Symantec, Kaspersky Criticized for Cloaking Software

I found this to be interesting, considering how reticent Symantec was to add rootkit unhider abilities to the Norton family...

http://www.eweek.com/article2/0,1895,1910077,00.asp

While it's with Systemworks and not the standalone AV, I know many people who pay the small increase and buy the whole suite over just the AV. Against my recommendation, of course...

 

Re: Symantec caught using rootkits...

It's an old story, known issue really ... it's how they hide the deleted files from the recylce bin ... as an extra protection feature.

 

Re: Symantec caught using rootkits...

I think Steve Gibson also mentioned that KAV uses rootkits too (or that was at least the result shown by rootkit revealer).

 

Re: Symantec caught using rootkits...

No, it uses ADS (if you don't deselect it) which is a hidden Windows feature and has nothing to do with rootkits.

 

Hot off the press:
http://www.pcworld.com/resource/article/0,aid,124365,pg,1,RSS,RSS,00.asp

This is going to be an interesting debate. Mark's definition of rootkit is probably anything that tries to hide things from being seen in Windows. Both Symantec and Kaspersky of course did not like his choice of using the term rootkit as they feel that a 'rootkit' is something with a malicious intent. Don even tried to defend Kaspersky when I briefly mentioned it here:
https://www.wilderssecurity.com/showthread.php?t=115371

Symantec has released a patch while Kaspersky says its an option.

So I think the interesting question is what would you define as a rootkit? Should rootkit be only associated with stuff with 'malicious intent'? Or should it be used to ddescribe any 'hidden feature'?

 

Yeah but Norton also gives you the option to select which components of Norton you would like to install too. You could have easily unselected the revelant Norton component. Trouble is when user buy these products, they want the feature. A normal user isn't going to know whether Norton or KAV was going to use 'stealth' technology in certain component of their products. KAV's and Norton's installer did not put a warning saying that "This feature comes with stealth protection or rootkit etc." Should these companies have even used it to begin with.

 

Why on earth should they display a warning saying "This feature comes with stealth protection or rootkit etc." when no stealth protection or rootkit is used?

The alternate data streams that Kav uses to store info in has nothing to do with a rootkit, it is folders to store info.

I do agree they should have been better at informing users about this though, much FUD could have avoided.

 

Hi. I am a late arrival here.

Redirected from: https://www.wilderssecurity.com/showthread.php?t=115574

It seems that NProtect folder on my machine is not stealthed. So I suppose that earlier versions of the Protectect Recycle Bin are not affected as Symantec claims.

 

The official response from Kaspersky:http://www.kaspersky.com/news?id=177718126.

 

I have no doubts about the skills of Mr. Russinovich, but this time he is exaggerate the rootkit-issue.

He claims the technique used by Kaspersky Anti-Virus has to be consider equal to 'rootkit' technology.

IMHO an ridiculous and foolish statement.

 

Interesting article by Euguene Kaspersky. From the PCWorld's article, it seems that Kaspersky Labs has the ability to release a patch to uncloak the ADS data without affecting ADS according to their spokesperson.

However I felt Euguene may be jumping the gun, he quoted Mark saying the technology is not as dangerous as Sony's, and therefore is not a danger at all. I have seen a country's police advertisement warnining citizen's to be vigilant by telling them that "low crime does not mean no crime". To me it felt like Euguene's interpretation of Mark's statement was "low crime means no crime".

I think Mark is probably now trying to find a way to find a way to exploit the data. It may be possible, it may be not. Remember that not all softwares are hack-proof. Thats why I always urge people to upgrade to the latest security product as soon as possible.

 

Hi, Peter2150

Very true.

If anybody is that worried over ADS['s] all they have to do is use a FAT file system, in place of their NTFS file system.

Take Care,
TheQuest

 

It's not a patch, you have the option to remove them (ADS) when you uninstall Kav 5.0.

I can't see how you interpret it that way when there is no crime at all, the essence of his message to Kaspersky users alarmed by this silly use of the rootkit term for the NTFS Alternate Data Streams is this:

We believe that this technology is not a rootkit and we do not believe hackers and/or malware can exploit it because:

1. If a KAV product is active, the streams are hidden and no processes (including system) have access to them.

2. If the product is disabled, the streams will be visible if viewed using the appropriate tools (standard for working with NTFS streams)

3. If a stream is re-written with some (possibly malicious) data or code (for example after rebooting in Safe Mode), when the system is next re-started, KAV will read the stream and not recognize the format. KAV will then begin to rebuild the checksum database - thus it will destroy the alien code/data.

 

I think the best way is for Kaspersky to release their version 6.0(which is actually pretty good) as soon as possible and encourage all their users to upgrade. Then you will give Mark less chance of criticising Kaspersky (he'd be mostly only able to criticise about business practice). Remember that this issue is not only security-related but also whether is it right for any piece of software to use cloaking technology without properly informing the user(was brought to me by jlobster who commented on Eugune's statement). When I installed KAV 5.0, I don't recall the installer telling users that ADS data will be stealthed. See those comments to the articlethat I read on Eugune's disary:
http://www.viruslist.com/en/weblog?discuss=177727537

Hopefully the KAV 6 launch won't get too delayed.

 

This does seem a bit rediculous. I can understand if NAV's hidden recycle bin poses a security threat, but the hidden recycle bin itself is nothing that they should be criticized for, it's doing what it advertises. As for KAV using ADS streams, that's no secret, and it's no malicious trick.. ADS streams are a known and documented feature. Anyone that has the inclination can find them for themselves, and disable the feature if desired. Mr. Russinovich (who I otherwise hold in the highest regard) isn't doing anyone any favors here, IMO.

 

Agree with notok

The Norton protected files can be deleted from within the program: Not hidden function for deleting. Just doing as advertised and possibly a useful feature for many users. Whether the NPfiles can be exploited??, that could represent a threat. Considering the numbres of NAV/NSW users an exploit would have fronted by now dont you think? (now this has been publicised there are certainly coders trying)

I am not familiar with KAV ADS feature. If it is a recognised useful component from a trusted vendor, what is the problem? If it can be disabled, WITP?

Reminds me of the recent WMF exploit: when Ilfak Gulianov provided his patch and Secunia asked us to "trust us" we were ready to believe.

Not withstanding possible exploits or personal likes/dislikes re software, do we have reason NOT to trust Norton or Kaspersky?

The word ROOTKIT is assuming strange malevolence. There are good and bad rootkit applications. Likely we will allow beneficial rootkits on our systems if provided by trusted vendors for specific purposes in the near future.

Selah.

 

F-Secure's view on "Cloaking without malicious intent":

here