Originally posted by LooseLipsSinkShips
Does this only affect new installs or isn't something Norton automatically searches for (during updates) and downloads to your PC? Do all norton users have this file or just certain people?
Originally posted by MoonMine
29 pages and no one bothers to disassemble pifts.exe..
I was sent a rar file with the original patch files, started looking and found the thread on ATS imagine that... Comes around...
Full disassembly uploaded here
www.megaupload.com...
In human terms
I am PIFTS.exe
Start
what type of version of Symantec products are you running?
are you running any Product Information Framework (P.I.F.) software?
really? Then please tell me what version..
O, it is version as described by 60333AE5-B66E-4994-B15C-CA2D665CDC89.
Well in that case I have to inform you that I have some new code for you, here you go.
And in all cases, I am making sure that I write my stats back to the norton server, may I please do that?
Y/N
Sorry, I have to ask, but someone who wrote me forgot to sign me, so I am visibly annoying you with a question, causing 38.000 posts on the Norton Community forum, and giving a bad rep to antivirus engineers everywhere.
SWC00413C48_Software_Symantec_InstalledApps:
unicode 'Software\Symantec\InstalledApps',0000h
SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
unicode '\PIF\[B8E1DD85-8582-4c61-B58F-2F227FCA9A08]',0000h
SWC00413CE0_Norton_Internet_Security:
unicode 'Norton Internet Security',0000h
Align 4
SWC00413D14__s_NisProd_dll:
unicode '%s\NisProd.dll',0000h
Align 4
SWC00413D34__d__d__d__d:
unicode '%d.%d.%d.%d',0000h
L00413D4C:
db 4Eh; 'N'
db 00h;
db 41h; 'A'
db 00h;
db 56h; 'V'
db 00h;
db 00h;
db 00h;
SWC00413D54__s_NavUI_dll:
unicode '%s\NavUI.dll',0000h
Align 4
SWC00413D70__s_NavProd_dll:
unicode '%s\NavProd.dll',0000h
Align 4
SWC00413D90_Norton_SystemWorks:
unicode 'Norton SystemWorks',0000h
Align 4
SWC00413DB8__s_NSWAlert_dll:
unicode '%s\NSWAlert.dll',0000h
SWC00413DD8__s_NSWCfg_dll:
unicode '%s\NSWCfg.dll',0000h
SWC00413DF4_Norton_360:
unicode 'Norton 360',0000h
Align 4
SWC00413E0C_N360:
unicode 'N360',0000h
Align 4
SWC00413E18__s_NTPAlert_dll:
unicode '%s\NTPAlert.dll',0000h
L00413E38:
db 4Eh; 'N'
db 00h;
db 50h; 'P'
db 00h;
db 50h; 'P'
db 00h;
db 00h;
db 00h;
SWC00413E40__s_NCOAlert_dll:
unicode '%s\NCOAlert.dll',0000h
L00413E60:
db 2Dh; '-'
db 00h;
db 31h; '1'
db 00h;
db 00h;
db 00h;
db 00h;
db 00h;
SWC00413E68_Version:
unicode 'Version',0000h
SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665:
unicode '[60333AE5-B66E-4994-B15C-CA2D665CDC89]',0000h
Align 4
SWC00413EC8_systemState:
unicode 'systemState',0000h
SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_:
unicode 'SOFTWARE\Symantec\PIF\[B8E1DD85-8582-4c61-B58F-2F227FCA9A08]\PifEngine',0000h
Align 4
Symantec is telling the truth, period.
MoonMine out
PIFTS.EXE and User Information Disclosure and System Changes

There are numerous reports claiming that PIFTS.EXE collects and submits user data, specifically reading of IE browser cookies, and claims that PIFTS.EXE makes system modifications, specifically changes IE settings, and further reports that these claims are substantiated by automated analysis systems.

PIFTS.EXE uses the Microsoft Windows InternetOpenURL() API to submit the collected PIF state to Symantec. The InternetOpenURL() API internally reads various system configuration settings, including Microsoft Internet Explorer settings and files, and can also result in changes to the IE cache and temporary files folders. PIFTS.EXE does not directly read any user data, PIFTS.EXE does not directly make any system changes, and PIFTS.EXE does not transmit any user data to Symantec.

To demonstrate the InternetOpenURL() API behavior, I created a small application called TestPIFTS.EXE. This is a Windows application, written in C++, and compiled using Visual C++ 9.0 SP1. The application does nothing more than open a URL on the Symantec web server. The full source code and binary is available for download, here is a summary:

    szAgent = _T("TestPIFTS");
    szURL = _T("http://www.symantec.com/index.jsp");
    hInternet = InternetOpen(szAgent, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    hURL = InternetOpenUrl(hInternet, szURL, NULL, 0, 0, 0);
    InternetCloseHandle(hURL);
    InternetCloseHandle(hInternet);

To analyze the TestPIFTS.EXE behavior you may use a variety of forensic and troubleshooting tools, including the Microsoft Process Monitor utility used to observe system modifications, and the Microsoft Network Monitor utility used to observe network communications. Using Process Monitor you will notice that TestPIFTS.EXE reads lots of registry keys, reads lots of files, and makes some changes to the IE cache and temporary files folder. Using Network Monitor you will notice that TestPIFTS.EXE generates a HTTP GET request to the www.symantec.com server. All the system and network activity is a result of using the InternetOpenURL() Windows API.

Some of the reports substantiate their claims based on the automated analysis of PIFTS.EXE by the Anubis server. For comparison, I submitted the harmless TestPIFTS.EXE binary to the Anubis server for comparative analysis. The Anubis analysis of PIFTS.EXE and TestPIFTS.EXE (the application that does nothing more than open a URL on the Symantec web server) produces the same results, including the modification to the system. Yet, the TestPIFTS.EXE source code clearly shows no system modification or data collection is taking place. I could also not reproduce the Anubis system registry modification results using Process Monitor. PIFTS.EXE does not directly read any user data, PIFTS.EXE does not directly make any system changes, and PIFTS.EXE does not transmit any user data to Symantec.

Here are the reports for PIFTS.EXE and TestPIFTS.EXE:
anubis.iseclab.org...
anubis.iseclab.org...
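The statement above argues that the registry and file activity Anubis flagged is the normal footprint of InternetOpen/InternetOpenUrl rather than spying. The following is an added example (not from the thread, not Symantec's TestPIFTS code) of how a reviewer can triage a Process Monitor export along those lines: events on the Symantec product keys from the string table are labelled as product checks, IE-settings reads and cache/cookie-folder housekeeping are labelled as the WinINet baseline, and everything else is left for a human to look at. The baseline prefix lists are an assumption (illustrative, not exhaustive), and the event lines are constructed for the example.

```python
from collections import Counter

# Keys PIFTS.EXE queries, taken from the disassembly string table in the thread.
PRODUCT_PREFIXES = (
    "hklm\\software\\symantec\\installedapps",
    "hklm\\software\\symantec\\pif\\",
)
# What WinINet reads on the caller's behalf (IE settings) and where it writes
# (cache, cookies, history). Assumption: illustrative list, not exhaustive.
WININET_READ_PREFIXES = (
    "hkcu\\software\\microsoft\\windows\\currentversion\\internet settings",
    "hklm\\software\\microsoft\\windows\\currentversion\\internet settings",
    "hkcu\\software\\microsoft\\internet explorer",
)
WININET_DIRS = ("\\temporary internet files\\", "\\cookies\\", "\\history\\")
WRITE_OPS = {"regsetvalue", "regcreatekey", "regdeletevalue", "writefile",
             "setdispositioninformationfile", "setrenameinformationfile"}

def classify(event):
    """event is 'Process Name,Operation,Path' as Process Monitor exports it."""
    _proc, op, path = (f.strip() for f in event.split(",", 2))
    op, p = op.lower(), path.lower()
    if p.startswith(PRODUCT_PREFIXES):
        return "product"            # version/installed-app lookups seen in the disassembly
    is_write = op in WRITE_OPS
    in_wininet_dir = any(d in p for d in WININET_DIRS)
    if not is_write and (p.startswith(WININET_READ_PREFIXES) or in_wininet_dir):
        return "baseline"           # IE settings / cache reads done inside InternetOpenUrl
    if is_write and not op.startswith("reg") and in_wininet_dir:
        return "baseline"           # cache/temp file housekeeping done by WinINet
    return "review"                 # registry writes and anything outside the baseline

def triage(events):
    """Return (counts per class, the events that still need a human look)."""
    counts, review = Counter(), []
    for ev in events:
        cls = classify(ev)
        counts[cls] += 1
        if cls == "review":
            review.append(ev)
    return counts, review

# Constructed sample export (XP-era paths), not a real capture.
SAMPLE_EVENTS = [
    r"PIFTS.EXE,RegOpenKey,HKLM\SOFTWARE\Symantec\InstalledApps",
    r"PIFTS.EXE,RegQueryValue,HKLM\SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine\Version",
    r"PIFTS.EXE,RegQueryValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable",
    r"PIFTS.EXE,ReadFile,C:\Documents and Settings\alice\Cookies\index.dat",
    r"PIFTS.EXE,WriteFile,C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\Content.IE5\index.dat",
    r"PIFTS.EXE,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass",
    r"PIFTS.EXE,ReadFile,C:\Documents and Settings\alice\My Documents\passwords.txt",
]

if __name__ == "__main__":
    counts, review = triage(SAMPLE_EVENTS)
    print(dict(counts))
    for ev in review:
        print("REVIEW:", ev)
```

On the constructed sample only the registry write and the read outside the IE folders are reported for review; the rest is the footprint the statement describes.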
Originally posted by wiredamerican
I think I have got a hint by somebody doing some digging. Here is a statement about what he is speculating. It is Spying on its users! I have a feeling they are deleting the posts in the norton message board because their terms of service probably forgot to include about the spying part.
Originally posted by Did you see them
Note the use of the word "directly"
int __cdecl fetch_url(LPCWSTR lpszUrl)
{
  HINTERNET hInet; // eax@1
  int err; // esi@1
  DWORD err2; // esi@4

  err = 0;
  hInet = InternetOpenW(&szAgent, 0, 0, 0, 0);
  if ( !hInet || !InternetOpenUrlW(hInet, lpszUrl, 0, 0xFFFFFFFFu, 0, 0) )
  {
    if ( (signed int)GetLastError()
Originally posted by RFBurns
...Obviously you need some networking classes.
The hardware I sit behind is quite effective, customizable and has worked for my purposes for over 10 years. Now I have never had ANY virus attacks, or attempts to get into my networks since installing this system, and it seems to work extremely well.
The two routers, the industrial ones, are not your typical off the shelf wal mart made in china POS's. These are Cisco routers
and I control those in real time on separate pc's running nothing but their control software.
The other 3 are typical off the shelf routers to which each are in fact both firewalls and router combinations.
Then there is of course the OS firewalls...useless IMO.
Anyway what works for me is working just fine. And has been for 10 years. Obviously I am doing something right..and everyone else is not with all this cry wolf over some file getting into their systems.
Originally posted by baahl
...An ethereal trace showing exactly what it is being sent to their server would be a good step in proving or debunking that it is doing something nefarious.
...