-Compressor with both Windows Defender and Malwarebytes. Neither reported any errors.
I e-mailed the fellow back with my findings and asked him to disable Norton when he installed Mini-Compressor. He kindly did and Mini-Compressor installed just fine and I thought nothing more of it.
A couple months later I received another complaint. This one was a bit more severe with Norton not letting Mini-Compressor be installed and saying it’s a very suspicious program. I was unable to convince her to disable Norton, and I don’t blame her once I saw the errors Norton was generating.
I don’t own Norton so I bit the bullet and bought a copy, installed it on a virtual machine, and downloaded Mini-Compressor and got the following error:
Then the Norton Sonar kicked in and a scary red box appeared in the bottom right that said Mini-Compressor was a bad program and should not be trusted. It then deleted the Mini-Compressor installer and popped up the following dialog:
Obviously this is not good. So I did some digging and found that Symantec has a site where you can submit false positives. It asks for some basic information and a link to download the software. This was a bit of a pain since we don’t have a trial version, so I set up a temporary link for them that was valid for 24 hours.
Unfortunately it was Saturday when I did this, and Norton didn’t look at my submission till Monday, and the link had expired. They sent me an e-mail saying so and asked me to send them a new link, or better yet, upload the actual files. Why they didn’t include the upload link in the first e-mail I’m not sure, but I uploaded both the 32- and 64-bit installers of Mini-Compressor. Two days later they e-mailed to say:
“In light of further investigation and analysis Symantec is happy to remove this detection from within its products.”
I updated my copy of Norton and tried to install Mini-Compressor. This time I didn’t get any warnings and Norton Sonar popped up a friendly green box in the bottom right corner. Thanks to Norton for quickly fixing the problem.
Some final notes:
- If you simply download Mini-Compressor and run a standard Norton scan, e.g. by right-clicking on the installer, no errors are reported.
- Part of the Norton false positive submission process is to generate a hash of the installer. They suggested using the VirusTotal website. This website will not only create a hash but will also run a bunch of virus scanners, including Norton. It then catalogs the results, including the results for the 32-bit and 64-bit versions of Mini-Compressor.
- I need to get a code signing certificate. It’s been on my list of things to do for a while but now it got bumped up a bit. I think I’ll also try to get Mini-Compressor Windows 7 Certified, which I’m sure will require it to be signed.