Symantec explains PIFTS and debunks conspiracy theories (Update)

by Steve Ragan - Mar 10 2009, 20:25

Earlier this morning there was a good bit of rumor circulating about PIFTS.exe and Symantec (Product Information Framework Trouble Shooter). As it turns out, the removal of posts on the Norton Community Forums and the alerts from Symantec products sent conspiracy theorists into overdrive, while at the same time frustrating legitimate customers.

Symantec explains PIFTS and debunks conspiracy theories.(IMG:Symantec)

Symantec spoke to The Tech Herald this afternoon and explained its side of the story. For now, you can remove the tinfoil hats. Big Brother, in this case, is not watching you. So what is PIFTS.exe and why was it blocked? According to Dave Cole, Senior Director of Product Management at Symantec, it's not all it's cracked up to be.PIFTS is: “Not nearly as exciting as it’s been made out to be. [It’s] a diagnostic patch that we put out for the older products,” he said. “We use it for things like determining product state and the advance of migration... like determining how many active customers there are on 2006 and 2007 products, which is who this issue affected. It was restricted to people who [use Symantec’s] 2006 or 2007 products, and who downloaded patch within a three hour period last night, [between] 4:30 – 7:40 PM PST.“What happened here with PIFTS was we simply forgot to sign it as being from Symantec as is the normal process, which is extremely rare. It was simply human error not to sign it before they put the update out. They pulled [the patch] pretty fast once the mistake was caught, but not before customers with older products got a hold of it, and started seeing the confusing messages from the Firewall,” Cole explained.PIFTS is not solely used for migration, Cole added, it does call back to Symantec with basic information about older products. The Firewall alerts were essentially saying, “Unsigned, unknown application here, what do you want to do with it?”When it comes to the censorship issue, Cole explained that Symantec's policy is not to delete. “If we see a negative comment about Symantec or Norton, as long as it is within the fair use policy, nothing offensive in it, they aren’t things we remove,” he said. “What happened is around the same time we were taking the patch off, a spammer got a hold of it and started spamming it. They created hundreds of new user accounts and [started] spamming the forum. The only reason we deleted these, was because they were not being used by the community, they were being used by a spammer.”The spammer was not a single person. Norton’s Community Forums were raided by 4Chan, from the online Anonymous community at 4chan.org. Once the raid from 4Chan started, anyone wanting legitimate information from the Norton Community Forums was out of luck. Cole said that, at one point, there were 200 new accounts created and they were used to create 600 replies to a thread in the Norton Community Forums. Acting to remove the Spam, Cole added that it is possible the legitimate accounts were caught in the crossfire, and he holds out hope that those posts can be restored.“We deleted everything that was offensive or Spam and so forth... Having said that, I don’t have a lot more details, we’re still in the process of getting more information and getting our post up with an explanation. My sense is that, all the PIFTS posts will be lost, but it would be great if we can restore the good ones. We’re still sorting thought that now.”For the record:PIFTS.exe is used as a tool by Symantec to help with migrations and provide statistical data on how many active users are utilising older version of various products. Symantec uses various tools for this; PIFTS is just one of them.The alerts were mostly on older products, since the Firewalls on them are not as advanced as the current Symantec versions. If they were, they would have known PIFTS was a trusted file. Because PIFTS.exe was unsigned, the Firewalls triggered alerts and asked for permission. This is what they are supposed to do, and the error is that someone forgot to sign the patch.The moderators on the forum, reacting to the wave of Spam, removed every comment related to PIFTS. This was perhaps the wrong thing for them to do, but it was a self preservation action, not one of censorship for the sake of a cover-up. Symantec is working on more information and will release that soon. (Update: Just minutes after this article went live, Symantec posted an official statement and opened a section of the forums for PIFTS-related topics. You can view that here.)On a related note, there are several sites showing up in Google taking advantage of the PIFTS issue. These sites are leading to Malware and rogue AV applications. If you are searching for related information, do not download any tools that will remove PIFTS, and there is no need for new AV tools such as XP AntiVirus 2009.

Comment on this Story

Interested in a more interactive TTH? Join our Facebook Group
Want regular updates from The Tech Herald? Follow us on Twitter

Comment on this Story

Note our older Talkback system is still running below. We hope to import existing comments into the new system shortly. Guest posting is still allowed, however, you can now login with any number of social network accounts.

Talkback

Add your comment (no registration required)

page: 1 2

AnonymousMar 10th, 2009 - 21:12:53

If it is a legitimate patch, then why:

1) The file itself is designed specifically to send usage history (In the form of Internet Explorer history files, Temporary Internet Files, and Google Desktop information) to 2 private servers: One owned by Microsoft and the other owned by a Washington-based corporation known as 'SwapDrive'. This in and of itself is a breach of our privacy and should be explained immediately.

2) An inconsistency I noticed with the .exe in question was the fact that it has a very curious amount of padding. Padding is often used in cracking and hacking to force an .exe file to match the expected size of the program. However, why would you need any kind of padding in an official .exe from Symantec? Also, there's a lot of nonsense strings in the file; anything from the days of the week to the alphabet. Which tells me you're using even MORE padding.

