March 10, 2009 12:43 PM PDT

Symantec creates havoc with unsigned Norton patch

by Elinor Mills

Symantec released a diagnostic patch for some of its older Norton products on Monday night that did not identify its origin and thus triggered alerts on user firewalls, the company said Tuesday.

The patch for 2006 and 2007 versions of Norton Internet Security and Norton Antivirus, a program dubbed "PFST.exe" (Product Information Framework Trouble Shooter), was distributed to collect anonymous statistics on matters such as how many computers are using the products and what operating system they are running, Jeff Kyle, group product manager for Symantec consumer products, said Tuesday.

Because it was unsigned--a result of human error--firewalls started prompting users with messages asking them if they trust the patch, Kyle said. Of course, because the patch had no signature indicating it was from Symantec, users didn't know whether to trust it and many of them went to the Norton user forum for answers.

The company pulled the patch after three hours and then unwittingly laid the groundwork for conspiracy theorists after it started deleting forum posts related to the matter. The company was not censoring the posts, but fighting off a spam attack, according to Kyle.

"At the same time we were pulling down the patch a spammer created a new account on our forum and minutes after that there were 200 new users all targeting the same thread," he said. "Within the first hour there were like 600 posts to that thread. Obviously it was a bot creating this."

The posts were written with poor grammar and broken English and some were vulgar and nonsensical. It is possible, though, that Symantec could have inadvertently deleted some legitimate posts while it was purging the spam, Kyle said.

"There is no conspiracy theory. There's nothing we are hiding at all," Kyle added.

Meanwhile, Kyle said he isn't sure whether or when Symantec will redistribute the patch, but if they do, he said, it will be signed.

Symantec has more information on its message board site. The Washington Post reported that hackers were exploiting the situation and had managed to get malicious Web sites into top Google search results for "pifts.exe."

Updated 2:45 p.m. PDT with link to forum site and explanation, Washington Post reporting that hackers created malicious related sites that appear in Google search.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by Mr. Dee March 10, 2009 1:22 PM PDT
I don't use their retail products, Symantec EndPoint all the way, works really great.
by roland827 March 10, 2009 1:34 PM PDT
Ever since they have been churning out bloated Norton Products, I've avoided everything Symantec... Even in some apps like Adobe Flash, they piggyback themselves as Norton Security Scan, defaulting the checkbox, forcing their install to unwary people who just want to play Flash movies or games... unknowingly installing another "antivirus tool" even though they already have one....

Removing the Norton Security Scan would sometimes be impossible unless you download a utility from Symantec's site!!! They're slowly becoming the evil that they are supposed to get rid of!

If you do a search on Norton Security Scan, you will find lots of people asking why it showed up on their desktops without their knowledge and how to uninstall...
by HardwareGeeks March 10, 2009 2:06 PM PDT
Roland, try their 2009 product line. Installs in less than a minute, uses less resources than AVG or AVast from my experience and uninstalls quickly as well.
by TheReaperD March 10, 2009 5:18 PM PDT
@HardwareGeeks: With all due respect... NO! After Symantec's record of buying companies and running them into the ground with shoddy, badly written programs, horrible out-sourced support and overpriced products, I refuse to give them another dollar of my money. And with how insidious their recent releases of security products have been, requiring removal with third party tools to have any hope of completely removing them from your computer, I refuse to even install a test version of their software, assuming they offer one.

I'm sorry but they have screwed up too badly. They have damaged my trust beyond repair. I refuse to let any Symantec product anywhere near my computers again.
by wiredmonkey March 10, 2009 2:32 PM PDT
"The company was not censoring the posts, but fighting off a spam attack, according to Kyle. "
"It is possible, though, that Symantec could have inadvertently deleted some legitimate posts while it was purging the spam, Kyle said."

That's a load of crap. They were deleting legit posts on the issue long before the spamming started. Tech support wasn't doing anything to help either.
by Angmarr March 10, 2009 2:36 PM PDT
this is why you should use AVAST!!!

Had no Problems so far ... and AVG has issues ... so avast all the way!
http://download.cnet.com/Avast-Home-Edition/3000-2239_4-10019223.html?tag=mncol;pop
by thenet411 March 10, 2009 2:46 PM PDT
Symantec just sealed their fate. The blatant LIE that is "The company was not censoring the posts, but fighting off a spam attack, according to Kyle." is much, much more damaging than the screw up on their part. Has history taught them nothing? Lying about a screw up after the fact is a one way ticket to the digital scrap heap. See ya, Symantec.
by elllroy March 10, 2009 3:46 PM PDT
it amazes me every day that a whole billion dollar business has been created on the flaws of one single product. how people and especially businesses can use windows is beyond me. they are losing millions of dollars every day on worms and viruses and on top they have to be paying these guys to get at least some kind of protection. amazing.

mac os x: 8 years and counting, zero viruses.

life is short, get a mac!
by thenet411 March 10, 2009 4:01 PM PDT
Your comment is as retarded as your facts. There have been a number of viruses written for the Mac platform. In fact, the very first virus on record was for an Apple computer. NO platform is safe from viruses. It just so happens that Macs have so little market share that it is a simple matter of economics. More targets really does equal more success.

