Norton Users Worried By PIFTS.exe, Stonewalling By Symantec
An anonymous reader writes that "[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available." The current top link on Google for "PIFTS.exe" links to one of these deleted questions on Norton's support boards, which sounds innocent enough: "I searched this forum but did not see PIFTS.exe. Any idea what this is?"
An application that exists in a folder not accessible by the underlying operating system? Sounds suspiciously like a rootkit to me. If so, then man, am I glad I gave up Norton years ago! I mean seriously, what is so hard to understand about the concept that hiding things like directories is a security risk? Have we learned nothing from Sony's stupidity?
Oh yeah, it's Norton (aka Symantec) we're talking about here. I guess not.
has become self aware.
We are here to protect you. You can trust us.
It's so easy for users to click through the installer or post-install pop-up window asking if you'd like to send anonymous* diagnostic info to the vendor to allow them to improve the quality of the product with future software updates based on the data.
Many default with the "Do not ask again" option checked, so once you click through...
(* however anonymous "anonymous" means. Just because they give you a button to look at the contents of the report doesn't mean they showed you the headers or all of the data.)
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
"I searched this forum but did not see PIFTS.exe. Any idea what this is?" That's the sound a leaky firewall makes.
you could always use a system where you don't need Norton.
How come you didn't mention the NSA's backdoor into NAV?
For shame, sir, for shame.
Sent from your iPad.
Let's begin the conspiracy theories:
Ping Internet For Time on Slashdot?
Don't worry about it. It's just the Privacy Invader From Team Symantec.
Possible
Information
For
Terrorist
Sleeper cells
Therefore...Norton* = Terrorist.
*the slashdot user "Em Emalb" does not seriously think Norton supports terrorism, in fact, if the pounding on his door is any indicator, neither does Nort...)&(^#%)*&#^ stoptazingmePeterNorton! OWWW! Sonofa...that thing stings bro.
Somebody boot up with a livecd, find this thar exe file, and post it up somewhere where we can tear it apart with "strings". ;)
I posted a link to this slashdot article in the norton forums and it had close to 500 views in the 4 minutes that it existed. owned.
Specialization is for insects. -Heinlein
Reading TFA, the author noted a lot of padding in the suspect executable, presumably to have it match the filesize of something it's pretending to be.
The author then suggests with the rapid proliferation and Norton's screwy coverup in their forums, that the auto-updater may have sent out a virus/rootkit.
Perhaps Norton thought they could send out a patch to clean it up before anyone found out?
P = Purposely
I = Introduced
F = File
T = Thieving
S = System
It's a clue for you to stop using a platform where you must run anti-virus software and to finally switch to something better and come to the 21st century of computing.
As the island of our knowledge grows, so does the shore of our ignorance.
I am dumbfounded that someone who reads slashdot is stupid enough to have the home version of Norton on their computer. It is a complete POS and offers similar benefits to dragging an anchor behind your car.
And it is not exactly doing a great job of catching viruses either: http://mtc.sri.com/live_data/av_rankings/
Humor from a Genetically Molested Mind
PIFTS = Personal Internet Firewall Tracking Service?
That sounds a little too much like "James Bond" to me, mr anonymous poster. I think we should wait until someone disassembles it and looks at what it's doing.
Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
A long time ago I used to recommend Norton products. About 2002 / 03 you needed to use a special tool to remove their products in case they failed to operate. That was the point that hidden files kept screwing you up all the time. And they have looked back from that philosophy. I used to do a local radio show, and the phone calls were always "How do I fix this damn thing". Years of bad practices tell us one thing most of all. Stop using any Norton product. They will never listen until they take a giant hit to their revenue. Maybe if they return to making real software, instead of spending all this time creating just another update cycle for a revenue stream, they will not change. Your time has a lot of value. Stop wasting it. Dump Norton.
If that's true, Symantec must be dumber than I thought if they provided a backdoor to a firewall that allows said firewall to warn the user.
'If Christ had tweeted the sermon on the mount, it might have lasted until nightfall.' - John Perry Barlow
Law of what country? Norton installs it even if you are outside USA? And what about other vendors? All US-based ones should have that backdoor?
How can you ever trust Windows security if even the security programs must have backdoors? How long should we wait until we see malware taking advantage of all those backdoors to hide from security programs?
Just switched from Norton to AVG this weekend. Pure coincidence. Honest. I had no advanced knowledge this was coming or anything. ;-)
Reason why there is hope for the future generation #364:
"I wish my grass was emo so it could cut itself."
The first one links to a blank page which will redirect in about 20 seconds to a malware site.
The second one is immediately flagged by Firefox as being a "Reported attack site".
This slashdot article is possibly an attack on the /. community.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Sorry if this comes across as rather elitist, but the all-encumbering anti-virus packages these days just seem so out of date. Norton has always sold itself on the basis it has every possible corner and hole of Windows plugged, checked, double-checked and clamped shut (that is...until your subscription ran out anyway)
Up until a few years ago, I would have really wanted that assurance...like there was a big Daddy Norton with a big fuck-off gun vigilantly checking all entrances; verifying all in & out; assuming guilt until proven innocent.
Thing is, as much as people here may dislike Vista, one thing I think no one will deny is that it's a version of Windows far more capable of taking care of itself; the effect being that AV really doesn't need to be the relentless and fearsome bouncer it was.
Gone are the days when you could "just write in the system32 dir" etc; nay, even programs not rubber-stamped with a certificate that don't need root access will raise an eyebrow in the shell in Vista/W7.
My point is, AV now is nothing more than a "These programs are bad" list. The leaky sieve that was Windows past is diminishing every, and heavy security like Norton is becoming less and less relevant (thank god)...and they know it. Good riddance I say.
throw new NoSignatureException();
Symantec, if you made a mistake, just admit it. Let people know and tell them about the issue, the controls you put into place to fix it and the mechanisms you enacted to ensure that it does not happen again. Mistakes happen, and people will understand, if you are honest and forthright. But, if you keep dodging the issue and there really was something there, you can rest assured it will come to light and then people really will be angry and question their trust. Do the right thing. Tell people what happened, right away!
Check out HoneyPoint, our tools for combatting the insider threat! http://www.microsolved.com/honeypoint/
and you'll see this at the bottom of your search list: Did you mean to search for: GIFTS.exe
Just relax and everything will be alright....
http://forums.zonealarm.org/zonelabs/board/message?board.id=Off-Topic&message.id=19903
Do really dense people warp space more than others?
I posted the following question on Symantec's forum and it was deleted within 2 minutes: This afternoon for no apparent reason my computer launched a file under C:\documents and settings\all users\application data\symantec\liveupdate\downloads\Updt56\pifts.exe. This exe then tried to connect to do a DNS lookup. It seemed suspicious because if it was really part of my Symantec product then why was it not recommended to allow this connection? I blocked the request then tried to delete the file but access was denied; I couldn't even open it in Notepad to see what's inside. I restarted my computer and checked the location again but the directory was gone. Is this file a part of Norton Internet Security or am I being attacked? Does Symantec have any advice on this file as it seems to belong to Symantec's product? That was not offensive and I have an official product, not some pirated copy. I deserve an answer because it's my PC their program is running on.
the first rule of project mayhem is you do not ask questions
Tried to register at their forums with login 'pifts' and got this:
Way to go Norton! We may have to rename Streisand effect to Norton effect pretty soon...
I call shenanigans. This comment has all the earmarks of an urban legend. An anonymous post claiming to have insider knowledge from another anonymous post.
Why would a third party "security" product require a secret law-enforcement backdoor? The FBI, CIA, NSA, etc. would simply have Microsoft provide a backdoor into ALL of Windows. They wouldn't waste time with a commercial product that only some Windows users install. Why go that route when going the MS route would ensure a backdoor into all systems and not just a very small subset of systems?
CIPAV is not something added willy-nilly into commercial applications. It's basically an extremely well designed rootkit that the FBI, etc. targets against specific users & computers by tricking users into installing it. (social engineering, etc.)
PIFTS is the sound of their market share with the excellent way they are treating their customers.
I know I would be removing this from my machines.
"Because we are not employing at entry level, offshoring will kill our industry stone dead."
Or smarter... If they were forced to put the backdoor in, then gagged by the court, maybe one of the programmers "accidentally" made a mistake so that the existence was indirectly revealed.
Perhaps this is why pifts.exe is being bandied about. It's a perfect way to get people to get to sites that will infect them with a virus by using search engines to point the way.
Steve's Computer Service, Hobbs, NM
+1
Let's see someone who has this on their system de-compile it and report on their findings
Maybe Norton's anti-virus is so good that even THEY can't get a virus past it? ;)
If only this was open source software. We could look and see what it is and what it is doing. In the closed software model you only even know it exists because it screwed up and told you.
What sort of response are you talking about?
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
I'm not any good in assembly, but to me it seems as if PIFTS.exe both reads and writes to/from the registry and other files. It even appears to look out for debuggers (see line 8093). Other interesting addresses in the .asm-file:
34308: SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
34309: unicode '\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}',0000h
--
34370: SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665:
34371: unicode '{60333AE5-B66E-4994-B15C-CA2D665CDC89}',0000h
--
34373: SWC00413EC8_systemState:
34374: unicode 'systemState',0000h
34375: SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_:
34376: unicode 'SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine',0000h
--
34430: SWC00413FA0_http___stats_norton_com_n_p_modu:
34431: unicode 'http://stats.norton.com/n/p?module=2667',0000h (this looks very interesting!)
Personal Information File Transfer System?
and you are his _____. I first heard of Norton in the 80s, and his tools were a trusted commodity, but this latest episode means the "suits" have taken over and you can never trust the suits.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
This slashdot article is possibly an attack on the /. community.
As if the Slashdot community ran Windows. Pifts :p
If this really is some kind of government backdoor, chances are symantec is wetting their pants right now. They're probably propagating an update at this very moment to delete all traces of PIFTS.exe and related files.
Looking around it is calling a web service at stats.norton.com such as: http://stats.norton.com/n/p?module=2667&product=NSW&version=2007.10.0.109&e=1.4.5.91&f=1.4.5.91&g=0&h=2&i=0&j=1.4.5.91
You can get that they are running tomcat by feeding it garbage it can't parse...I've not tried anything nasty like SQL injection, but I'm sure someone will soon ;)
People still use Norton? Why on earth would anyone do that?
Mod this up guys! A lot of links seem to be redirects to malware sites containing FakeAV etc..
Don't just tell us about - report it! http://www.google.com/safebrowsing/report_badware/
For those of us who have systems with patient study data, this is a Big Fucking Deal. Luckily, we have firewalls involved, but still...
Please help metamoderate.
No it's not it's silently collecting stats. Check out: http://stats.norton.com/n/p?module=2667&product=NSW&version=200.10.0.109&e=1.4.5.91&f=1.4.5.91&g=0&h=2&i=0&j=1.4.5.91
Give it bad input, and you will see that it's just a Tomcat server that takes REST URIs.
Be warned, it looks like some scareware sites are trying to exploit the situation.
Check out the first couple of sites on the Google results: hillhaven.com.au and 2009031004.peziueued.xorg.pl. Both of those run classic scareware scams to get you to try and run and install something onto your machine.
"inside info from a friend that works there" is not a source any more than "I know a guy who knows a guy" is a source. I'm sure you could name this friend and tell us where he works. Oh, but wait, let me guess - *THEY* might get him, right?
I am scientifically inaccurate.
PIFTS.asm can be downloaded here: http://www.mytting-ikt.no/PIFTS.asm
Here's a dump of strings found in the pifts.exe on pastebin:
http://pastebin.com/m1e207a78
Interesting padding buffer right at the end? Spoofed length or just room to grow some internal resource?
There is an effort underway here http://chrysler5thavenue.blogspot.com/ to figure out exactly what the purpose of this villainous little program is. You can download it here http://www.mediafire.com/?mnmh35b9d0k (BUT DON'T RUN IT). Right now all the theories are tentative but we are leaning towards this being either Symantec's cooperation with government on cyber spying, or a virus which was accidentally released after Symantec themselves were infiltrated by Middle Eastern hackers (it calls home to North Africa).
Here are the strings: http://pastebin.com/m1e207a78
Wow, you managed to uninstall Norton A/V in less than 48 hours????
Oh, yawners. People, please don't believe the troll and think for two seconds before posting angry rants about the gubmint. Much easier to get this sort of thing inserted at Redmond.
[FUCK BETA]
More information can be found at http://chrysler5thavenue.blogspot.com/2009/03/piftsexe.html. There are a lot of interesting comments on there as well.
It seems that it sends data to http://stats.norton.com/n/p?module=xxxx where xxxx is an integer. http://stats.norton.com/n/ requests auth from a tomcat server, for "statistics" Just thought this was a bit odd. Perhaps they have a nice web interface to aid in their world takeover.
This is not a viral sig. Copy it at your peril.
I'm trying to open the Norton forums and it's taking a long time to open each page.
Law enforcement from where? A lot of us don't live in the USA, so they have no legal right to install bullshit like that on our computers... (not that I think they do anyhow without a warrant)
Check to see if Digg and Reddit are counting diggs and ummm reds? accurately. (I think they're not) Check to see if it makes the front page on any major site, then is quickly sidelined. Most importantly DO WHAT NERDS DO BEST and disassemble this thing as soon as possible! You'll be looking to see what it's looking for and who and how it sends it.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
Perfectly Innocent Firewall Testing System
Then they did exactly the "wrong" thing (from LE's point of view). By deleting the threads that ask about it, they just screamed to the world that it is malware, Norton knows it's malware, and Norton is under pressure to not remove it.
From the users' point of view, though, a half-assed coverup is good community service.
I know a guy who knows someone who dated the sister of someone at symantec, and lets just say, they're going to team up with Starbucks To Begin Sinister 'Phase Two' Of Operation
Well done... you've switched from the 2nd worst anti virus scanner, to possibly the WORST antivirus scanner. I just hope to God it isn't the free version which is worse than useless. AVG has the worst detection rate of any AV product.
Why don't people read reviews before buying software? I won't post any links to specific reviews, because someone will say I've cherry picked the source of the review, so just google it. I think you'll find that AVG (especially the free edition) usually comes LAST and things like NOD32 and Kaspersky usually come out top (of these two, I personally prefer NOD32 as it seems to have an extremely low impact on system performance).
Strings is available from sysinternals. If you ask me, it's cute and funny when MS-Bashers put their foot in their mouths before doing any research to back up their snide comments.
Not saying that GP is not a hoax, but...
Why go that route when going the MS route would ensure a backdoor into all systems and not just a very small subset of systems?
Because Microsoft probably has more money and lawyers to throw around than the FBI etc.? Antivirus companies are smaller and therefore probably easier to bully around.
As of this writing, if you do a Google search for "PIFTS.exe" (like was noted in the above summary), the first several links will take you to compromised/attack vector sites.
Did /. just get social engineered?
(Yes, Offtopic to the posts above, but maybe this will have kept someone from getting a nasty surprise...)
"...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
Not saying it's true, but the most obvious reason I can think of would be so that law enforcement can write root kits that act like known viruses without Norton flagging them.
Rules of Conduct:
#1 - The DM is always right.
#2 - If the DM is wrong, see rule #1
Skynet has become self aware. Don't worry the robot Apocalypse will be along shortly.....possibly with Nazis riding dinosaurs.
Are people still seriously running anything Norton or Symantec on their computer as a means of "protection"?
I thought it was common knowledge that their "programs" are complete and utter crap.
Ubuntu is an African word meaning 'I can't configure Debian'
Somebody traced the execution, and linked it here: http://www.reddit.com/r/reddit.com/comments/83hjr/symantec_covering_up_the_piftsexe_file_and/c0857t5 [reddit.com]
Got that from a reply in the first thread. I can not guarantee its accuracy though
It looks like it is opening the HD & MFT directly and sending data to the internet... which can not be adequately explained as part of the auto update process.
One smart programmer != one smart company.
take notice. The little part of the world, the weird little part of the world, that is slashdot! And this is my contribution.
I agree, shenanigans.
If anything, I'd guess this is probably software that verifies the integrity of the existing Norton installation during the update process. Hiding it like that would therefore be intended to outflank malware writers attempting to nerf or hijack Norton.
They can't compromise what they don't know is there. Hardly foolproof, of course, but probably, to Symantec's thinking, better than nothing. If some nasty worm gets out that compromises AV software (again) it would be something of a feather in their cap if Norton installs were able to un-fubar themselves.
And if it comes to light, oh, well.
In this scenario, Symantec's refusal to talk about it and zealous policing of their forums would be a snap reaction to hopefully keep the information from becoming too widespread. I imagine malware readers browse their forums.
Their code was buggy, and self-revealed. They took a gamble it wouldn't Streisand on them and lost.
When the last Norton app I installed got full control of the computer OVER me back in the 1990s, I swore not to let the name 'Norton' or 'Symantec' anywhere near my computer again. I never regretted that decision. And I saw a number of friends suffer from not taking the same decision later on.
You get what you pay for. It seems that you paid for a rootkit from a bastardly company that doesn't 'reduce' itself to customers' level to inform them what their software is actually doing, and you got it. Enjoy.
Read radical news here
I am protected.
I always second the NOD32 idea - easy to administer, you hardly notice it's there until it catches something. I guess you never know what your antivirus misses, but it always tests well and at least it's not making things worse!
AVAST all the way. Been using it for years, and had not one virus get through. AVG let in everything under the sun and never popped up once to say "Hey, you're getting OWND!!!!!"
AVAST antivirus... free to home users... use it... its better than nothing... and waaaay better than NOD32 or AVG...
Apparently, there's a disassembly out there already. I can't verify its authenticity though.
Pay no heed to the rootkit behind the curtain!
Love, Symantec
I've read a lot of reviews (Gizmo freeware, for example) : http://www.techsupportalert.com/best-free-anti-virus-software.htm which don't support this view.
Kaspersky seems to not have won out too well recently too.
Can you post a link to back up your argument?
Conversion Rate Optimisation French / English consultant
I'll look at NOD32 then. I ditched AVG for Avast, but since I only use windows for gaming (one game, actually) it's far too annoying when that goddamn nag screen pops up nightly, ripping me out of guild wars to tell me that I can pay for the nag to go away and get extra email protection. *eyeroll*
I logged into my box as root, did a 'find / -name PIFTS.exe -exec ls -l {} \;' and got no results back, which means my Linux box apparently isn't vulnerable to whatever exploit that file makes possible.
I did similar from my 'nix partition for my 'doze partition which does have Symantec AV, but pifts / PIFTS etc don't exist. My guess is a lot of people got third-party rootkits, and they think Norton did it just because it's in Symantec's folder and polls Symantec. Could be an attempt to DDOS and smear Symantec. Of course Symantec isn't helping with the deletions. Given the time of day, it's probably Indian customer service managing the forum deletions, and overreacting.
I've submitted the file to ThreatExpert, and the report is available here: http://www.threatexpert.com/report.aspx?md5=91b564d825a3487ae5b5fafe57260810
It appears as if this is a statistical reporting tool, given the URLs to which it calls home. All in all, it seems reasonably innocuous -- even if Symantec's response to it is unnecessarily heavy-handed.
The Freelance Wizard
But surely posting this on /. is a bit like putting another padlock on Fort Knox, as surely no one in here would even think of using Norton (unless we are talking classic motor bikes obviously).
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
My bad... I'm thinking of Avira that I'm using. I'll look into Avast.
I blame lack of coffee... (Before anyone says it, I'm at work, thus not gaming, thus on linux, so I couldn't just look at the icon ;) )
Pretty funny stuff - check it out:
http://community.norton.com/norton/board?board.id=nis_feedback
I have a copy of PIFTS.exe now and am examining it.
Notes:
1) It is small
2) Internally it is a "patch tool" from patch "021809db"
3) The Operating System function calls it makes are generally non-threatening
4) It accesses the registry (Norton products) and does some kind of date based validation
My guess is... It is an activation checker of some kind. It looks like it is pulling the registration information from the registry and checking it against file dates.
It also seems to copy itself to the temp folder on execution although I'm not entirely sure as to why.
I won't disagree that NOD32 is an excellent scanner... but AVG is certainly not "the worst". I don't know where you get your data from, but at http://www.av-comparatives.org/seiten/home.html (follow Comparatives, then On-demand to get to the chart) you can see that AVG got 94.3% detection. Avast was slightly better than that at 97.3%. NOD32, interestingly enough, got a 93.0% detection. I'm not saying AVG or Avast is better, but with that information you can't say it's "the worst" either.
I've had far better experiences with AVG and Avast on my machines, as well as my customer's computers, than McAfee (84.4%) or Trend, for example. I've only experienced 1 virus in the recent past (a rootkit, no less) that was not cleanable by AVG/Avast... had to do that manually. On that machine, the virus got in past McAfee... for what it's worth.
Anyway, so with the data above... what's your reference for saying that AVG is "the worst"?
Brilliant! Maybe next they can attack the linux.com community and get about the same results.
Avast! has no nag screen that pops you out of game, though it does have an irritating talking box that pops into the lower right corner to tell you when it updates the VDB or software... fortunately it just takes about 10 seconds and then you're done.
Try not to take me more seriously than I take myself.
You know there's a setting to make it check for full screen applications before popping up any notices right?
Also, if you register it, the nags go away. It does require you to give them an email address but I've never gotten any other mail from them.
Nothing to see here
Just waiting for Norton to pop up and say.... "Dear Honorable Sir or madam I am writing to you from Norton Nigerias headquarters. Please advise you have been awarded Nortons prize fund of one million thousand dollers please enter your account details below to receive funds in due course."
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
Why would a third party "security" product require a secret law-enforcement backdoor? The FBI, CIA, NSA, etc. would simply have Microsoft provide a backdoor into ALL of Windows.
One thing I can think of is emulated systems where people run Windows software on non-Windows environments. I'm not sure how good it would actually be, but that would be my first thought as to why to go in to the security products.
If the environment is good enough to run Windows products, it'll most likely run the flaws too. Someone might have the bright idea of putting an AV in it.
People have done and been successful sometimes in doing crazier things.
The other thing is maybe the stuff in the security products is providing other features the stuff in the main OS isn't.
~~ Behold the flying cow with a rail gun! ~~
I've seen so many of the posts on the "Symantec sucks" theme. Okay, if it does, then what tools do you recommend in an established Windows shop where moving to open source is not currently an option (a manufacturing shop where the production machines were coded by their manufacturers to run only on Windows)?
I use irony whenever I can, but my shirts are still wrinkled...
I call shenanigans. This comment has all the earmarks of an urban legend. An anonymous post claiming to have insider knowledge from another anonymous post.
Why would a third party "security" product require a secret law-enforcement backdoor? The FBI, CIA, NSA, etc. would simply have Microsoft provide a backdoor into ALL of Windows. They wouldn't waste time with a commercial product that only some Windows users install. Why go that route when going the MS route would ensure a backdoor into all systems and not just a very small subset of systems?
CIPAV is not something added willy-nilly into commercial applications. It's basically an extremely well designed rootkit that the FBI, etc. targets against specific users & computers by tricking users into installing it. (social engineering, etc.)
Built into the O/S? Isn't that what Windows' NSAKEY (now KEY2) is for?
http://en.wikipedia.org/wiki/NSAKEY
[citation needed]
That's not what I'm reading in the reviews I googled, and yes I am paying attention to the source of those reviews, and being aware of possible shills.
If that is all, it sounds quite benign for going through the whole effort of hiding it so well.
You wouldn't believe how many computers I've had to do virus cleanups on, that were "protected" by AVG. I always replace it with Avast, and they never have any problems after that.
Serious? Seriousness is well above my pay grade.
Make a .job (scheduled command) to open your command prompt a minute from the time you create it. After it opens, crash explorer.exe and then restart it from the command prompt; you're now logged in as System. You should have access to that file. You can access everything as System. Does this work for you? Either that or boot a live CD and run 'strings' over the file... anything interesting there?
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
> Can you post a link to back up your argument?
Yes, but I won't for the reason I already said.
I HATE the fact that AVG incorporates something called LinkScanner which scans websites you've not even visited yet for potential threats. The side effects of this are that it messes up your web stats and causes fake 'clicks' on pay per click adverts! This practice should be illegal in my opinion. On one particular day, I noticed that AVG LinkScanner was causing 96% of the traffic to my webserver but I had no way of blocking it as it uses a standard user-agent string. AVG have apparently partially removed this feature now thankfully, but I still wouldn't touch their product with a barge-pole. The only thing in their favour, is that when I rang them up to tell them about the linkscanner problem, a human answered straight away and they seemed genuinely concerned and were quite proactive at trying to help me alleviate the symptoms on my webserver.
Someone also brought me a computer to fix which had 8 separate pieces of spyware and two viruses on it. The computer was running AVG Free Edition 8.0 and was fully up to date. With this experience, I don't need a review and pretty pictures to tell me AVG is shit thanks...
The Norton Forums are now offline.
http://skitch.com/ecrist/b8t5e/forum-maintenance
Seriously, given the history of government funded espionage by these countries, why would anyone trust a security software vendor from 1) China, 2) Russia, 3) Israel, 4) USA? Would you use a Linux distro made in North Korea?
Maybe Norton's anti-virus is so good that even THEY can't get a virus past it? ;)
You owe me one keyboard and monitor; mine now has coffee all over it.
"The stupid neither forgive nor forget; the naive forgive and forget; the wise forgive but do not forget." -Thomas Szasz
This is why we need additional mod options. I have points, but there's no option for "Interesting, if it's true" or "thanks for the info, but since there's no way to validate, caveat reader."
It's really easy to get bullshit modded up because of the number of people who say "I didn't know that, thanks". How many of the +4 so far are "+1 because it's true" vs. "It's news to me"?
Sorry I've got a cold which seems to turn my Google Fu to shit, but there is a little .dll you can change which will kill that pop up. Just Google "remove Avast home warnings" or some such (damn my fu is off today) and hopefully you'll find it. Does anyone here whose Fu is actually functional have the link to what I am talking about? It is a simple edit that gets rid of those stupid Avast messages, but damned if I can find it now. But if you seek so shall you find. Good luck.
ACs don't waste your time replying, your posts are never seen by me.
Two things:
A question Linux users do not have to care about.
Wow, they were using perforce. I'd say that rules out a virus ;-)
I dumped M$ operating systems years ago due to this same reason, among others. Many windoz programs are wired to "call home" with your personal data. Even the Windows OS phones home when you are not looking, or at least is designed to. I circumvent this by either locking my firewall or unplugging the cat5 connection when running windoz, and doing all my internet work from within Linux.
This programmed-in behavior might be benign, but I still don't trust the corporate mentality to design products this way.
Although Linux is not the silver bullet of perfect safety and security, it is light years ahead of the M$ software solution in this regard. I am not a complete Linux fanboy, but believe boycotting M$ is the right choice for those that believe that computing should equal freedom and not being pwned by the dark corporate overlords.
The Mac, BSD, Linux all offer an alternative to M$ lock-in. I run Debian Lenny as a GUI desktop full time, it's every bit as good as XP. Have also been working on a FreeBSD install, but after 3 weekends, still don't have a working desktop. It looks promising but a newbie would have given up after an hour.
"Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
http://pcdserver.shacknet.nu/Downloads/PIFTS.txt is the dump of what happens when I disassemble it back to code. Has some interesting imports:
+++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++
Number of Imported Modules = 8 (decimal)
Import Module 001: KERNEL32.dll
Import Module 002: USER32.dll
Import Module 003: ADVAPI32.dll
Import Module 004: ole32.dll
Import Module 005: SHELL32.dll
Import Module 006: OLEAUT32.dll
Import Module 007: VERSION.dll
Import Module 008: WININET.dll
as well as some other interesting information, check it out, maybe someone can tell me from this what it's trying to do.
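The module list in the dump above is about as far as a strings or disassembler pass gets you. As an added example (not from the poster's dump, not Symantec code), here is a small Python walker for a PE file's import directory that produces the same DLL-plus-function list directly from the file, followed by the two coarse questions a reviewer asks first of an unknown updater: can it reach the network, and does it touch the registry. It handles both PE32 and PE32+ thunk widths, which goes beyond the 32-bit file in the post. SAMPLE_IMPORTS and the build_sample_pe() helper are constructed stand-ins so the script runs offline; on a real file you would call parse_imports(open(path, "rb").read()).

```python
import struct

# Constructed sample (NOT the real PIFTS.exe table): four of the eight modules
# the post lists, each with a few plausible Win32 functions.
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["GetModuleFileNameA", "CreateFileA", "WriteFile"],
    "ADVAPI32.dll": ["RegOpenKeyExA", "RegQueryValueExA"],
    "VERSION.dll": ["GetFileVersionInfoA"],
    "WININET.dll": ["InternetOpenA", "HttpSendRequestA"],
}

def build_sample_pe(imports):
    """Hypothetical helper: emit a minimal PE32 file holding only an import
    directory, in one section at RVA 0x1000 == file offset 0x1000."""
    sect_rva = 0x1000
    desc_size = 20 * (len(imports) + 1)        # IMAGE_IMPORT_DESCRIPTORs + null terminator
    base = sect_rva + desc_size                # RVA of the data placed after them
    blobs, descs = bytearray(), bytearray()
    for dll, funcs in imports.items():
        name_rvas = []
        for f in funcs:                        # IMAGE_IMPORT_BY_NAME: Hint(2) + name + NUL
            name_rvas.append(base + len(blobs))
            blobs += struct.pack("<H", 0) + f.encode("ascii") + b"\0"
            blobs += b"\0" * (len(blobs) % 2)
        blobs += b"\0" * (-len(blobs) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        ilt_rva = base + len(blobs); blobs += thunks     # import lookup table
        iat_rva = base + len(blobs); blobs += thunks     # import address table (same on disk)
        dll_rva = base + len(blobs); blobs += dll.encode("ascii") + b"\0"
        blobs += b"\0" * (-len(blobs) % 4)
        descs += struct.pack("<IIIII", ilt_rva, 0, 0, dll_rva, iat_rva)
    descs += b"\0" * 20
    section = bytes(descs + blobs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<III", opt, 28, 0x00400000, 0x1000, 0x200)      # ImageBase, alignments
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sect_rva, desc_size)         # DataDirectory[1] = imports
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sect_rva,
                       len(section), 0x1000, 0, 0, 0, 0, 0xC0000040)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(0x1000, b"\0") + section

def parse_imports(data):
    """Walk the import directory of a PE file; return {dll: [name or '#ordinal', ...]}."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # COFF SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: 32-bit thunks, data directories at +96
        dir_off, tfmt, tsize = 96, "<I", 4
    elif magic == 0x20B:      # PE32+: 64-bit thunks, data directories at +112
        dir_off, tfmt, tsize = 112, "<Q", 8
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    ordinal_flag = 1 << (tsize * 8 - 1)
    imp_rva = struct.unpack_from("<I", data, opt + dir_off + 8)[0]   # DataDirectory[1].VirtualAddress
    if imp_rva == 0:
        return {}
    sections = []
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    def rva2off(rva):         # RVA -> file offset through the section table
        for va, size, ptr in sections:
            if va <= rva < va + size:
                return ptr + (rva - va)
        raise ValueError("RVA %#x not backed by any section" % rva)
    def cstr(rva):
        off = rva2off(rva)
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")
    result, off = {}, rva2off(imp_rva)
    while True:
        ilt, _ts, _fwd, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:     # all-zero descriptor terminates the list
            break
        funcs, toff = [], rva2off(ilt or iat)   # some packers zero the ILT; fall back to the IAT
        while True:
            entry = struct.unpack_from(tfmt, data, toff)[0]
            if entry == 0:
                break
            funcs.append("#%d" % (entry & 0xFFFF) if entry & ordinal_flag else cstr(entry + 2))
            toff += tsize
        result[cstr(name_rva)] = funcs
        off += 20
    return result

NETWORK_DLLS = {"WININET.DLL", "WINHTTP.DLL", "WS2_32.DLL", "WSOCK32.DLL", "URLMON.DLL"}
REGISTRY_APIS = ("RegOpenKey", "RegQueryValue", "RegSetValue", "RegCreateKey", "RegEnumValue")

def triage(imports):
    """Coarse capability flags: network-capable DLLs imported, registry APIs imported."""
    net = any(d.upper() in NETWORK_DLLS for d in imports)
    reg = any(f.startswith(REGISTRY_APIS) for fs in imports.values() for f in fs)
    return {"network": net, "registry": reg}
```

An import table only says what the binary can call, not what it does on a given run; WININET plus the Reg* family is exactly the combination later posts describe (reading product data from the registry and posting it to a web server), and also what an innocent updater would import, so the table narrows the question rather than answering it.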
stonewallingjackson
ever try getting a response from the slashdot crew?
Ever had a thread deleted by the Slashdot crew?
Precisely.
-FL
Symantec Caught in Norton Rootkit Flap
"Symantec Corp. has admitted to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers..."
http://www.eweek.com/c/a/Security/Symantec-Caught-in-Norton-Rootkit-Flap/
more info from a friend -
It is from Hulu. It lets aliens track your computer and make sure you watch programming. That's how they roll.
also - unicorns.
Could this be the precursor to Skynet taking over the internets and launching nukes everywhere?
Nod32 still borks the TCP stack by default, so I avoid that (what the hell it's even doing hooking into it is beyond me).
Avast is pretty good... you can switch the nag screen off.
semi-speculating here anonymously like a coward.
It's a program identification transfer service (cute name eh?), used to validate the program & edition settings, and transfers customer information that isn't currently covered by the scope of the EULA back to Symantec.
Its intended goal is to track pirated versions of Norton products and fix an oopsie that occurred for quite a few years in the 90s-2008ish era, in particular the large rise of corporate editions that kids are getting in university that have a lifetime free update-subscription package, and shut them down.
Ping Time For Slashdot in Internets
Stupid Users who use
Stupid Software like
Symantec Products deserve
Stupid problems like
This one.
Why are people still using Norton for anything? It's *absolute* 'fascist-bullshit-bloated-doesn't-let-you-uninstall-or-exit-the-app-easy' software.
Why am I *not* surprised at all.
STOP USING THEIR SOFTWARE and shit like this...simply won't happen.
Also on Digg: http://digg.com/security/Tech_Fears_Arise_Over_Norton_and_Pifts_exe
Well thanks!
But now find me a free antivirus scanner I can legally use in a non-profit work environment that also has an active scanner?
AVG and Comodo are really the only two, and if you've tried Comodo's new nonsense (or tried to uninstall it), you'd realize its much worse than AVG as far as usability goes. I had to reinstall windows cause it borked it so bad.
1. Most reviews on the Internet are pure crap. Either they are shills, paid and/or unpaid, or they are lifted from and/or linked from other sites related to whatever site you happen to be on at the moment. Search for reviews, and you will find many that are verbatim the same. Either site ops snarf them from wherever to fluff their lame pages, or people mass post, pasting the same thing in over and over. Niiice. I know, there are reputable sources for reviews. At least until they get found out either taking favors for favorables, or being lazy and reviewing products a month before release.
2. I ditched Norton last year at home - all gone. The first time in at least 19 years, I think, that I haven't had a Norton product on at least one of my machines. AVG is doing at least as well, which is to say that if my wife didn't click on those IQ tests and 'vote now' links, my machines would be free of nasties. A pox on their souls.
Picking a review site is my least favorite task. Hate it.
Oh, and I use my Linux boxen to browse 'questionable' sites. Seems they don't get infected. Or, if I'm really scared, my phone. hehe, let them attack that. The G1 Steel browser doesn't seem to get infected either if I set the agent to 'Desktop'. harrr.....
deleting the extra space after periods so I can stay relevant, yeah.
Great to see that at least one blog I emailed last night picked up on this bullshit. Pretty much everyone else has beat me to the punch as far as what it does. Good job to everyone else.
Disable the HTTP scanning module (which is recommended anyway on webservers). I think it hooks into the TCP stack so it can scan things which will never be written to disk as they enter your PC - eg javascript files used by webpages etc. You don't really need that module for it to work effectively though.
FUD at its best! This is what you get when your primary news source is 4chan.
The file is rather obviously (look at the strings/modules) a small update to the Symantec PIF Alert Engine. See PIFSvc.exe and PifEng.dll (which have been there for a while) for more information. From what I can tell, and I'm not a Symantec user, this is part of the LiveUpdate component; even if it weren't, binary analysis shows nothing untoward.
The real WTF is why Norton are deleting support requests en masse rather than simply sending out a press release.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
Seemed like Symantec was one of the better AV/Security developers for windows for a long time, but recently - within the last 6 months or so - they seem to have just tanked in terms of credibility.
First it was them getting rid of customer services and now it's ignoring virii and security vulnerabilities.
Fun times.
Ave Molech Setting
Thanks for your reply.
As I think you know, one single solution isn't going to cut it. Probably it's best to trial web scans, other products and specifically targeted spyware / trojan detectors alongside specific products, and to watch the market carefully.
You also can't tell (unless of course you ran a full scan with AVG) whether the user proactively scanned using the product, or just failed to understand that on-access scanning is one link in the chain of security.
As for link scanner, I totally agree. An utter crock of shit.
Conversion Rate Optimisation French / English consultant
I fucking just LOVE it when people post "information" which is not backed up by any source or link or anything.
http://www.virusbtn.com/news/2008/09_02
Here are the latest results I could find. Note that AVG is NOT the worst by far. The free version only suffers in its lack of detection for malware but the GP did not say that the free version was installed. Now Avira comes out smelling like a rose in these tests so of course they are recommended but AVG is also very good.
Actually, last time I installed AVG that was turned off by default.
/ yet another smug, uninfected Linux user.
I just hope to God it isn't the free version [....]Why don't people read reviews before buying software?
I think you answered your own question, there :P Of course it is the free version, which explains why the reviews wasn't important.
Anyway, how does one "hope to God"? I am not a religious man, but I thought the procedure was to pray to God and then hope.
Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
Because detection rate is not the one and only criteria. The conversation was more about footprint on the system than how many things it is able to detect.
"But this one goes to 11!"
It's an expression, which occurs on over a million pages in Google. But you're right... I only used it because I've heard it so many times and I've never actually realised that it doesn't make sense :)
Avast! has no nag screen that pops you out of game, though it does have an irritating talking box that pops into the lower right corner to tell you when it updates the VDB or software... fortunately it just takes about 10 seconds and then you're done.
You can turn that off (program settings/update(basic)/details/silent).
they have nothing to hide.
Why are they hiding it?
As already pointed out, this is a strategy the "bad guys" are using to distribute malware more effectively. They have managed to exploit Google's page rankings to elevate their malware distribution pages to the top results for currently popular search terms. I experienced this recently through one of my users -- they had searched Google for news regarding the asteroid that passed close to Earth recently.
The exploit sites seem to be harmless if your browser is even remotely secure. For example, a patched IE7 with FDCC configuration is OK until you click something, at which point you get prompted to run/save "install.exe" or whatever they are pushing.
I was scared to test IE7 with the default config. :-/
Firefox with NoScript turns their pages into very boring text with links that go nowhere.
The domain for these malware sites seems to be "*.xorg.pl"
I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
How ? Everybody knows we don't RTFA.
Which is weird if true, because I am running the Corporate version from the University where I work, and I have not noticed the PIFTS.exe file on any of my machines yet. I assumed this was a non-corporate version problem only. So has anyone out there running the corp version noticed this file on their systems? I am running Symantec Antivirus Corporate ver 10.1.6.6000.
"But this one goes to 11!"
You don't have to pay for it; by "registering" it, he means to go to their web site and give them your e-mail address. I downloaded it, registered it (for free), and I haven't gotten any e-mails from them either. If you don't want to give them your e-mail address, just give them a mailinator address. The only "nag" screens I get are the ones that tell me that the virus database has been updated, and I could disable them if I wanted to.
So, what do you recommend as an alternative? Certainly Norton is poop, and Kaspersky's product makes my system slow as molasses. I sure hope I can get some Linux running on this system, and bypass the whole issue again.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Avast is the only AV software I know of with an interface shittier than the new one in AVG.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
When you use proprietary software, you don't really know what's happening on your system.
If somebody happened to notice a suspicious process on a Linux box, it'd have been the question of 15 minutes to figure out what package the file belongs to, get the source, take a look at it, and find out what it does and why is it there.
Instead what we have here is a mess with some people coming up with conspiracy theories, Norton refusing to acknowledge the issue, and people trying to figure out what this thing does by looking at the output of strings without much success so far.
Things are much easier when source is available.
I did some reading on this, people are saying that the whois information for IP addresses it hits have been changed.
Bottom of page 12:
http://www.abovetopsecret.com/forum/thread444230/pg12
That would seem to indicate something serious...
Here's some pics of the 4chan raid that's going on over at Norton Forums:
http://i41.tinypic.com/2nvtmbn.jpg
http://i41.tinypic.com/20a78s6.jpg
http://i44.tinypic.com/o01g0m.jpg
If there's one thing 4chan hates, it's internet censorship.
When I first saw this here, the first place I looked for additional information was the Internet Storm Center, where they eat this kind of stuff up. And sure enough, they even had a call from someone at Symantec saying that yes, this one is theirs.
Conspiracy theory or no (and it's looking more like no), there are two things that rescue this from dullsville:
In the comments on that SANS article, it's mentioned that yes, Symantec is deleting comments left and right, and meanwhile the talk is slowly wending its way onto the ZoneAlarm forums, which just goes to show that one man's misstep is another man's opportunity. And...
While the story behind the PIFTS file itself isn't terribly interesting, some unsavory rapscallion had noticed its popularity as a search term, and planted malware where people looking for information on it could stumble upon it. Fun stuff, eh? Look for malware information, and find it the hard way.
Google has already removed that link, but it might still be out there, just in case you use a different search engine. And there's no reason he/they won't try again on another site.
You cannot truly appreciate Dilbert until you read it in the original Klingon.
IANAP (I am not a priest) but I would imagine one would "hope to God" by thinking/saying/communicating to God "Gee God, I really hope [fill in the blank] happens/doesn't happen."
DISCLAIMER: I am not a religious person by any means, and was just making an educated guess. Offer only good at participating stores. Limit one per customer. Your mileage may vary.
"But this one goes to 11!"
Pinging stats.norton.com resolves to IP 67.134.208.160.
$ whois 67.134.208.160
Qwest Communications Corporation QWEST-INET-11 (NET-67-128-0-0-1)
67.128.0.0 - 67.135.255.255
SwapDrive QWEST-IAD-SWAPDRIVE4 (NET-67-134-208-128-1)
67.134.208.128 - 67.134.208.255
# ARIN WHOIS database, last updated 2009-03-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
This doesn't really look like a legit business; it looks like some guy's house.
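Added example, not part of the post above: a small Python helper that parses the ARIN output quoted there, converts each address range to CIDR and picks the most specific registration covering the queried address. The check it encodes is that the /25 sub-allocation registered to SwapDrive, not the Qwest /13 carrier block it sits inside, is the registrant to research before reading anything into the WHOIS line. WHOIS_SAMPLE is the text pasted in the post; nothing is fetched from the network.

```python
import ipaddress
import re

# The ARIN output quoted in the post (sample input copied from it, not a live lookup).
WHOIS_SAMPLE = """\
Qwest Communications Corporation QWEST-INET-11 (NET-67-128-0-0-1)
67.128.0.0 - 67.135.255.255
SwapDrive QWEST-IAD-SWAPDRIVE4 (NET-67-134-208-128-1)
67.134.208.128 - 67.134.208.255
# ARIN WHOIS database, last updated 2009-03-09 19:10
"""

# "Org name HANDLE (NET-handle)" followed on the next line by "start - end".
ORG_RE = re.compile(r"^(?P<org>.+?)\s+(?P<handle>\S+)\s+\((?P<net>NET-[\w-]+)\)$")
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_arin_blocks(text):
    """Pair each registration line with the address range that follows it and
    convert the range to CIDR networks. Comment lines (#) are skipped."""
    blocks, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ORG_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = RANGE_RE.match(line)
        if m and pending is not None:
            start, end = (ipaddress.IPv4Address(x) for x in m.groups())
            pending["networks"] = list(ipaddress.summarize_address_range(start, end))
            blocks.append(pending)
            pending = None
    return blocks

def most_specific_block(blocks, ip):
    """Return the registration whose network has the longest prefix containing ip,
    or None if no block covers it. Longest prefix wins over listing order."""
    addr = ipaddress.IPv4Address(ip)
    best, best_len = None, -1
    for b in blocks:
        for net in b["networks"]:
            if addr in net and net.prefixlen > best_len:
                best, best_len = b, net.prefixlen
    return best

def containment_chain(blocks, ip):
    """All covering registrations, most specific first, as (org, NET-handle, cidr)."""
    addr = ipaddress.IPv4Address(ip)
    hits = [(net.prefixlen, b["org"], b["net"], str(net))
            for b in blocks for net in b["networks"] if addr in net]
    return [h[1:] for h in sorted(hits, reverse=True)]
```

On the posted data, containment_chain(parse_arin_blocks(WHOIS_SAMPLE), "67.134.208.160") lists the SwapDrive /25 ahead of the Qwest /13, which is the order in which to chase the registrant.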
or 2
Pentagon Information File Transfer System
Pentagon Initial File Transfer Study
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
I don't have a web site, so how is it going to mess up my web stats?
Illegal, because someone decided to use clicks as their measurement? Why not make a better technology that doesn't suck so bad, instead of legislating?
No press coverage? The FIRST time something happened in 15 years? I don't believe nobody has been interested in being the first one just because few people use Linux. What about vanity?
Or what about MS looking forward to telling us 'Linux is not secure'?
There would be press coverage.
I used to recommend NOD32 but not anymore, given these tactics. Tried it and confirmed it for myself that they were doing this. I use Avast on my Windows box, and although it uses more resources than NOD32, it's not nearly so much more as to be a deal-breaker. And the actual level of protection seems to be about the same -- mind you, I make these observations after trying both on various computers over a period of three years.
I dream of a better world... one in which chickens can cross roads without their motives being questioned.
Just make sure that signature doesn't get added to the AV vendors lists. Much simpler than an out in the open executable. And if you want to build in a rootkit, it's much easier to build in a subtle root exploit (remember that single equals with obscure race conditions that was found in Linux a while back?).
[FUCK BETA]
Yes I heard it has gotten better over the years but I still see computer after computer crippled by their bloated software. It wouldn't surprise me if it was a rootkit of some sort which was used in older versions of Systemworks.
I got rid of Norton after I saw such a huge hit I was taking on startup time and hard drive access time. If you check comparatives on anti-virus products you'll find many offer the same or better protection without the performance hit.
Personally I have been very happy with Nod32 by ESET. Its startup is slower on my personal vs. work machine and I had to have it exclude some areas for false positives but overall it has been very efficient.
"They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" Franklin
Heh, I wouldn't trust them too much:
I say this, because someone on their forums has taken to impersonating me there, by registering as myself there (which is just going to make me go to their hosting provider and have them remove it, & if that fails, I will employ the local law enforcement in their area to do so - I've had to do this before to a Mr. Jeremy Reimer and Mr. Jay Little of arstechnica, who had their websites @ CrystalTech.com & petitiononline.com removed in their entirety or in large portions):
http://dis.4chan.org/read/prog/1235936964/1-40
I came across this impersonation of myself online (via cuts & pastes of my posts here) right after I posted about Windows VISTA, Server 2008, & Windows 7 removing port filtering and also making it impossible to use a 0 inside of a HOSTS file to block out bad IP addresses.
This "oddly" seems to have happened only after when I also caught one of your own here @ slashdot, "The End of Days" -> http://slashdot.org/comments.pl?sid=1147437&cid=27056793 admitting to using multiple registered accounts to "mod himself up" here and to use those same registered accounts to mod down others (on top of his use of ac submissions as well to also make it appear he has further supporters).
Man, to the "The End of Days": I would be a bit worried now were I you, because now it's out of my hands @ this point, & you're the only person who might have any reason to do so. Now, I will just go to the hosting provider involved for that website to take care of it, & if I get resistance of any kind, I will prosecute you to the fullest extent of the law.
Next, it's law enforcement who will be contacted, for both libel & criminal impersonation (or whatever charges it carries - you only brought this on yourself).
APK
Norton Antivirus is asking users if they want to accept it.
So it's opt-in, what's your problem? You want vendors to explain what their program does? Use open source. Oh, and this is a security application. They can't possibly give people control over what runs on their computer, that wouldn't be secure.
I think it's pretty obvious that I meant it messes up the web stats of the websites you're visiting, not of your own websites. Which if you don't own any websites, you probably don't care. But you will care when you realise how slow it's making your Internet connection as it goes off and downloads the first page of every site that is linked to from the page you're currently looking at, just in case you click it. That uses a LOT of extra bandwidth and seriously slows down your browsing experience.
And I have a friend that works there that claims that not to be true. He also claims that Santa Claus is the CEO of Symantec
See how easy it is to refute any information from "an anonymous friend of an anonymous friend", and also how easy it is to put ridiculous FUD in at the same time? Why should we believe you any more than anyone should believe my post?
"But this one goes to 11!"
Exactly how fucking many processes does Norton need to have running at one time???
/* No Comment */
Digg.com is also trying to bury this story. Stories referencing PIFTS.exe being deleted from search results. Source
Symantec Corporation
20330 Stevens Creek Blvd. Cupertino, CA 95014
tel +1 408 517 8000
fax +1 408 253 3968
Make their lines so busy they don't have a choice but to answer us.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I'd be pissed if the feds came knocking because my AV software 'clicked' on a link to kiddie porn, hate-speech, or some other UnRightThinking site.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
Hmm, spend my time finding a review site I trust, or several sites which seem to agree (which to me is like the problem of the man with two watches - because they don't agree, he never knows what time it is)
OR
Harness the power of the /. collective by reading all the replies to my post.
Granted, that doesn't always work - since not every post attracts a useful cross-section of opinions, but I now know what products I should go look at if I decide that AVG isn't cutting it.
It's definitely a step up from Norton in terms of detection rate ... which I can confirm with a sample of 2 out of 2 machines being "clear" according to NAV, and infected and cured according to AVG.
Reason why there is hope for the future generation #364:
"I wish my grass was emo so it could cut itself."
This has over 300 diggs and yet is blocked from the front page.
Deepak: PIFTS means Public Internet and File Tracking System So your grandfather's computer might be vulnerable to intrusions.
Deepak: Yes you are correct. we need to check the Norton Settings on the computer and we do have a Virus removal team who can help in detecting that Intrusion manually and help in removing it completely.
Deepak: If you wish I can transfer you to them right now and they will tell you how to remove it manually and then we can help in configuring the Norton Program
Mr. T H: So it is a virus?
Deepak: No it is not a Virus It is an Intrusion. Which tries to hack that computer
Deepak: No Sir It is not related to Symantec
I actually had this pop up last night as well.
Funny thing is, I "uninstalled" Norton months ago.
That is referring to a free virus removal tool given out for free by Kaspersky. That's not even an active scanning engine.
Personally Kaspersky was one of the best I've run. But currently I'm running McAfee, *gasp* I know, everyone on /. hates it but I find the Enterprise version really good. I'd never run their current home version though.
I'd be pissed also. Why the hell are they tracking where people click? Especially up to the point where you haven't yet bought anything from said site.
You'd only have to use a zombie attack once to make that method of law enforcement invalid. New business model for botfarm owners -- hitting "bad" sites to disguise legitimate IPs.
Unix attacks are difficult because Unix has a security philosophy that no user program should be able to compromise the system. Any security hole is allowed to be closed. So any attack by default can be closed.
On the other hand, Microsoft has for decades required that security holes be kept open, such as the old MS-DOS requirement that applications be allowed to directly access the disk drives. Antivirus tools then had to wedge in exceptions to the required lack of security.
It will run just fine under WINE, it just takes a few adjustments in the configuration.
"But this one goes to 11!"
Groovy. That's a plus. :)
I'll check it out after work. Thanks to both of you. :)
Does it cache these pages it downloads? Because if it does, that would generally speed up my browsing experience. Instead of waiting for me to finish reading the current page and click on something from there, it's already loading it while I read? So every time I follow a link it's already in the cache and comes up instantly? Count me in!
If the masses can keep you down, you're not the Ubermensch.
By then, people might be running VM's within VM's to avoid this kind of ... stuff.
Or perhaps, there will be 5 different lightweight sandboxes like Plash, with each sandbox scanning for attempts to exploit known vulnerabilities of the other sandboxes (this wouldn't prevent some people from getting owned, but it would expose malware quicker).
Symantec has responded - see this article:
http://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html
Why don't people read reviews before buying software?
Well, if it's free there is no "buying"....
I won't post any links to specific reviews, because someone will say I've cherry picked the source of the review, so just google it.
Actually, I did just that recently. I found that among the free AV software AVG wasn't the best with the free version, but was still in the top 3 or 4 consistently.
I also noticed that the free versions of AVG, Avast, and a few others rated equal to or better than most paid solutions, although a few did beat them out.
All in all, in terms of AV capability, the free versions were all on par or better than the paid versions, which only tended to pull ahead because they include "Ad Blocker" and "Anti-Adware" type features.
As someone else said, post your citations because what the rest of us are finding contradicts your statements.
Explain that to people who have their laptops seized at the border and have been arrested for child porn for images that were in their browser's cache directory. The user may have never even seen those images if their browser decided to 'helpfully' preload linked pages and images for speed, or if a site dynamically loaded the image (web 2.0, I'm talking about you), or if their AV software did it.
Authoritarian measures 'for the children' always stomp on rationality.
Can't you just run an antivirus scan on PIFTS.exe to see if it is in fact a virus? I mean, Norton antivirus is already installed!
I've a little insight relevant to this situation you might like to know before you superglue your tinfoil hats on.
First, let me clearly state that I do not work for Symantec; I have worked on 'security' software for companies that will not be named. (This is my opinion, not theirs.) And no, I have not hacked the programs to identify exactly what that file does.
Root kit? You're dealing with powerful software that wants to be able to interrupt the actions of malware. As such, they tend to run in Ring 0, and hide certain parts of themselves so they can't be easily targeted by malware. The 'invisibility' to the user is just a side effect.
Why keep it secret? Very simply, the malware writers aren't all that talented (most, not all) and can't program their crap to disable what they don't know about. Yes, safety through secrecy. An old idea that is officially shunned by most modern security experts, but still widely used because it works when it's kept secret.
Forum Deletions? Yeah, that may be part of the trying to keep it secret, but somebody really screwed up there. Everybody should know by now that deleting posts will only piss off the users and cause an instant internet sensation, kind of like this, the exact opposite of what they probably wanted. Besides, deleting other people's valid and non-offensive posts is rude.
Proper response? Kinda hard to second guess, but I would have suggested an honest yet vague answer.
"That file belongs to (software whatever), and I can not discuss it's functionality in this forum. The alert was unintentional and we are currently working to resolve that situation, please keep checking for updates."
No lies, all facts, nothing important given away to malware writers. Something like this would have made this entire event a non-issue, just another bump in evolving software. As to the update being worked on, yeah, that's a given. They are always working on updates, especially when something blows up in their face.
Oh yes, one more small thing. That file may keep disappearing because it may only have a transient existence. Some programs are only removed from archive and dropped on the drive under specific non-continuous situations, after which, they are deleted. One example of this is how some software does its live updates. So just because the file isn't there when you go looking for it doesn't mean as much as some people seem to think...
Why would a third party "security" product require a secret law-enforcement backdoor? The FBI, CIA, NSA, etc. would simply have Microsoft provide a backdoor into ALL of Windows.
At which point your 3rd party firewall/AV software will kindly block outbound attempts & report a rootkit.
I'm not saying you're wrong about the shenanigans part, but your debunking logic is failing.
It is much more likely this is simply part of Norton's license-checking mechanism, and someone dropped the ball when packaging a recent update.
...one thing I think no one will deny is that it's a version of Windows far more capable of taking care of itself...
How is asking the user to "cancel or allow" taking care of itself? All they have done is let the helpless newborn of XP grow into a continuously wailing baby.
The file appears to be entirely non-malicious, and related to Norton's security product. Its build date of Thursday March 5th suggests it has only just been created. PIFTS attempts to connect to a webserver (stats.norton.com), passing information such as installed product information, version number, and a series of other non-obvious parameters. Some of this information it extracts from the Windows registry. The file PIFTS.EXE is about 100k in size, so it would take some time to analyse in detail. However, we feel fairly comfortable in debunking the internet rumours claiming that PIFTS might be a rootkit or government-sponsored backdoor to spy on the masses. We think it's more likely that Symantec's programmers simply forgot to properly tag the file as having permissions to perform its functions. Indeed, a private communication from a Symantec employee reassured us that the problem was more likely to be an error by one of their staff than a sinister plot against its users. We understand that an official statement from Symantec will be available soon. Our guess is that PIFTS is some kind of feedback component designed to gather statistics about Symantec's products, or an auto-update component. If we find out any more we'll let you know.
Symantec has a post on their forums here explaining the situation. They claim that it was an erroneously unsigned update that caused the problem, and the erasure of forum posts was due to spamming of the forum.
You aren't supposed to use AVG Free in *any* work environment, even non-profit. Copy and paste from http://free.avg.com/download-avg-anti-virus-free-edition
Licensing details
* AVG Anti-Virus Free Edition is for private, non-commercial, single computer use only. The use of AVG Free within any organization or for commercial purposes is prohibited.
Redundancy is good And also good.
Says that the patch went out unsigned, then 200 user accounts were created in a short span of time spamming the boards about the update.
http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119
Norton sucks, nuff said.
Thanks for reminding me of such a good old meme.
google on chkrootkit
Here is the list that chkrootkit currently finds but be aware that these are not "self installing" like Windows malware. You need an unpatched vulnerability to install one of these rootkits. BTW I am an extreme Linux fan:
01. lrk3, lrk4, lrk5, lrk6 (and variants); 02. Solaris rootkit; 03. FreeBSD rootkit;
04. t0rn (and variants); 05. Ambient's Rootkit (ARK); 06. Ramen Worm;
07. rh[67]-shaper; 08. RSHA; 09. Romanian rootkit;
10. RK17; 11. Lion Worm; 12. Adore Worm;
13. LPD Worm; 14. kenny-rk; 15. Adore LKM;
16. ShitC Worm; 17. Omega Worm; 18. Wormkit Worm;
19. Maniac-RK; 20. dsc-rootkit; 21. Ducoci rootkit;
22. x.c Worm; 23. RST.b trojan; 24. duarawkz;
25. knark LKM; 26. Monkit; 27. Hidrootkit;
28. Bobkit; 29. Pizdakit; 30. t0rn v8.0;
31. Showtee; 32. Optickit; 33. T.R.K;
34. MithRa's Rootkit; 35. George; 36. SucKIT;
37. Scalper; 38. Slapper A, B, C and D; 39. OpenBSD rk v1;
40. Illogic rootkit; 41. SK rootkit; 42. sebek LKM;
43. Romanian rootkit; 44. LOC rootkit; 45. shv4 rootkit;
46. Aquatica rootkit; 47. ZK rootkit; 48. 55808.A Worm;
49. TC2 Worm; 50. Volc rootkit; 51. Gold2 rootkit;
52. Anonoying rootkit; 53. Shkit rootkit; 54. AjaKit rootkit;
55. zaRwT rootkit; 56. Madalin rootkit; 57. Fu rootkit;
58. Kenga3 rootkit; 59. ESRK rootkit; 60. rootedoor rootkit;
61. Enye LKM; 62. Lupper.Worm; 63. shv5;
4chan created a media craze out of nothing. This is all hype with little substance. In fact the majority of his statements don't even make sense. A good article on what this file is and debunking some of 4chan's comments can be found here:
http://www.bleepingcomputer.com/forums/topic210051.html
The good ole USA (and Australia, etc).
you had me at #!
I've created a VM to test this odd file.
It's running Vista Ultimate with only Firefox, Sysutils, WinRAR and Ethereal. Ethereal was capturing packets and Process Explorer was on while I opened PIFTS.exe, and here are some results:
Here's the Ethereal cap:
http://depositfiles.com/en/files/s8c2vc28l
http://www.badongo.com/file/13798737
http://www.zshare.net/download/5683930905ad4050/
And here's a Process Explorer dump in CSV:
http://depositfiles.com/en/files/2fjy817zw
http://www.zshare.net/download/568396534f56ccb8/
Furthermore, here are all strings from the file:
In 8-bit letters: http://pastebin.com/f6804af02
In 16-bit letters: http://pastebin.com/f3a358c9b
And finally, a hexdump of PIFTS.exe:
http://depositfiles.com/en/files/cehmf48ja
http://www.badongo.com/file/13799152
http://www.zshare.net/download/5684063249cec4d9/
Note that I haven't read all of these yet, but while skimming through the cap and the csv dump, I *was* able to see PIFTS trying to contact stats.symantec.com and accessing the registry. The specific files hold more info.
-Spidey
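An added example of the 8-bit and 16-bit strings dump the post above refers to, and of what a reviewer looks for in one: registry paths the file reads and hosts it contacts (the post saw stats.symantec.com, the analysis earlier saw stats.norton.com). This is my code, not the poster's tooling; the byte string it scans is constructed here, and the registry path in it is a placeholder, not something PIFTS.exe is known to use.

```python
import re

MIN_LEN = 5  # shortest printable run worth reporting

# Printable ASCII bytes, run of MIN_LEN or more (the "8-bit letters" dump).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE as Win32 "W" APIs store it: printable byte, zero byte, repeated
# (the "16-bit letters" dump).
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Heuristics for the two string classes the thread cares about.
REG_RE = re.compile(r"^(HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU|SOFTWARE|SYSTEM)\\", re.I)
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+\.)+[a-z]{2,}(?:[/:?].*)?$", re.I)


def extract_strings(data: bytes):
    """Yield (file_offset, encoding, text) for every printable run."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def classify(text: str):
    """'registry' for registry paths, 'network' for hostnames/URLs, else None."""
    if REG_RE.match(text):
        return "registry"
    if HOST_RE.match(text):
        return "network"
    return None


def triage(data: bytes):
    """Return {'registry': [...], 'network': [...]}: unique strings of each
    class, ordered by the offset at which they first appear in the file."""
    found = {"registry": {}, "network": {}}
    for off, _enc, text in extract_strings(data):
        kind = classify(text)
        if kind and text not in found[kind]:
            found[kind][text] = off
    return {k: sorted(v, key=v.get) for k, v in found.items()}


# Constructed sample (not bytes from PIFTS.exe): binary noise around a
# UTF-16LE registry path (placeholder vendor), an ASCII hostname, an
# imported API name and a URL, the kind of mix a strings dump shows.
SAMPLE = (
    b"\x00\x01\x02MZ\x90\x00"
    + "SOFTWARE\\ExampleVendor\\LiveUpdate".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe" + b"stats.norton.com" + b"\x00"
    + b"\x7f\x80" + b"GetTickCount\x00"
    + b"https://stats.norton.com/submit?v=1\x00"
)

if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        for s in items:
            print(f"{kind:8} {s}")
```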
Damn them, giving me more work to do :(
I read their first sentence on the same page and figured that it meant it was ok for non-profits:
AVG Anti-Virus Free Edition is only available for single computer use for home and non commercial use.
Then besides Comodo, is there any free AV with an active scanner?
begin::apathy
/apathy
I'm sick of talking about this... who cares what it is? Potential Possibilities:
A). Malware--Another piece of malware on a windows system... who cares... they deserve it if they use windows (and by that I mean it's only a matter of time until they caught something else anyways)
B). Virus -- a yet unidentified virus etc. Once again, who cares, there are millions of these things out there.
C). Symantec Rootkit -- once again, who cares, people have got to be snorting something if you don't think feds have surveillance code in windows to start with... it's just one more group monitoring us; big deal.
Either way, I'm just tired of reading about it on all the websites I frequent and I'm looking forward to laughing about this later when someone does figure out which of the above it was (the solution to which also does not affect me).
The first post on the issue, made by a member identified as an employee, can be found here:
http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119&jump=true
It is reproduced below for the lazy:
---
Hi everyone,
Symantec released a diagnostic patch "PIFTS.exe" targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 - 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec "unsigned", which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.
There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation. At approximately 10:30 pm ET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec. Below are some examples of the forum spam we received from these new user accounts. These forum posts contained no text in the body of the message, simply a subject:
* O LAWD IM CHOKIN ON PIFTS PLZ HALP
* OH GOD YOU GOT CHOCOLATE IN MY PIFTS
* If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E
* IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?
* PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE
* I LOVE MY PIFTS.EXE
Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.
Finally, it has also been reported by the Washington Post that hackers are taking advantage of this situation. "Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them." When searching for information on "pifts.exe," Symantec strongly advises all users to be wary of following links to unknown sites as malicious users are attempting to use this hot topic to distribute malware.
Message Edited by davecole on 03-10-2009 12:45 PM
----
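A defender's check for two points raised above: the build date quoted in the earlier analysis, and the statement's explanation that the patch went out "unsigned" and so tripped the firewall prompt. This is an added example, not Symantec's code: a stdlib-only Python parser that reports whether a Windows PE file carries an Authenticode certificate table at all, where it sits, and the COFF build timestamp. The PE image it runs on is constructed inline to exercise the parser and is not PIFTS.exe.

```python
import struct
import datetime

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory index of the certificate table


def pe_signature_info(data: bytes) -> dict:
    """Parse a PE image held in memory and report whether an Authenticode
    certificate table is attached, where it sits, and the COFF build time.
    Presence of a table is not verification: run signtool.exe verify or
    Get-AuthenticodeSignature for that. Raises ValueError on non-PE input
    (struct.error on a truncated header)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE\\0\\0 signature not found at e_lfanew")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, _nsections, timestamp, _symptr, _nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, dirs at +96
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+: 64-bit fields push them to +108 / +112
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off = cert_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY and entry + 8 <= opt + opt_size:
        # Unlike every other directory, this entry holds a raw file offset,
        # not an RVA: the certificate table lives outside the sections.
        cert_off, cert_size = struct.unpack_from("<II", data, entry)
    return {
        "signed": cert_size > 0 and cert_off + cert_size <= len(data),
        "cert_offset": cert_off,
        "cert_size": cert_size,
        "build_time": datetime.datetime.fromtimestamp(
            timestamp, datetime.timezone.utc),
    }


def build_sample_pe(cert_size: int, timestamp: int) -> bytes:
    """Constructed PE32 image for exercising the parser (not runnable code):
    DOS header, PE header, 16 empty data directories, zero sections, and an
    all-zero dummy certificate table of cert_size bytes appended at the end."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    opt_size = 224                                          # PE32, 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + opt_size        # = 312
    if cert_size:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt) + b"\0" * cert_size


if __name__ == "__main__":
    # 1236211200 is 2009-03-05 00:00:00 UTC, the build date quoted above.
    for size in (0, 256):
        print(pe_signature_info(build_sample_pe(size, 1236211200)))
```

To run it on a real file, pass `open(path, "rb").read()` to `pe_signature_info`; an unsigned binary reports `signed: False`, which is exactly the condition a firewall keying on publisher trust will prompt on.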
What I don't understand is that I got the PIFTS.EXE warning from McAfee, not Norton. I originally had an OEM Norton installation on my notebook PC, but immediately removed it, months ago, as our corporate standard is McAfee. But it seems that the removal was far from complete; on closer examination there's still a Norton process and service running, and apparently these triggered an update and the subsequent McAfee alert. So my question is, what is a Norton process doing on my computer, when I ran the default uninstall routine and it terminated normally?
Symantec has (finally) responded with a sticky on the forum from "davecole".
It's a statistical reporting tool that is normally included in patches, however due to an internal screwup, it was not signed. Because it was unsigned, the firewall looked at it quite skeptically.
They also attempt to explain their actions on the forum; from their description, it sounds like a typical Ebaums/YTMND raid. Their admin response was to carpet bomb the forums with bans and deletions indiscriminately. I don't think this is very professional of the admins; it reminds me of how Habbo responded back in the day. When you're the mouthpiece of a company that size, you should know that an overly aggressive response to a raid will do you more PR damage than just letting it go.
Legalize recreational marijuana. Seriously.
n/t
This is just another reason why the company I work for is going to ditch SAV. We're testing Vipre right now. So far their customer service and sales team are responsive, knowledgeable, and, oh snap, their product is very good at cleaning up malware and viruses.
You hear that, Symantec?
Ummm, hate to reply to myself, but how is this offtopic? He said he couldn't use Avast because you can't turn off the update messages; I said it IS possible, but I didn't have the link handy. Well here it is, just as I said, and for those that can't bother to click on a link the correct answer is: Right-click the Avast icon in the tray and select Program Settings. Then select Update (Basic) and uncheck the sliding box notifications and select Silent. You can also enter the time in minutes between update checks. I use 1440 (24 hours). So there you go.
ACs don't waste your time replying, your posts are never seen by me.
Or so they tell The Enquirer. Symantec update triggers firewall, many wounded. Go figure. :D
I have a black ban on installing anything from Symantec (or McAfee for that matter) on any computer that I own.
I use AVG for anti-virus and my router as a firewall.
Now if only I could find a way to stop Windows from ever turning on the Windows firewall.
You should have used -iname instead of -name.
On at least some mounts you would have found neither pifts.exe nor PIFTS.EXE
Some people multi-boot, so this is not as far fetched as it seems...
What the fuck are you talking about?
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Tut, tut
This "Norton" thing is a symbiont like the thing that chick in deep space 9 had (i.e. you take it away and it kills you?), but it was also hiding behind the grassy knoll some time near the early 1960's?
and big brother is trying to root our kit so we can't post about the aliens, err weather balloon, we weren't meant to see?
hmmmm.... glad i dont use that "windows" thing...
solution as posted i'm sure 30billion times already:
http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119
Avira is faster and better at catching virus.
For "uncleanable" infections, you should try a combination of IceSword and ComboFix.
Are you high? Talking out of your ass? Machines in China are constantly attacking my Linux servers and trying to upload virii.
The reason there are negligible virii on Unix/Linux is these operating systems were designed to be secure, networked, and multi-user. Microsoft's products are designed to extend their monopoly (in secret) and that is why they are so vulnerable.
I won't post anonymously. I am in the security field, and I have no current agreements with anyone which would preclude me from agreeing with the quote above.
In my opinion the quote above is not that far off base. It's not exactly a backdoor though, as federal law enforcement agencies do not need back doors to install ML or any number of other sprojans (spy trojans) on Windows machines. While I will absolutely not get into the specifics of how this dll works, I will say this:
Imagine a big honkin' SGI-O2-blue (the type of blue, not the type of machine) refrigerator in a rack, plugged directly into a core router on a big internet hub (or even a small one) and munching down every single packet it sees and analyzing them for routing and content. That's Carnivore.
Now imagine someone's brain beginning to work and realizing that really the most efficient way to see internet traffic is not to do deep-scans on the service provider side, but to instead do all that data harvesting locally on the physical node in question and sending the results periodically offshore (where all domestic spy material must stop first, by federal law) where they're combed through by any number of security people working for the man.
That second one is not Carnivore. It's a much, much more serious matter.
Interesting. A lot of those strings look like registry keys.
"I am an Adept of Tantric VAX."
This slashdot article is possibly an attack on the /. community.
Yeah, it would be logical to try and infect all these Linux users...
Wait, what?
See here:
http://slashdot.org/comments.pl?sid=1154933&threshold=-1&commentsort=0&mode=thread&pid=27137671
and more importantly here:
http://slashdot.org/comments.pl?sid=1147437&cid=27066233
Where "The End of Days" here was caught admitting first (in the 2nd URL) to having multiple registered accounts here (to mod himself up no doubt & to make it appear as if he has supporters of his posts, you know the type: Online losers basically that think they're "smart" until they get caught & have to admit it as he has)
APK
P.S.=> All the result of my tracking him here after he has harassed myself here on this site starting here -> http://tech.slashdot.org/comments.pl?sid=1143349&threshold=-1&commentsort=0&mode=thread&pid=27012231 in a post I made that's been modded up as +2 interesting & also over @ Microsoft where myself & a few others are confronting Microsoft on it, where they are ASKING people for improvements they'd like to see in Windows 7... apk
P I F T S... could it be...
Personal Information File Transfer Service ???
That does sound like the kind of name a programmer would come up with.
Well, that's the problem with windows: you need to install a lot of binaries from various third party sources to get your system into a usable state.
Apologies beforehand for the snideness, but that really teaches you to do things securely...
I love that the Google Adwords engine thought to put an Ad for Symantec on the top of this page :)
"You love to go to the Planet-Arium"
Yeah, I had tried Combofix on this one virus, but it was entrenched into the safe-mode startup for windows as well... very weird. I couldn't get Combofix to let me at it, but it couldn't see the file (cloaking after activated, I imagine)... so I had to use a Linux boot disk to get at the file that way. Got it out finally, but it was a good one.
My story, as I fixed it, is posted here: http://www.spywareinfoforum.com/index.php?showtopic=120095&mode=threaded&pid=659165
Agreed - I found AVG to work well on lesser machines, and it was usually able to detect more than the outgoing virus checker (often McAfee), as it would always find things that shouldn't have been there (not just leftover reg keys either - exes and dlls). Of course, this is not something you can measure, so I can't show you documented proof anywhere about this... which is why I reference detection rate, as it's a metric (though, as I mentioned, it should be taken with a grain of salt.)
So, what better "review" can you point me to? Or, where is this review that says AVG is "the worst" Mr. OP?
The first rule of the Norton forums is that you don't talk about the PIFTS program.
Can you quote a source that is not the Reverend Sun Yung Moon?
Quotation:
Symantec released a diagnostic patch "PIFTS.exe"
(They admit that their liveupdate software deployed something which might not necessarily have been written by them that targeted their software)
targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009.
This patch was released for approximately 3 hours (4:30 - 7:40 PM March 9, 2009 Pacific Time).
In a case of human error, the patch was released by Symantec "unsigned",
(Lol ^ funny )
http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119
They flat out tell us what it is, and it makes sense to me, though it is really bad judgement in my eyes.
Awesome, I've been looking for that feature and just hadn't come across it. Thanks.
Try not to take me more seriously than I take myself.
Just to switch entirely to Linux or OS X?
you had me at #!
Hello everyone,
I'm one of the administrators for the Norton Community Forums. First off, I would like to apologize for the removal of legitimate posts, and delayed response in acknowledging the PIFTS.exe issue. While the reason for merging like-posts into a single thread was not intended to silence the voices of the users, we do understand that it ended up causing a lot of suspicions about the topic. We are sorry for the confusion that we have caused, and have developed new strategies to ensure this doesn't happen again.
We launched the beta of the Norton Community Forums in April 2008. We've been very transparent with many issues that have come up on the boards, and utilized this opportunity to have more open discussions with those who use our software. We have also been very lenient with posts. There are threads on the forums that are critical of our products and discuss non-Symantec scanning software recommended by other users, as well as other non-relevant 3rd party software. I'm not saying this to get a pat on the back, but to acknowledge that we encourage open and honest communication on our forums. We strive to be transparent and give our customers the best information as quickly as possible.
We've spent the past 2 days compiling all the information regarding PIFTS.exe and detailing what it does. We've also included information regarding the timeline of events that happened on the forums. To view this information, please visit this forum thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119
We also have a discussion thread for all things PIFTS.exe related at the following thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39123
Please read through the above two threads if you have any questions, as many questions have already been addressed (such as rumors that we sent personal information to our servers, rumors regarding sending information to Google, and other rumors that we were involved in a conspiracy or "cover up").
We welcome you to join in on the discussion if you have any concerns that need to be addressed.
Again, we're sorry for the mishap and all the confusion that this has caused.
Cheers,
Tim Lopez
Norton Forums Administrator
http://community.norton.com/
It appears that Symantec/Norton is up to their old tricks again
Censoring any person, be it a paying customer or not, that asks them a viable question on their forums relating to one of their most recent blunders, the release of their Update V.16.5.0.134 & V.16.5.0.135.
As of this blog I have now been Banned from the Norton forums.
I will provide you all with my Original Thread Starter (questions) on the Norton forum that was directed toward Mr.Dave_Coleman, Symantec Employee, prior to him deleting my thread, editing it, re-posting the edited version back on the forums minutes later, then deleting another post that I had made in reply, thereafter forwarding on toward his PM & his banning of me on the forum:
To Dave_Coleman Regarding The 16.5 Update
Chris1
Regular Contributor
Posts: 68
03-23-2009 06:02 PM
Chris1
Message 1 of 1
Viewed 1 time
This question is directed to Mr.Dave_Coleman, no one else need reply in this thread outside of him.
What is Symantec doing to rectify Error 8921,246 & Error 8921,301 that some users of your product are receiving?
Symantec you have paying customers that expect to receive what they pay for, that is a FULLY OPERATIONAL PRODUCT!
Above as you can view was my original post in the thread that I started on that forum.
A minute thereafter posting such, I find that my original thread was DELETED entirely, then miraculously reappears, edited for Symantec's liking, by whom you ask? Dave_Coleman of course. This along with a follow-up post by the Norton forums' so-called Guru cgoldman.
Re: Regarding The 16.5 Update
What is Symantec doing to rectify Error 8921,246 & Error 8921,301 that some users of your product are receiving?
Symantec you have paying customers that expect to receive what they pay for, that is a FULLY OPERATIONAL PRODUCT!
Message Edited by Dave_Coleman on 03-23-2009 06:24 PM
Next Norton forums Guru cgoldman appears out of the blue with a reply in my thread:
cgoldman Spyware Scolder*Guru
Spyware Scolder
Posts: 643
03-23-2009 06:33 PM
cgoldman
Message 2 of 2
Symantec are working with me to isolate causes of these errors. It requires a programme to be written which will acquire data from one or both of my two affected machines (the other 5 do not suffer this particular problem although 1 of the 5 is unable to update to 16.5).
Meanwhile, if you refer to any of the three threads that relate to these error msgs you will see that there is a new temporary workaround suggestion. This is somewhat easier to implement than the 1st workaround and applies where users have a router with a hardware firewall. The suggestion is that you retest having disabled the hardware firewall. Of course I quite understand if you do not wish to do so, and in that event you may of course await any solution to be patched in due course.
I then re post as below :
WTF is going on here? My original thread/post and its title is being changed by Mr.Dave_Coleman without him even answering the questions that have been directed to him by me?
Furthermore cgoldman, what part of the English vocabulary do you NOT understand? This thread that I started, including the questions that I have asked, were directed at Mr.Dave_Coleman and NOT you!
cgoldman are you actually Mr.Dave_Coleman that is using a different nick on this forum or not?
Poof, within seconds the above post of mine in that thread is DELETED.
I then receive a PM. I view the PM and it is from, guess who, Mr.Dave_Coleman.
It states :
16.5 Update
From: Symantec Employee Dave_Coleman
Date: 03-23-2009 06:31 PM
Hi Chris1,
There is no need to call anyone out by name on the forums. This is an open community forum and is available for anyone from Symantec to reply. If you wanted to message someone directly, please use the Private Message feature as I am using now. I have edited your post to remove my name from the message.
Unfortun