RealTime IT News

Symantec Gets to Root of Rootkit Controversy

Symantec, a leading provider of antivirus and computer security products, said it has addressed a controversy over whether its own software provided a hiding place for Trojans and other security breaches.

The problem relates to the protected recycle bin in Symantec's Norton SystemWorks program. "Basically, it stores deleted files in a hidden directory," Vincent Weafer, senior director of Symantec's security response group, told internetnews.com. "It's old technology designed for a different era, like Windows 95 and 98."

For example, Weafer said that theoretically a Trojan could be placed in the hidden directory unknown to the user and not be identified by some types of security scanning software.

Symantec has made a Web site with the patch available, and users of its Live Update feature will receive it automatically. "It's a simple, surgical fix that disables the hidden feature," said Weafer.

Symantec claims it has not heard of anyone being affected by the hidden directory, and Weafer said the danger of it being exploited is "pretty low." But, because there was a potential danger, a fix was issued.

"In general terms, most scanning software should see everything that's in there, but users should also have the ability to see what's in there directly so that's why we made this change," he said.

When the hidden directory issue recently surfaced, some press coverage compared it to the rootkit and digital rights management controversy Sony ignited with its music CDs. Sony recently recalled the CDs, which scanned customer PCs for music-ripping activities.

Weafer said there are broad interpretations of what a rootkit is, and, while he personally did not think Symantec's software qualified, he respects the reasoning of the people making that claim. Symantec has posted its own definition.

Symantec also addressed the issue in a statement, which said in part: "The Norton Protected Recycle Bin functions differently than a rootkit. For example, the Norton Protected Recycle Bin is detectable on a user’s machine, documented for customers, gives end users a choice as to whether to enable or disable the feature, and most all antivirus products will scan and detect any malicious code that could potentially be stored in it upon attempted execution."

Weafer said Symantec is working with industry groups to try to narrow the definition or scope of how the term rootkit is used. As for the hidden directory, or Nprotect directory as Symantec calls it, the update and patch make it visible inside the Windows Recycler directory.