Symantec disputes the claim by researchers who said it was using a rootkit to hide files from users.
Symantec on Thursday disputed the claim by researchers who said it was using a rootkit to hide files from users.
The fracas stems from a long-standing practice in Symantec's Norton SystemWorks suite to cloak a special directory. The SystemWorks feature -- which harks back to SystemWorks' predecessor, Norton Utilities, a popular utility collection of the early- and mid-1990s -- is dubbed "Norton Protected Recycle Bin" and provides a way for users to retrieve files dropped into the regular Windows Recycle Bin.
Researchers from Helsinki-based F-Secure as well as Mark Russinovich of Sysinternals (and Sony rootkit fame) discovered that the invisible NProtect directory could be a hiding place for malware.
Symantec acknowledged as much in a security advisory published on its Web site this week. "Files in the directory might not be scanned during scheduled or manual virus scans," the alert read. "This could potentially provide a location for an attacker to hide a malicious file on a computer."
The Cupertino, Calif.-based security company pushed out a fix via its LiveUpdate service to SystemWorks 2005 and 2006 customers that same day. The update makes the NProtect directory visible to Windows.
"The folder was hidden because when the feature was created, hiding the files made sure users weren't confused," said Vincent Weafer, the senior director of Symantec's security response group. The fear then, he added, was that users might accidentally delete the protected files if they came across them in Explorer.
"It was designed for a different era," Weafer said. "With threats increasingly resorting to stealth, we decided it's a greater risk to hide the directory than to open it."
Now that the directory is visible to Windows, on-demand anti-virus scans, including those by Symantec's own Norton AntiVirus line, can look inside the folder and inspect its files. Previously, the only protection came from on-access scanners, which check a file at the moment it is opened or executed rather than by walking the directory tree.
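To make the distinction concrete, the following is an added example (not code from Symantec, F-Secure or Sysinternals) that simulates the situation described above on a throwaway directory tree. A plain Python filter over os.listdir() stands in for the kernel filter driver that hid NProtect; the directory and file names and the "signature" bytes are constructed for the demo. It shows that an on-demand scanner walking the tree through the cloaked listing never reaches the file, that an on-access check on the file's path still sees it, and that a cross-view diff (comparing the API-level listing with the raw one, the approach Sysinternals' RootkitRevealer popularised) flags the hidden directory.

```python
"""Why a directory cloaked from the file-system API escapes on-demand scanning,
and how a cross-view diff exposes it. Added example, not Symantec's code; the
cloak is a plain filter over os.listdir() standing in for a filter driver."""
import os
import tempfile

CLOAKED_NAMES = {"NProtect"}            # directory hidden from enumeration (demo)
SIGNATURE = b"DEMO-MALWARE-MARKER"      # constructed marker, not a real AV signature
FLAGGED_REL = "NProtect/dropper.exe"    # where the demo hides the flagged file


def raw_listdir(path):
    """Ground truth: what is actually on disk."""
    return sorted(os.listdir(path))


def cloaked_listdir(path):
    """What a scanner sees through the filtered API: cloaked names vanish."""
    return [n for n in raw_listdir(path) if n not in CLOAKED_NAMES]


def on_demand_scan(root, listdir):
    """Walk the tree with the given listing function and return relative paths
    (forward-slash separated) of files containing SIGNATURE. A file under a
    cloaked directory is unreachable: the walk never learns the directory exists."""
    hits = []
    stack = [root]
    while stack:
        d = stack.pop()
        for name in listdir(d):
            p = os.path.join(d, name)
            if os.path.isdir(p):
                stack.append(p)
            else:
                with open(p, "rb") as fh:
                    if SIGNATURE in fh.read():
                        hits.append(os.path.relpath(p, root).replace(os.sep, "/"))
    return sorted(hits)


def on_access_check(path):
    """On-access scanning inspects a file when something opens it, by path or
    handle, so hiding the directory from enumeration does not help here."""
    with open(path, "rb") as fh:
        return SIGNATURE in fh.read()


def cross_view_diff(root):
    """Report names present in the raw listing but absent from the API-level
    listing: the classic hidden-object detection check."""
    hidden = []
    stack = [root]
    while stack:
        d = stack.pop()
        api_view = set(cloaked_listdir(d))
        for name in raw_listdir(d):
            p = os.path.join(d, name)
            if name not in api_view:
                hidden.append(os.path.relpath(p, root).replace(os.sep, "/"))
            if os.path.isdir(p):
                stack.append(p)
    return sorted(hidden)


def build_demo_tree():
    """Construct a temporary tree: one harmless file plus a flagged file
    tucked inside the cloaked NProtect directory. Returns the root path."""
    root = tempfile.mkdtemp(prefix="cloakdemo_")
    os.makedirs(os.path.join(root, "NProtect"))
    with open(os.path.join(root, "report.txt"), "wb") as fh:
        fh.write(b"quarterly numbers")
    with open(os.path.join(root, "NProtect", "dropper.exe"), "wb") as fh:
        fh.write(b"MZ..." + SIGNATURE)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("on-demand scan via cloaked API:", on_demand_scan(root, cloaked_listdir))
    print("on-demand scan via raw listing:", on_demand_scan(root, raw_listdir))
    print("on-access check of hidden file:", on_access_check(root + "/" + FLAGGED_REL))
    print("cross-view diff:", cross_view_diff(root))
```

The first scan returns nothing, the second finds the flagged file, and the diff names NProtect: the same three observations the article makes about the hidden folder, the LiveUpdate fix, and why researchers reached for rootkit-detection tooling.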
What really irked Symantec, though, wasn't the necessary change to SystemWorks, but the "rootkit" label some, including Russinovich, have attached to the technique of hiding the NProtect directory.
"It's a hidden folder, not a rootkit," said Weafer. "Mark has a very broad definition of rootkit. This is not a rootkit. Rootkits completely lack notification when they're installed, they can't be uninstalled -- while this feature can be uninstalled at any time -- and they cloak a broad range of content. This hides just one directory."
F-Secure, which originally brought the matter up with Symantec, seemingly agreed, to a point.