What is going on with Norton's forum?

Discussion in 'other security issues & news' started by Ade 1, Mar 10, 2009.

Thread Status:
Not open for further replies.
  1. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    A bad week to be a Symantec PR Rep.... That's for sure ;)
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Any good PR rep would be jumping up and down screaming "Make a statement!"....and not that pathetic one at SANS.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,252
    Location:
    New England
  4. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,103
    Location:
    on my zx10-r
    so do we believe this or another load of bs??
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,252
    Location:
    New England
    There may be a chicken and the egg situation here regarding the deletion of posts.

    When I first checked that forum, right after Ade 1 started this thread here, there were 3 pages of PIFTS threads in that Norton forum section. That's about 100 threads. Counting replies, there must have been several hundred individual posts. They appeared to have been made by a small number of newly registered members. Many were nonsense... like 100 lines of "PIFTS rules!!" or similar.

    I don't know if they were deleting posts prior to those, but, all of those had to be deleted. It was nothing more than a massive spamming effort, filling pages of the forum with worthless posts. Any forum that gets attacked like that will delete all those posts.

    Now, as to the real PIFTS file issue, your guess is as good as mine.
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It sounds reasonable....now if they would have just spoke up SOONER, then perhaps the spams wouldn't have happened and it wouldn't be all over the internet. One post asking what it was, plus one answer, would have saved this whole mess from occuring, IMHO. So yes, Norton still needs to get over this "bad decisions" spell they have been going through as of late.
     
  7. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Seems fishy to me.
    Released a patch without signing and it connects to the net .... Hmmm...

    First of all, how can a patch at such a large corporation with millions of customer just get pushed without a signature ?? I can understand these things at smaller corps, but with the resource and customer base of Symantec I am sure they test the patch on atleast a couple of systems to check before sending it out. I don't work at a security firm, but in my company any patch going out is tested 3 times: by developer, by integration team and then a professional tester. So its hard for me to think, that something like this just went through.

    Second, why does the *patch* connect to the net ? The LiveUpdate component could have communicated success or failure. So it must have been reporting something else back to Norton. Something that LiveUpdate wasn't programmed to check.

    I can't tell if they are lying. But to me it appears, they are not telling the whole truth.
     
    Last edited: Mar 10, 2009
  8. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    436
    Location:
    The Netherlands
  9. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    I'm not sure what to make of it. It seems fishy.

    This, on top of the ASK/IAC issue, 'rogue support', moderators on the forum removing legitimate questions about PIFTS, then allowing their forum to be spammed, the PIFTS issue. And the 'ASK toolbar', in whatever form annoying customers - see posts elsewhere.

    Can they screw it up even more ?
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Use caution when googling PIFTS.exe. Search results are starting to include links to malware installs. One of the top five links currently leads to Malware Defender 2009...
     

    Attached Files:

  11. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    In the statement linked to by Low Water Mark and the Washington Post, Norton either sent this out in the past couple of days or today. I don't remember which.
    I removed NIS 2009 on the 6th of this month.
    I looked in the registry of my XP Pro after reading these posts and it was there.
    So it was sent out prior to the 6th.
    Somebody just is not playing it straight with the public.
    Hugger
     
  12. Zeena

    Zeena Registered Member

    Joined:
    Apr 25, 2008
    Posts:
    409
    Location:
    UK
    Hi Hugger :)

    Did you read my post on page 1 of this thread?
    https://www.wilderssecurity.com/showthread.php?t=235642
    How!
    Even though I uninstalled NIS 09 a month ago... I still feel like it's trying to connect to my laptop :(

    I'd Said...
    Well I've Just Looked In My Diary!
    The day my laptop had problems starting up - I Had Noted... Large NIS 09 Update ??
    That was on the 4th of March.
    I had already uninstalled NIS 09 .. 3 weeks earlier :rolleyes:

    Somethin Spooky Goin On o_O
     
  13. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,103
    Location:
    on my zx10-r
    Dave Cole, senior director of product management at Symantec, said the PIFTS file was part of a "diagnostics patch" shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to hep determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.
    "We have to make sure before we migrate users to a new product that we can see what kind of load we can expect on our servers, and which customers are going to have to be moved up to the latest version of our product," Cole said.
    As to why Symantec has been deleting posts about this from their user forum, Cole said the company noticed that minutes after the update went out hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.
    "We want to be out there in the community, but by the same token, if we see abuse we will shut it down pretty quickly," Cole said. "There was no attempt at secrecy here, but people were spamming the forum and making it unusable to everyone."
     