Having said that, Symantec never really figured out how to make software. Every single product they have ever produced themselves has been a bloated POS. Their programmers never had any concept of memory or resource management. I used to use their corporate AV package in large networks but Endpoint put an "endpoint" to that practice. Products like Backup Exec or Ghost began life as excellent pieces of software until Symantec got a hold of them and destroyed them with bloat and handicaps. Very sad really. I hope to see Symantec die very soon.
by Jelly Baby March 10, 2009 4:27 PM PDT
I suspect the virus writers think you have enough of a problem already....
by elllroy March 11, 2009 5:42 AM PDT
@ thenet411

there are NO, i repeat it NO, ZERO viruses for Mac OS X. there have been viruses for the Mac. But that has been with the old Mac OS 7.x/8.x. that system was replaced with a modern, unix-system called Mac OS X eight years ago. since then no viruses. and don't you think there should be at least some if not at least ONE virus for Mac OS X, even though it has that little marketshare? imagine the press coverage alone for the first to write the FIRST virus for the mac-platform. well, nothing. eight years and waiting.

oh, and thank you for calling me retarded, you seem to be a really nice guy.
by SeizeCTRL March 10, 2009 4:00 PM PDT
So why does it call home to a server in Africa? Why were they deleting EVERY post on their forums that mentioned it? No one in tech support could answer any questions about it and their only solution was for them to connect remotely to your computer to investigate.

It was VERY fishy how they handled this. I will be dropping Symantec AV Corp / Endpoint this June. I have no intentions of renewing with them now.
by SeizeCTRL March 10, 2009 4:06 PM PDT
LMAO - there was no bot. It was a group effort from 4chan and other sites! The Washington Post and Symantec apparently are idiots. This was all over 4chan, AboveTopSecret, ZoneAlarm and many other forums calling for an assault on the Norton forums for answers.

When Norton/Symantec began deleting every instance of the word pifts, that only added fuel to the fire that this was a cover up, and therefore more people got on board to post and troll until they eventually shut their boards down.

The other Google connection is that pifts seems to look to see if you have anything from Google installed in program files... as well as looking at a ton of other DLLs.
by gggg sssss March 11, 2009 3:13 PM PDT
@LMAO that is really disturbing and a complete breach of trust. If you are right Symantec is unauthorizedly accessing your computer - as badly as any trojan or rootkit. It is none of their business anonymous or not. And if they claim that it is in the EULA, then that is even worse.

I am about to re-sign for a year of corporate AV. Need to get the Symantec droid's answer on this first
by Jelly Baby March 10, 2009 4:25 PM PDT
Why oh why would anyone let any Symantec product anywhere near their PC?

Come back Peter.......
by luc_vdv March 11, 2009 4:02 AM PDT
What I find more disturbing than the fact that someone forgot to sign the file, is WHAT the patch was supposed to do. That's pure spyware, not a "trouble shooter" for your AV protection.

Even more disturbing: I refuse to believe that the information it was allegedly collecting isn't something they already receive every time a computer connects to check for updates.
To me, it smells more like smuggling in something to hunt for illegal copies, somewhat like Microsoft's Genuine Advantage "tool".

And if the statement about its purpose was a lie, guess how much you can believe of the word "anonymous". Where did it phone home to - Africa, someone said? Could that be somewhere where privacy laws don't count for much?
by Sausagebiscuit March 11, 2009 4:14 AM PDT
I believe, that it is actually "PIFTS.exe" according to 'teh intarwebz'.

http://en.wikipedia.org/wiki/PIFTS.exe
by yetijones March 12, 2009 1:51 PM PDT
Absolutely incorrect information from them! Dozens of legitimate questions about this unsigned update were deleted within minutes from Norton's forums, mine included. They even banned other users' accounts after further attempts to understand what was going on. The spamming started roughly three hours after the initial questions (questions at about 4:30, spamming at about 7:30). Norton failed to respond to calls in a sensible fashion, constantly redirecting PAYING customers back and forth in a menagerie of phone calls, until frustration broke everyone's patience. The real craziness ensued when Norton finally RE-OPENED their forums for public use and then they received nearly 37,000 posts, last time I checked anyways.