Symantec Denies Using Rootkit In Software - InformationWeek
03:45 PM

Symantec Denies Using Rootkit In Software

Symantec disputes the claim by researchers who said it was using a rootkit to hide files from users.

Symantec on Thursday disputed the claim by researchers who said it was using a rootkit to hide files from users.

The fracas stems from a long-standing practice in Symantec's Norton SystemWorks suite to cloak a special directory. The SystemWorks feature -- which harks back to SystemWorks' predecessor, Norton Utilities, a popular utility collection of the early- and mid-1990s -- is dubbed "Norton Protected Recycle Bin" and provides a way for users to retrieve files dropped into the regular Windows Recycle Bin.

Researchers from Helsinki-based F-Secure as well as Mark Russinovich of Sysinternals (and Sony rootkit fame) discovered that the invisible NProtect directory could be a hiding place for malware.

Symantec acknowledged as much in a security advisory published on its Web site this week. "Files in the directory might not be scanned during scheduled or manual virus scans," the alert read. "This could potentially provide a location for an attacker to hide a malicious file on a computer."

The Cupertino, Calif.-based security company pushed out a fix via its LiveUpdate service to SystemWorks 2005 and 2006 customers that same day. The update unveils the NProtect directory to Windows.

"The folder was hidden because when the feature was created, hiding the files made sure users weren't confused," said Vincent Weafer, the senior director of Symantec's security response group. The fear then, he added, was that users might accidentally delete the protected files if they came across them in Explorer.

"It was designed for a different era," Weafer said. "With threats increasingly resorting to stealth, we decided it's a greater risk to hide the directory than to open it."

Now that the directory is visible to Windows, on-demand anti-virus scans, including those by Symantec's own Norton Anti-Virus line, can look inside the folder to sniff through files. Previously, the only protection was provided by anti-virus on-access scanners which scan files as they hit the machine's memory.

What really griped Symantec, though, wasn't the necessary change to SystemWorks, but the "rootkit" label some, including Russinovich, have slapped on the technique of hiding the NProtect directory.

"It's a hidden folder, not a rootkit," said Weafer. "Mark has a very broad definition of rootkit. This is not a rootkit. Rootkits completely lack notification when they're installed, they can't be uninstalled -- while this feature can be uninstalled at any time -- and they cloak a broad range of content. This hides just one directory."

F-Secure, which originally brought the matter up with Symantec, seemingly agreed…to a point.

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll