Symantec creates havoc with unsigned Norton patch

Mysterious Norton patch triggers firewall alerts and sends users flocking to forums where Symantec finds itself fending off a spam attack.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

March 10, 2009 3:17 p.m. PT

2 min read

Symantec released a diagnostic patch for some of its older Norton products on Monday night that did not identify its origin and thus triggered alerts on user firewalls, the company said Tuesday.

The patch for 2006 and 2007 versions of Norton Internet Security and Norton Antivirus, a program dubbed "PFST.exe," (Product Information Framework Trouble Shooter) was distributed to collect anonymous statistics on matters such as how many computers are using the products and what operating system they are running, Jeff Kyle, group product manager for Symantec consumer products, said Tuesday.

Because it was unsigned--a result of human error--firewalls started prompting users with messages asking them if they trust the patch, Kyle said. Of course, because the patch had no signature indicating it was from Symantec, users didn't know whether to trust it and many of them went to the Norton user forum for answers.

The company pulled the patch after three hours and then unwittingly laid the groundwork for conspiracy theorists after it started deleting forum posts related to the matter. The company was not censoring the posts, but fighting off a spam attack, according to Kyle.

"At the same time we were pulling down the patch a spammer created a new account on our forum and minutes after that there were 200 new users all targeting the same thread," he said. "Within the first hour there were like 600 posts to that thread. Obviously it was a bot creating this."

The posts were written with poor grammar and broken English and some were vulgar and nonsensical. It is possible, though, that Symantec could have inadvertently deleted some legitimate posts while it was purging the spam, Kyle said.

"There is no conspiracy theory. There's nothing we are hiding at all," Kyle added.

Meanwhile, Kyle said he isn't sure whether or when Symantec will redistribute the patch, but if they do, he said, it will be signed.

Symantec has more information on its message board site. The Washington Post reported that hackers were exploiting the situation and had managed to get malicious Web sites into top Google search results for "pifts.exe."

Updated 2:45 p.m. PDT with link to forum site and explanation, Washington Post reporting that hackers created malicious related sites that appear in Google search.