Report this comment

SteveR - TTHMar 10th, 2009 - 21:16:05

@Anon
SwapDrive = Symantec

As for the other, ask on their forum and see what they say. They haven't responded to questions about that which were sent over and posted to the forums before. Perhaps they were caught in the backlash and removed.

Report this comment

AV-userMar 10th, 2009 - 21:33:43

Symantec's explanation sounds reasonable. They have just holes in their programming standard, which created the problem in the first place, and poor information policy, which allowed the problem to become a large PR-fiasco.

However, not everybody will be as willing to accept Symantec's explanation. This PIFTS.exe is nasty piece of code. It can collect information and send it out, it can recode other programs and it has capacity to be reprogrammed remotely. You have to take Symantec's word that these capabilities were intended to the purpose Symantec is telling us. I believe Symantec, because the whole thing was so badly implemented that I cannot believe that the purpose was to build a spy platform for a sinister purpose.

Regards, 'A user who lost a lot of time in this farce'

Report this comment

anonymousMar 10th, 2009 - 21:57:35

Then why the takedowns at digg and google?

We have gone from denial mode to plausible deniability mode. Someone who actually knows how to handle situations like this and is aware of the Streisand effect has taken over. We won't get any more intel out of them trying to hide things and will have to dig in with what we have got.

Report this comment

m0r1artyMar 10th, 2009 - 22:55:42

It was noted across many reputable blogs and websites that PIFTS.EXE threads on Norton's forums were removed prior to the patch being pulled or the spam raid on their support forums.

It has even been suggested that the spam raid was incited by the lack of information about the PIFTS.exe file in the first instance.

Adding to the fact that the questions regarding the file were pulled that the file itself scans internet history, cookies and Google Desktop and sends what it finds to 2 servers in Washington (67.134.208.160/n/ being one of them), why DIGG, Google and Yahoo! Answers all altered their usual parsing of the information and you have enough smoke to start the pitchfork crew yelling and claiming conspiracy. NOt to mention that it appeared in 'newer' versions than this article claims.

A direct answer explaining what the file does would certainly restore my faith in the company - which in turn may help shape what information I give out to others regarding it's security usage.

Report this comment

cyberbianMar 11th, 2009 - 00:30:11

So 4Chan discovered Pifts in the 3 hour window of opportunity and spammed Symantec's message boards with messages referenceing it?

That is extremely hard to swallow.

Symantec would have been much better off saying someone made a bad judgement call and violated policy by deleting posts.

Are they such bad developers that a single message from a unique IP gets you banned during a flood from some other IP.

No matter how you spin this they are a candidate for the Electrolux big suction award.

Report this comment

AmbroseMar 11th, 2009 - 00:52:50

They actually expect us to believe this? They scapegoat anonymous, give a vague explanation of the program, and everyone buys it? I don't want my history files sent to anyone, especially not the giant corporation that agreed to cripple its own software to assist in the violation of our constitution. Symantec can go to hell.

Report this comment

ergebetMar 11th, 2009 - 02:24:59

It's true, posts were being deleted long before 4chon discovered it. So now anon takes the wrap and symantec walks home freely. What a load of crap.

Report this comment

Another simple user who lost a lot of timeMar 11th, 2009 - 04:03:39

I have been caught the previous night around 7:10pm PST in the melee and have been witnessing first hand how the drama was unfolding. Thus, I take Mr Cole's explanations of his company's handling to be grossly inadequate and deceitful. I have been witnessing myself how whole threads containing mostly legitimate posts by concerned Symantec users have been repeatedly wiped out. That was the only response from the Symantec to the problem that was causing concern possibly to thousands of their customers! Company's employees in charge were acting as if the PIFTS.EXE fiasco caused panic in their ranks.

Symantec's disgraceful handling of what could have been a non-event convinced me to uninstall all Norton-Symantec products from my computer.

Professor Mariusz Wodzicki
Department of Mathematics
University of California
Berkeley

Report this comment

MatMar 11th, 2009 - 12:03:51

Once again Symantec have chosen to not tell the entire truth of what happened on the forums.

There was a fairly long thread, with several dozen replies and thousands of views from customers enquiring why something Symantec had sent them was tripping off security alerts. This was several hours before the spamming started, this post was ignored by Symantec and then deleted, without one abusive, or spam post ever being made. The deletion of this thread was then queried and this thread too was deleted without explanation...

Unfortunately it snowballed from there, Symantec refused to comment and the only feedback customers who were legitimately querying this problem on the forums were getting was that their posts were deleted and they were banned.

Only after a few hours of this did Anonymous get involved. Symantec has consistently failed to mention that it was over 12 hours from the first alert and question to them making any form of statement.

This is atrocious customer service and the heavy handed way they dealt with queries only led to fan the flames of the conspiracy fire.

Symantec made a massive mistake and are doing everything they can to shift the blame from themselves.

I have lost trust in this company, I wonder how many other customers have now decided not to re-new their subscriptions due to this poor customer service.

Report this comment

page: 1 2

Add your comment (no registration required)

Security

Symantec explains PIFTS and debunks conspiracy theories (Update)

Comment on this Story

Talkback

Latest

Latest Articles on Monsters&Critics

In The Tech Herald

Site

The Fine Print