
VB6 IDE removed by Symantec Endpoint due to 'WS.Reputation.1'


One person on my team found their VB6 IDE was no longer working. We eventually realized that the file VB6.EXE (from C:\Program Files (x86)\Microsoft Visual Studio\VB98) was missing and that this was because Symantec Endpoint Protection (14) had removed it due to WS.Reputation.1 (noted in Symantec logs).

I tried copying back the EXE from another PC and you could literally watch the file disappear from Explorer within a couple of seconds of being copied. Fail.

This only occurred on this single PC. Everyone here is using VB6 and has the same antivirus, so it is confounding why it happened only to a single person.

Could there be some factor unique to this one PC that caused this? If so (or if not...) how can we work around this?

Other details:

  • New-ish PC, in use for about 2 weeks
  • VB6 had previously been working
  • Windows 10
  • Symantec Endpoint ver 14, corporate environment / centrally administered

Symantec's docs for WS.Reputation.1:

WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.


Solution

  • Report this false positive to Symantec to have it properly resolved:

    https://submit.symantec.com/false_positive/


    I submitted to Symantec and after 1-2 days I received the following reply:

    Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

    File name: VB6.EXE
    MD5: 8AC4F5C29334B3C1B667B92EF860023A
    SHA256: 971F73C9AC27EF3D50C1AC36D154674AB3A9957F967BFF6A62D5D18A75CFD910
    Note: Whitelisting may take up to 24 hours to take effect via Live Update
    

    Since I assume this is a truly global change, perhaps if this works it will work for other people also. However, as noted above, they may be taking action only for this exact version of the VB6 executable. If other editions of VB6 or various service packs changed this EXE, I'm not sure if this will have an effect or not.

    The info above pertains to VB6 with SP6 which is labelled "Version 9782" in Help > About.


    Note: this did appear to work.
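
Because the vendor's reply clears one exact file, a copy of VB6.EXE can be compared against the two hashes quoted in that reply before relying on the whitelisting. The PowerShell below is an added example, not part of the original answer; the function name `Test-ClearedBuild` is made up for this illustration, and the only path it checks is the one given in the question.

```powershell
# Hashes quoted in Symantec's reply above (VB6 with SP6, "Version 9782").
$Cleared = @{
    MD5    = '8AC4F5C29334B3C1B667B92EF860023A'
    SHA256 = '971F73C9AC27EF3D50C1AC36D154674AB3A9957F967BFF6A62D5D18A75CFD910'
}

# Hypothetical helper: reports whether a file is the exact build the reply covers.
function Test-ClearedBuild {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
            # A missing file is a result in itself: the copy may already have been removed.
            [pscustomobject]@{ Path = $Path; Status = 'Missing'; MD5 = $null; SHA256 = $null }
            return
        }

        $md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        $sha = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

        # Require both digests to match; string -eq is case-insensitive in PowerShell.
        $status = if ($md5 -eq $Cleared.MD5 -and $sha -eq $Cleared.SHA256) {
            'MatchesClearedBuild'
        } else {
            'DifferentBuild'
        }

        [pscustomobject]@{ Path = $Path; Status = $status; MD5 = $md5; SHA256 = $sha }
    }
}

# Path taken from the question; pipe in further paths to check other copies.
'C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.EXE' |
    Test-ClearedBuild |
    Format-List
```

A `DifferentBuild` result means the file is not the one named in the reply, so that copy would need its own false-positive submission.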