Symantec on Thursday disputed the claim by researchers who said it was using a rootkit to hide files from users.
The fracas stems from a long-standing practice in Symantec's Norton SystemWorks suite to cloak a special directory. The SystemWorks feature -- which harks back to SystemWorks' predecessor, Norton Utilities, a popular utility collection of the early- and mid-1990s -- is dubbed "Norton Protected Recycle Bin" and provides a way for users to retrieve files dropped into the regular Windows Recycle Bin.
Researchers from Helsinki-based F-Secure as well as Mark Russinovich of Sysinternals (and Sony rootkit fame) discovered that the invisible NProtect directory could be a hiding place for malware.
Symantec acknowledged as much in a security advisory published on its Web site this week. "Files in the directory might not be scanned during scheduled or manual virus scans," the alert read. "This could potentially provide a location for an attacker to hide a malicious file on a computer."
The Cupertino, Calif.-based security company pushed out a fix via its LiveUpdate service to SystemWorks 2005 and 2006 customers that same day. The update unveils the NProtect directory to Windows.
"The folder was hidden because when the feature was created, hiding the files made sure users weren't confused," said Vincent Weafer, the senior director of Symantec's security response group. The fear then, he added, was that users might accidentally delete the protected files if they came across them in Explorer.
"It was designed for a different era," Weafer said. "With threats increasingly resorting to stealth, we decided it's a greater risk to hide the directory than to open it."
Now that the directory is visible to Windows, on-demand anti-virus scans, including those by Symantec's own Norton Anti-Virus line, can look inside the folder to sniff through files. Previously, the only protection was provided by anti-virus on-access scanners which scan files as they hit the machine's memory.
What really griped Symantec, though, wasn't the necessary change to SystemWorks, but the "rootkit" label some, including Russinovich, have slapped on the technique of hiding the NProtect directory.
"It's a hidden folder, not a rootkit," said Weafer. "Mark has a very broad definition of rootkit. This is not a rootkit. Rootkits completely lack notification when they're installed, they can't be uninstalled -- while this feature can be uninstalled at any time -- and they cloak a broad range of content. This hides just one directory."
F-Secure, which originally brought the matter up with Symantec, seemingly agreed…to a point.
"We want to be clear on this: what Symantec was doing here was not nearly as bad as what Sony was doing with their rootkit," wrote Mikko Hypponen, director of anti-virus research, on the company's blog. The Finnish security company's BlackLight rootkit detection program noticed the Symantec practice last March.
In the next breath, though, Hypponen equated Symantec and Sony on a technical level. "The main difference between the Symantec rootkit and Sony rootkit is not technical," he wrote. "It's ideological. Symantec's rootkit is part of a documented, useful feature; it could be turned on or off and it could easily be uninstalled by the user. Unlike Sony's rootkit."
The confusion over what is -- and isn't -- a rootkit, added Weafer, has driven Symantec to open talks with other security vendors and groups, including CERT and IT-ISAC (Information Technology Information Sharing and Analysis Center, to create a universal definition.
"This is similar to where we were last year with 'spyware,'" said Weafer. "Since then, vendors have done a good job of neutralizing emotional arguments about what is or isn't spyware."
Nevertheless, Weafer said he agreed with Russinovich that given the increasing stealth of malware there are fewer reasons now to hide files or folders. "We'll all have to ask ourselves, 'do we really want to use this?'" he said.
Russinovich was not immediately available for comment; he has promised elsewhere, however, that he will update his blog later Thursday to include his findings on Symantec's cloaking, and perhaps other commercial developers as well.