Friday, March 13, 2009

Symantec's Norton products

**** this is a long but important post***
Back in the olden days Symantec's Norton products were the standard and the best virus protection on the market. As time went on, the programs they produced were loaded with more pork than the stimulus bills. Most new computers now come with some form of Symantec or McAfee product preinstalled. I won't go into detail here, but the first thing I do is uninstall these pieces of software. The reason? They slow the system down greatly, and for the reasons below, I just don't trust them.

Yesterday (Mar. 11) Symantec may have given us another reason. Starting overnight Monday into Tuesday morning, users running firewall software reported something odd coming from Norton security products.
An unknown file called pifts.exe started up from a folder under Symantec LiveUpdate that does not appear to exist on disk, and attempted to connect to the Internet. Software firewalls, including Norton's own, warned of this attempt and prompted users for permission to allow the connection.
Researchers at ThreatExpert determined that the file was attempting to connect to a server in Africa belonging to Symantec.
Norton customers started posting questions about the activity on the Symantec Community forums, but these posts were oddly deleted without response. As the evening wore on the deletions continued, until word started to spread to other sites like Slashdot and Digg.
Naturally at that point things became a three-ring circus, and postings were deleted for violations of the terms of service, including profanity, sexual innuendo and spamming.
The Washington Post ran a story on the problem and quoted a senior product management director who stated the file was a "diagnostic patch" designed to determine how many users were switching to Windows 7 and would need to be upgraded to a newer version of Norton security products.
Symantec’s official statement is here:

In the official release it was stated that the "patch" was pushed out between 4:30 and 7:40 PM on March 9th, that abuse was detected on the Norton forums at 10:30 PM Monday, and that the posts were deleted. The firewall detection was caused by the file not being digitally signed: a host firewall that whitelists a vendor's binaries by signature will prompt on an unsigned executable even when it lives under that vendor's own folder.
It makes no statement about what the patch does, what data it collects, or why its own firewall shows a path for the file that includes a nonexistent (or invisible?) folder.
Nor does it address why early posts about the warning were removed without comment, before the onslaught of abuse began almost three hours after the patch was stopped, when users would already have noticed the problem and asked about it.
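Two of the questions above can be answered on a machine where the prompt fired, without waiting for a vendor statement: is the binary signed, and is the folder the firewall reported really absent or just hidden? The following PowerShell is an added example written for this post, not a Symantec tool or anything the Norton firewall runs; the only assumption is the `$Path` you pass in, which should be the full path the firewall prompt showed.

```powershell
# Added example (not from the original post or from Symantec): inspect a binary that
# a host firewall has flagged. $Path is an assumption; pass the path the prompt showed.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$dir = Split-Path -Path $Path -Parent

# Test-Path returns $true for hidden directories too, so a folder that "does not
# exist" here is genuinely absent. Get-Item needs -Force to read a hidden folder's
# attributes; look for Hidden or System in the output.
if (-not (Test-Path -LiteralPath $dir)) {
    Write-Output "Parent folder does not exist on disk: $dir"
} else {
    $attrs = (Get-Item -LiteralPath $dir -Force).Attributes
    Write-Output "Parent folder exists, attributes: $attrs"
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "File is not present (it may have deleted itself after running): $Path"
    return
}

# Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
# A NotSigned or HashMismatch file should not be trusted merely because of where it sits.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Output "Signature status: $($sig.Status)"
if ($sig.SignerCertificate) {
    Write-Output "Signer:  $($sig.SignerCertificate.Subject)"
    Write-Output "Issuer:  $($sig.SignerCertificate.Issuer)"
    Write-Output "Expires: $($sig.SignerCertificate.NotAfter)"
}

# A hash is what you hand to researchers or look up in a malware database.
# Get-FileHash requires PowerShell 4.0 or later.
$hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
Write-Output "SHA256: $($hash.Hash)"
```

Run it as `.\inspect.ps1 -Path 'C:\...\pifts.exe'` with the path from your own firewall log. A `Valid` status with a Symantec subject would have silenced most of this episode; `NotSigned` is exactly what the official statement says the firewalls saw.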
It's still early in this flap and information is sketchy, but it sounds rather suspicious. A path through a folder that cannot be seen afterwards is the kind of thing rootkits do (a folder merely marked hidden or deleted once the program finished is a more mundane explanation, but Symantec has not offered one), and the deletion of early, legitimate questions posted to Norton's forums smacks of a cover-up.
If all is above-board and it's just a survey of OS usage, why the subterfuge? Why sneak the information out without warning instead of just asking? I'm sure the EULA allows them to take your first born if they so choose, so changing the rules in the middle of the game may be perfectly legal, but it's certainly worth questioning.
This whole fiasco has had unforeseen consequences as well. Malware writers, getting wind of the lack of information, set up websites keyed to the term pifts.exe and manipulated them to the top of Google's search results. Of course the sites lacked any real information, but they did pose a real threat: they used the confusion to trick worried users into installing the authors' own malware.
I'm sure this will play out over the next few days and we'll find out what's actually going on, most likely from security researchers studying the purpose of this file and what it is actually doing.
Even if it's just an innocent "oopsie" by Symantec, it's still a black eye. Security firms aren't supposed to say "Oops".

I’ll keep you posted…
Kevin Mefford, Editor