Symantec disputes the claim by researchers who said it was using a rootkit to hide files from users.
Symantec on Thursday disputed the claim by researchers who said it was using a rootkit to hide files from users.
The fracas stems from a long-standing practice in Symantec's Norton SystemWorks suite to cloak a special directory. The SystemWorks feature -- which harks back to SystemWorks' predecessor, Norton Utilities, a popular utility collection of the early- and mid-1990s -- is dubbed "Norton Protected Recycle Bin" and provides a way for users to retrieve files dropped into the regular Windows Recycle Bin.
Researchers from Helsinki-based F-Secure as well as Mark Russinovich of Sysinternals (and Sony rootkit fame) discovered that the invisible NProtect directory could be a hiding place for malware.
Symantec acknowledged as much in a security advisory published on its Web site this week. "Files in the directory might not be scanned during scheduled or manual virus scans," the alert read. "This could potentially provide a location for an attacker to hide a malicious file on a computer."
The Cupertino, Calif.-based security company pushed out a fix via its LiveUpdate service to SystemWorks 2005 and 2006 customers that same day. The update unveils the NProtect directory to Windows.
"The folder was hidden because when the feature was created, hiding the files made sure users weren't confused," said Vincent Weafer, the senior director of Symantec's security response group. The fear then, he added, was that users might accidentally delete the protected files if they came across them in Explorer.
"It was designed for a different era," Weafer said. "With threats increasingly resorting to stealth, we decided it's a greater risk to hide the directory than to open it."
Now that the directory is visible to Windows, on-demand anti-virus scans, including those by Symantec's own Norton Anti-Virus line, can look inside the folder to sniff through files. Previously, the only protection was provided by anti-virus on-access scanners which scan files as they hit the machine's memory.
What really griped Symantec, though, wasn't the necessary change to SystemWorks, but the "rootkit" label some, including Russinovich, have slapped on the technique of hiding the NProtect directory.
"It's a hidden folder, not a rootkit," said Weafer. "Mark has a very broad definition of rootkit. This is not a rootkit. Rootkits completely lack notification when they're installed, they can't be uninstalled -- while this feature can be uninstalled at any time -- and they cloak a broad range of content. This hides just one directory."
F-Secure, which originally brought the matter up with Symantec, seemingly agreed…to a point.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.