  14. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    HAHAHA, LOL!

    Yeah, I should have screen captured TWO separate posts that I managed to see before they deleted them, about a 30 second lapse on each, that said (paraphrasing): "Can someone please let us know what's going on with this PIFTS.exe file?"

    WOW! Such abusive, threatening and spammacious words!

    :mad:

    I'm running NIS 2009 as primary protection on my family's six machines and will most likely continue to do so, at least for another 188 days. Mistakes happen and it's good they admitted to "human error" but it's really hard to stop laughing when someone does the Ralph Kramden "hah-muh-nuh, hah-muh-nuh, hah-muh-nuh" tap dance!
     
  15. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Top result leads to a fake blog with iframe which redirs to 84.16.243.169 which is hosting some nasties. Packed.tdss.f aka rogues such as av360 et al most likely.
     
  16. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    CCleaner killed Norton for me several times.

    Anyways, I don't see how so many users were affected. The patch was for Norton Internet Security and AntiVirus 2006 through 2007. ...

    I'm still confused about pifts accessing the net. Did Norton IS's firewall issue the warning? Or was it NAV + third-party firewall?
     
  17. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,227
    Location:
    Sydney, Australia
    :rolleyes: Got it.
    Not counting the massive worldwide response to what appears to be is in fact spyware by any definition, overloading of all malware analysis sites, responses froim any serious security companies, worldwide frontpage news cover...
    THEN
    Possibly hundreds of poor suckers getting taken to the malware sites courtesy of Google and fallout from that.

    WOT A COCKUP. :mad:

    At least a seminal lesson in how NOT to do things for any other Security concerns.

    I say again: Symantec has gone beserk
    That's three absolutely monumental egg-face, debacle moments in the last week.
    Who is running the show there ?
    Really, how damaging to anyone who cares
    Spin, spin, spin...

    One benefit, not intended by Symantec no doubt : mountains of free publicity for MBAM :D

    Now lets see what Symantec can come up with next o_O o_O
     
  18. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    I think Symantec's reply is filled with some truth, and some spin.

    It's easy to say, 'we shut the forum down because of the spammers..and see these screenshots', but the spamming might have gone on because legitimate questions were being removed.

    Anyway, the moderators should have posted a 'sticky' at the top of their forum to say, 'xyz file is safe, it is part of an update'.

    The moderators here know how to put these up.
     
  19. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,103
    Location:
    on my zx10-r
  20. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Ok, I may be dumb and not an expert. But I have some obvious questions regarding this statement by Dave Cole.

    How do they determine that a customer will upgrade to Win7 ? As both XP and Vista users will have direct upgrade path, both can/may upgrade to Win7. Even those who are running a Win7 beta partition ( for free now ) may not jump to Win7 when released.

    As per Symantec it seems, someone who may upgrade will have registry key HKEY_CURRENT_CONFIG\Software\Microsoft\windows\win7upgrade set to 1. :cautious:

    Plus if I remember correctly, LiveUpdate records your OS detail so that it can download the correct files/patch/updates for your OS. So why the need for PIFTS.exe ?
    Dave Cole has provided more questions that answer, IMO.
     
  21. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,103
    Location:
    on my zx10-r
    PIFTS.exe or Product Information Framework Troubleshooter

    This entry was created to answer the following key questions around PIFTS.exe:

    - What is PIFTS.exe?
    - What is the function of PIFTS.exe?
    - What information does PIFTS.exe collect?

    Norton security products contain a component called Product Information Framework (PIF), and a feature called LiveUpdate Notice (LUN).

