What’s Wrong With Symantec? [UPDATED]
There seems to be something up with Symantec lately, as they’ve been in the news for all the wrong reasons over the last week. There are two stories that I’ll use as examples of this. The first details accusations by PC Magazine that Symantec support has “gone rogue”:
For my evaluation and review of Norton 360, I installed the product on a dozen malware-infested systems. Most installed and ran flawlessly, but one system had a blue-screen crash during installation. On restart the Norton 360 installer gathered and analyzed error logs, then offered a link to support. I was impressed—most products don’t have such resilient installers. I followed the link and initiated a conversation with chat support agent Mohanakrishnan (at least he didn’t claim his name was Bob).
Mohanakrishnan asked some questions and (with my permission) took a remote-control tour of the system. He pointed out one blatant malware symptom: a big screen from a rogue antispyware program claiming it had found terrible problems and offering to fix them, for a price. He escalated me to another support agent in the Virus Removal Department, after verifying that I had a valid registration key. Sorry, if you get stuck during a trial installation, chat support is not available.
Prajith, the second agent, asked a lot of questions about my online activities but didn’t bother to remote-control the system. He suggested I “remove the infection immediately.” I pointed out that was my intention—I’m trying to install Norton 360 so it can remove the infection. He continued that “expert consultants will do a complete diagnosis of your system, and troubleshoot any malware present on your computer.” Only after I agreed did he add that this is a for-pay service and ask if it would still be OK. He didn’t state the price, but later research revealed that it would have been $99.95 to get this $79.99 product installed.
Naturally I said no, I already have a license for the software, I just want to install it. He declared that I had only bought “the software, updates to the software and for the virus definitions,” not a guarantee that the software would install. I asked repeatedly for a solution other than paying extra but never got anything resembling an answer. Eventually, I ended the chat, carefully saving the transcript and a screen-capture movie I had made of the entire interchange.
When he shared his experience with Symantec, they responded with this:
Symantec confirms that the chat agent’s behavior was incorrect. “The support agent should have directed you to the free Norton Recovery Tool as a first step. It was an error on his part.” The company went on to say “We have shared this situation with executives on our support team, and we will ensure all customers are informed of these free options [Norton Recovery Tool and Norton User Forums] with regard to virus removal.” To prevent such errors in the future, the team is “increasing agent training and creating stricter instructions for agents to better communicate free malware removal options.”
Okay. That sounds fair, but the story doesn’t end there:
As it turns out, the story doesn’t end here. The Norton 360 installer still wouldn’t complete its job. On every reboot, the app went through its whole rigmarole again, collecting and analyzing log files and sending me to tech support. It wouldn’t complete the process and I couldn’t uninstall the incomplete program. Once again, I followed the links to chat-based tech support.
Murugash, the chat agent, remote-controlled the system and verified that the Norton 360 installation was stuck. No problem. He downloaded the Symantec Norton Removal Tool (SYMNRT) to my test system. This is Symantec’s answer to uninstallation problems that were common with older program versions. It removes all trace of all Symantec products. After running it he offered to “run a scan from the Norton security scan” to make sure all threats are gone. I asked if this is necessary, given that I’ve already scanned the system with the bootable Norton Recovery Tool. He said “it is a deep scan just from a online Norton program,” so I let him do it.
To my surprise, he downloaded and ran the free Malwarebytes’ Anti-Malware utility. This is, of course, not a Norton program by any stretch of the imagination. It did find a few traces of various threats left behind when the CD-based scan wiped out the executable parts. Now, don’t get me wrong. I have no grudge against tech support using free tools from other sources for cleanup. It’s a fairly common practice. I just resent it when they pass those tools off as their own.
Charming. When the author went back to Symantec, this was their response:
I went back to Symantec for an explanation of this misrepresentation. They said “We escalated the matter to our Support team and they are highly concerned that an agent used a non-Symantec solution to scan/clean your system. As you would expect, Symantec has its own products and internal tools at its agents’ disposal and it is proper protocol to use these tools when helping customers. Please be assured that the actions of this agent are not typical and are being immediately addressed.”
This by itself isn’t enough for me to write about this in my blog. But this discussion on Slashdot caught my attention. Here’s the crib notes version:
“[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available.”
From my perspective, an application that exists in a folder not accessible by the underlying operating system is a rootkit. Since rootkits are evil, this makes whatever this is evil. The fact that Symantec also seems to be zapping any discussion of this issue makes it look like Symantec has something to hide. Also, by zapping these discussions, Symantec has just become a victim of the Streisand Effect.
Sucks to be them.
As I write this, Symantec has nothing to say, which further enhances the impression that they have something to hide.
A long time ago I used to recommend Norton products. Peter Norton had a good name in the industry and you could trust his stuff. Symantec bought him out in 1990, but the products were still good. But in or around 2002 / 03 things started to go south for them IMHO. For example, with some of their products you needed to use a special tool to remove their stuff in case they failed to operate properly or uninstall properly. That didn’t impress me. Plus their stuff seemed to be bloated (translation: it sucked so many resources that it slowed down your computer). Now I’m hearing about stuff like the above which makes me think twice about recommending them to customers, never mind using their stuff myself.
To be fair, their latest stuff seems to be better as it seems to be much less bloated and their detection rates are much better. But is it too little too late for them? I say that because even with all the positive press they’ve been getting lately (like this and this), I’m not sure that I could trust them enough to try their products again. Perhaps given time that might change. But if you factor in stories like the ones I’ve mentioned, they clearly aren’t helping their own cause in terms of improving their image.
UPDATE: Symantec has finally said something about that PIFTS.exe file. This is all a “misunderstanding” according to Symantec, and they go about telling their side of the story.
March 12, 2009 at 12:27 pm
[…] about the problem and Symantec’s coverup including CrunchGear (Digg), the Telegraph and many blogs and even ranked highly in Google Trends for a […]