Norton users raise concern over Pifts executable file

Internet users have raised concern on the Twitter site after permission was sought to allow an executable file to be downloaded.

Graham Cluley, senior technology consultant at Sophos, alerted Twitter users to the concern, claiming that there was ‘lots of internet babble and conspiracy theories around Symantec and a file called PIFTS.exe'.

He claimed that users of Symantec's Norton anti-virus products began to see firewall alerts asking them if they wanted to trust the program, and that ‘panic' grew as reports came in that questions posted on Norton's community forum about PIFTS were being deleted without answer. 

A report on the Slashdot website claimed that on Monday evening, on systems with Norton Internet Protection running, users began to see a popup warning about the executable file trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder, and there were several posts about this to the Norton customer forums asking for help or information on this mysterious program.

The poster claimed that there was an initial thread that received several thousand views and several pages of replies in a few short hours before being deleted, while several subsequent posts to the Norton forum were deleted much more quickly.

Swa Frantzen, an incident handler with the SANS Internet Storm Center, claimed that PIFTS.exe appears to be related to a Norton update since it has a component in it that leverages the user's internet connection to contact a web page at norton.com, which is owned and operated by Symantec.

Cluley claimed that some affected users have submitted the file in question to services like VirusTotal, with results showing that no anti-virus products appear to be classifying it as malware.

Cluley said: “The file appears to be entirely non-malicious, and related to Norton's security product. It's build date of Thursday March 5th, suggests it has only just been created. PIFTS attempts to connect to a webserver (stats.norton.com), passing information such as product name, version number and a series of other non-obvious parameters.

“The file PIFTS.exe is about 100k in size, so it would take some time to analyse in detail. However, we feel fairly comfortable in debunking the internet rumours claiming that PIFTS might be a rootkit or government-sponsored backdoor to spy on the masses. We think it's more likely that Symantec's programmers simply forgot to properly tag the file as having permissions to perform its functions.”

He further claimed that a private communication from a Symantec employee reassured him that the problem was more likely to be an error by one of their staff than a sinister plot against its users.

See original article on scmagazineuk.com