Norton is not happy with rawgit

[mfeingold]

For some reason Norton Security Suite considers rawgit dangerous and tries to block it. Is this something you said?

[rgrove]

Unfortunately, there's not much I can do here without more specifics. Presumably Norton came across something served by RawGit that it thought was bad, so they overreacted and blocked the entire domain.

This has happened before with other "security" software and it's typically due to a single URL hosting something that looks like malware. I'd be happy to ban the offending URLs, but I can't until I know what specific URLs Norton objects to.

[joelself]

Since rawgit is just mirroring existing github content does that mean Norton blocks github too?

[rgrove]

Probably not. GitHub would most likely serve the offending file(s) as plain text, which Norton shouldn't consider harmful unless it's spectacularly stupid.

[mfeingold]

Unfortunately all I get from Norton in addition to DO NOT GO THERE in big red caps is that there are 2 threats associated with the rawgit.com - whatever it means. I could not find any additional details.

[rgrove]

It looks like Norton is freaking out about the two .rar files in this repo: https://github.com/ajmgh/lcpdfrdist

As far as I can tell, neither file actually contains anything malicious. Norton appears to use Trojan.Gen.2 as a generic placeholder name for anything it thinks might be dangerous. In this case I'm guessing it just sees the .rar extension and assumes the files are guilty until proven innocent.

I'd rather not ban innocent users' files just because Norton is awful, so I guess my recommendation is that nobody use Norton software. Sorry.

[mfeingold]

Well, I beg to disagree. I know what I am doing (at least sometimes, I hope), so I ignored the warning, but I use the rawgit to service the files of my demo. A chance that less informed visitors can be scared away makes me sad. So I would suggest to ban the files and if the author complains work with him and make him do whatever is needed to keep Norton happy. Besides Github is no place to keep your builds after all.

[jdalton]

I'd rather not ban innocent users' files just because Norton is awful, so I guess my recommendation is that nobody use Norton software. Sorry.

:+1:

[joelself]

My line of thinking is: "Who is at fault here?".

• rawgit isn't at fault, it's doing exactly what it is supposed to do. And what it's designed to do is not wrong or immoral in any way
• Is lcpdfrdist at fault? They're using rawgit in the exact way that's intended. While GitHub Releases are the new official way of distributing builds, GitHub doesn't expressly forbid version controlling your builds. They even have the Git Large File Storage (Git LFS) extension for dealing with large files, like builds, in your version controlled repository. I myself used to release my built dlls by pushing them to a build directory. I only switched to Releases because Appveyor can't seem to push to my repo after a build.
• Is Norton at fault? I'd say yes. They encounter 2 files on a domain that happen to end with the characters ".rar" and they blanket ban the whole domain without doing any due diligence to see if the "rar" files actually contain dangerous files. That is:
• Lazy
• Dumb
• Wrong
• A disservice to their customers

So given that Norton is at fault here I don't see why banning lcpdfrdist is the right thing to do.

[mfeingold]

I see your point, but respectfully, I do not think 'who is at fault' is the right question to ask here.

IMHO the right question would be 'what can I do to better serve my customers without killing myself in the process'.

Rawgit provides a very useful and very simple to use service. As stupid on the part of Norton as it is, if the only way to do it is to ban a few files which may or may not be important to a handful of people, I would say go for it.

An alternative would be to talk to Norton and convince them right their wrongs, but this is where killing yourself in the process becomes a danger :).

[rgrove]

@mfeingold Here's how I look at it:

Security software from Norton, McAfee, Avast, et al is 90% snake oil. I say this as someone who once worked for one of those companies on software like this.

All modern browsers already provide protection against known malicious websites. All modern consumer OSes, either through built-in virus scanners (in the case of Windows) or through sandboxing and auto-updating malware blacklists (in the case of OS X) offer malware protection. All modern consumer OSes have built-in software firewalls to protect against network intrusions.

There is very little reason, if any, these days to use additional security software like Norton's; it will simply make your computer slower and your experience worse. In some extreme—though increasingly common—cases, it can even introduce serious security issues that didn't previously exist.

By choosing to use Norton's software, you have opted into the experience their software provides. Unfortunately, their software provides a shitty experience. If you don't like the experience Norton provides, you can choose to stop using it or try to convince Norton to improve their software.

Your relationship with Norton is between you and Norton, not between RawGit and Norton. While I'd like to do what I can, when possible, to improve the experience for RawGit users who also choose to use bad security software, my willingness to help ends when it will result in a worse experience for a RawGit user who didn't do anything wrong and who didn't choose to use bad security software.

I'm sorry that I can't make everyone happy in this scenario, but in the same way that you're free to choose to use Norton's software, I'm free to choose not to support it (and you're free to choose not to use RawGit).

[mfeingold]

@rgrove usefulness or uselessness of the likes of Norton is besides the point here, as is my personal relationship with Norton. I can deal with Norton and the only reason I still have it installed is that I am lazy.

My concern is people out there in the wild who are hitting applications using rawgit - some of them without even realizing it. How many of them will be scared away?

Anyway this is just me and you are certainly entitled to your opinion. The last thing I would want is to turn this into something personal.

[rgrove]

Good news everyone! Norton has decided that RawGit is safe after all, and all it took was me doing nothing for several months.