Symantec Gets to Root of Rootkit Controversy

Symantec, a leading provider of antivirus and computer security
products, said it has addressed a controversy over whether its own software
provided a hiding place for Trojans and other security
breaches.

The problem relates to the protected recycle bin in Symantec’s Norton
SystemWorks program. “Basically, it stores deleted files in a hidden
directory,” Vincent Weafer, senior director of Symantec’s security response
group, told internetnews.com. “It’s old technology designed for a
different era, like Windows 95 and 98.”

For example, Weafer
said that theoretically a Trojan could be placed in the hidden directory
unknown to the user and not be identified by some types of security scanning software.

Symantec has made a Web site with the patch available, and users of its Live Update feature will receive it automatically. “It’s a simple, surgical fix that disables the
hidden feature,” said Weafer.

Symantec claims it has not heard of anyone being affected by the hidden
directory, and Weafer said the danger of it being exploited is “pretty low.”
But, because there was a potential danger, a fix was issued.

“In general terms, most scanning software should see everything that’s in
there, but users should also have the ability to see what’s in there
directly so that’s why we made this change,” he said.

When the hidden directory issue recently surfaced, some press coverage
compared it to the rootkit and digital rights management
controversy Sony
ignited
with its music CDs. Sony recently recalled the CDs, which scanned
customer PCs for music-ripping activities.

Weafer said there are broad interpretations of what a rootkit is, and,
while he personally did not think Symantec’s software qualified, he respects
the reasoning of the people making that claim. Symantec has posted its own
definition.

Symantec also addressed the issue in a statement, which said in part:
“The Norton Protected Recycle Bin functions differently than a rootkit. For
example, the Norton Protected Recycle Bin is detectable on a user’s machine,
documented for customers, gives end users a choice as to whether to enable
or disable the feature, and most all antivirus products will scan and detect
any malicious code that could potentially be stored in it upon attempted
execution.”

Weafer said Symantec is working with industry groups to try and narrow
the definition or scope of how the term rootkit is used. As for the hidden,
or Nprotect directory, as Symantec calls it, the update and patch makes it
visible inside the Windows Recycler directory.

News Around the Web