Pifts.exe?

Well, it hasn't appeared to have reache NBR yet, but here's something very interesting that cropped up while I was on 4chan... (I'd post the 4chan link but it's already down - reached max number of bumps)

http://it.slashdot.org/article.pl?sid=09/03/10/139229

http://answers.yahoo.com/question/index?qid=20090310003235AA44yBp

http://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html

http://digg.com/software/What_is_PIFTS_and_why_is_Symantec_covering_it_up

http://www.tech-linkblog.com/2009/03/conspiracy-theories-run-rampant-due-to-piftsexe.html/

http://blogs.howstuffworks.com/2009/03/10/what-is-piftsexe/

http://www.theinquirer.net/inquirer/news/353/1051353/african-executable-raises-symantec-hackles

And as you'll read, Norton are killing any thread which mentions pifts.exe and even though the digg article has over 240 diggs it's not on the main site and searching for it yields no results. Also, pifts isn't showing up on Google's hot trends anymore (top 100 most searched for terms) even though a few hours ago it was nr. 6...

NOT ONLY THAT. I just rechecked SYMC on google finance, they used to link the the news articles related to pifts to the graph, now they've completely disappeared...

Man I wish I had a screenshot of that, I have the Inquirer and Washington Post screenshots though.

Sounds like a coverup, but for what?

 

I've read about it on several sites/fora, it's an enigmatic mystery, cloaked and covered in clouds...
According to some user posts, PIFTS.exe connects to stats.norton.com.
If you check the IP several users reported, it connects to SWAPDRIVE, a company that provided online backup services. ( link to Wilders forum)
They have been bought by Symantec last year.
(According to a post on TechCrunch, Symantec uses/used SWAPDRIVE to provide " the 2GB free backup that is included with every copy of Norton 360". link).

Symantec has indeed been very, very busy in removing every thread and post about this issue on their Community forum.
What Pifts.exe actually reports to Symantec is the big question indeed.
Especially if you don't use any online backup service/Norton 360.
To be continued I guess.

 

This is fishy to say the least.

 

To all.
Please be carefull when googling for PIFTS.exe.
Malware writers are well aware of the current interest in this issue and some webpages "about" PIFTS.exe will actually download a trojan to your computer, so be a bit carefull.
SANS Internet Storm Center link.
Cheers.

 

correct and they have been VERY quickly removing any threads on their forums. well time to move on for me. this is getting out of hand. either back ti kis2009 or ill start trialing again

 

their statement:

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119

 

Dave Cole, senior director of product management at Symantec, said the PIFTS file was part of a "diagnostics patch" shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to hep determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.
"We have to make sure before we migrate users to a new product that we can see what kind of load we can expect on our servers, and which customers are going to have to be moved up to the latest version of our product," Cole said.
As to why Symantec has been deleting posts about this from their user forum, Cole said the company noticed that minutes after the update went out hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.
"We want to be out there in the community, but by the same token, if we see abuse we will shut it down pretty quickly," Cole said. "There was no attempt at secrecy here, but people were spamming the forum and making it unusable to everyone."

 

hate it when immature morons ruin things for others

 

i am still 100000% uncomfortable with this whole thing. this ask.com thing first then the support issue now this. nortons failed big time on this one. i have so many customers using nis2009 and now i feel so bad for even recc it to them.

 

yeah i just recently bought NIS2009

i was thinking it would be worth it to pay for NIS over using Avira Free

 

i personally want to buy avira suite but imo its way to pricey. 130$ for 3 pc's is expensive imo. i get my nis2009 lic for free lol.. now i know why

 

After how terrible Symantec products have been the past few years, I LAUGH at all of you who were using NIS 2009 to begin with.

That said, I'm excited to see where this goes.

 

OK, it looks like this is the deal with Pifts.. human error and Norton released an unsigned patch: http://news.cnet.com/8301-1009_3-10192899-83.html

 

think so ^^^ see here:

http://anubis.iseclab.org/?action=result&task_id=19d7659347c3ebcd4a5ba7e9faa60fa14&format=html

 

PIFTS.exe or Product Information Framework Troubleshooter

This entry was created to answer the following key questions around PIFTS.exe:

- What is PIFTS.exe?
- What is the function of PIFTS.exe?
- What information does PIFTS.exe collect?

Norton security products contain a component called Product Information Framework (PIF), and a feature called LiveUpdate Notice (LUN).

LUN is an in-product messaging mechanism that is used to notify customers when new product versions are available. The messaging is targeted to particular systems based on product version, operating system version, and product state, and this state is determined by the PIF component.

For instance, LUN was used to notify users when a Vista compatible version of their product became available, and LUN will again be used to notify users when a Windows 7 compatible version of their product becomes available.

LUN is fully integrated into 2008 and later products, but is a standalone component in 2006 and 2007 products. LUN became available after the 2006 and 2007 products shipped, and was added to the 2006 and 2007 products using LiveUpdate (LU).

Symantec is aware of a problem affecting some 2006 and 2007 products where a subsequent PIF update did not successfully apply. The cause of this problem is currently under investigation, but the result is that these users may not receive appropriate LUN messaging.

To assist with identifying the extent, and potential cause, of the problem, Symantec created an investigative executable that analyzes the Norton product state, and reports the details to Symantec. This information will help Symantec to identify and correct the problem with PIF, in time for the Windows 7 release.

Product Information Framework Troubleshooter (PIFTS) executable details:

File name: PIFTS.EXE
File size: 102400 bytes
MD5 hash: 91b564d825a3487ae5b5fafe57260810

The PIFTS.EXE binary was released through LiveUpdate targeting 2006 and 2007 products. After downloading the LU package, LU executes PIFTS.EXE, and PIFTS.EXE collects product state information, and reports this information to Symantec.

PIFTS.EXE does the following:

- Determines what product is installed, NIS, NAV, N360, NCO, or NSW, by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of the installed product by looking at the file version information of a key product file.
- Determines if PIF is installed by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of PIF by looking at the file version information of two key PIF files.
- Determines if PIF is enabled, and what the PIF state is, by looking at the PIF registry under HKLM\Software\Symantec.
- Determines the version of PIF that LiveUpdate believes is installed, by reading the LU catalog.
- The collected information, as described above, is reported to a Symantec server, called stats.norton.com, using an HTTP GET request. This server is located at a Symantec datacenter located on the East Coast of the United States.

No additional information is collected, no personal information is collected, and no system modifications are made.

 

Complete and utter BS.

By the time I heard of the news it was around 7 hours in, and people were posting perfectly legitimate posts about it and then subsequently seeing them deleted and even banned from the Symantec forums. The reason people started spamming was BECAUSE Symantec had started to squelch the legitimate, the spam attack started about 8-10hours during which there was a period where Symantec were lagging badly. I hope that this wasn't some conspiracy and the reports of info being sent to an african IP are wrong but it is now March 11th, news of this started cropping up on the 9th, this is a major PR blunder and I believe that Norton has lost any trust it had from the "neutrals", of course this gave more fodder for the fanboys...

 

I agree. Very sad they decided to spoil what seemed to be, for the first time, a great product.

Don't kick yourself. You meant well. It is Norton which messed things up. You had the best of intentions given your experiences at the time.

 

Ironically, this week, I had decided...maybe...to give NIS 2009 a shot as my year with ESET was getting ready to expire.

Glad I read this forum!

 

at this time they are no longer sending out this patch. but who knows when they will start again and it then is a signed file and no one knows