    LUN is an in-product messaging mechanism that is used to notify customers when new product versions are available. The messaging is targeted to particular systems based on product version, operating system version, and product state, and this state is determined by the PIF component.

    For instance, LUN was used to notify users when a Vista compatible version of their product became available, and LUN will again be used to notify users when a Windows 7 compatible version of their product becomes available.

    LUN is fully integrated into 2008 and later products, but is a standalone component in 2006 and 2007 products. LUN became available after the 2006 and 2007 products shipped, and was added to the 2006 and 2007 products using LiveUpdate (LU).

    Symantec is aware of a problem affecting some 2006 and 2007 products where a subsequent PIF update did not successfully apply. The cause of this problem is currently under investigation, but the result is that these users may not receive appropriate LUN messaging.

    To assist with identifying the extent, and potential cause, of the problem, Symantec created an investigative executable that analyzes the Norton product state, and reports the details to Symantec. This information will help Symantec to identify and correct the problem with PIF, in time for the Windows 7 release.

    Product Information Framework Troubleshooter (PIFTS) executable details:

    File name: PIFTS.EXE
    File size: 102400 bytes
    MD5 hash: 91b564d825a3487ae5b5fafe57260810

    The PIFTS.EXE binary was released through LiveUpdate targeting 2006 and 2007 products. After downloading the LU package, LU executes PIFTS.EXE, and PIFTS.EXE collects product state information, and reports this information to Symantec.

    PIFTS.EXE does the following:

    - Determines what product is installed, NIS, NAV, N360, NCO, or NSW, by looking under the HKLM\Software\Symantec\InstalledApps registry key.
    - Determines the version of the installed product by looking at the file version information of a key product file.
    - Determines if PIF is installed by looking under the HKLM\Software\Symantec\InstalledApps registry key.
    - Determines the version of PIF by looking at the file version information of two key PIF files.
    - Determines if PIF is enabled, and what the PIF state is, by looking at the PIF registry under HKLM\Software\Symantec.
    - Determines the version of PIF that LiveUpdate believes is installed, by reading the LU catalog.
    - The collected information, as described above, is reported to a Symantec server, called stats.norton.com, using an HTTP GET request. This server is located at a Symantec datacenter located on the East Coast of the United States.

    No additional information is collected, no personal information is collected, and no system modifications are made.
     
  22. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
  23. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
  24. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,227
    Location:
    Sydney, Australia
    @Zeena re:
    https://www.wilderssecurity.com/showpost.php?p=1421356&postcount=37
    Possibly you are not alone ??
    There are a few posts here and there re previously uninstalled NIS/NAV apps seem to be 'waking up' with the PIFT thingy and updating some files or eeek phoning home & ? transmitting your info to Symantec re your 'uninstalled' status etc etc

    Heh: I suspect those posters are getting a few ..erm..sideways looks ;)
    Even posts relating to uninstalled OEM versions that seem to be activating somehow.

    Either I've got to get a thicker tin hat or ... there have been suggestions that the Symantec apps have not been fully uninstalled.
    ??
     
  25. CountryGuy

    CountryGuy Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    139
    Norton is notorious (particularly with older versions) for leaving things on the desktop - Especially LiveUpdate (gone in 2009). I'd get a copy of the Norton Removal Tool to make sure everything is gone.

    As for the current issue, I've read Symantec's response and official statement on what this app is. It makes sense to me (and jives with what SANS has said). They are running a diagnostic check and sending non-identifying information back to Symantec; I know of plenty of applications that do very similar things.

    Its fact that 4chan attacked their forums, so more than likely they did a full purge, which of course would have taken innocent requests for info with it.

    However, I do wish they would have been more upfront about its inclusion (just like the Ask.com search), and it should have been set up as an opt-in, which is standard for things that send information back.

    I don't think its a good thing how this went down, and I don't agree with these decisions... But I don't think I'm uninstalling now that I have all of the information. Based on reports about the Ask.com thing I was ready to uninstall, then when I found out it was optional and nothing was transmitted to Ask.com I was OK with it. Same here.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.