Rootkits in Commercial Software, Rootkit in Norton SystemWorks?
Andrew
  Posted: Jan 16 2006, 08:21 AM





QUOTE
By now many of you have heard that Symantec released a security advisory last Tuesday that reported its use of rootkit-like cloaking technology in its SystemWorks product. The Symantec use of rootkit-like cloaking raises the question of what exactly defines a “rootkit” and whether or not there is ever a justifiable reason to use cloaking. I’ll first describe Symantec’s cloaking and then I’ll move on to trying to answer these two questions.

SystemWorks includes a feature called Norton Protected Recycle Bin that serves as an extension of the standard Windows Recycle Bin, saving copies of deleted files that the standard Recycle Bin doesn’t capture, such as those deleted by applications. The saved files are stored in a directory named NPROTECT that SystemWorks creates under the standard Windows Recycle Bin directory, RECYCLER, of each volume. Symantec was originally concerned that end-users might stumble across the directory, not realize its purpose, and inadvertently permanently delete the backups of their already deleted files. The cloaking therefore uses a file system filter driver to mask the presence of the NPROTECT directories from Windows directory enumeration APIs...

I'm getting tired of Symantec Products and don't think I will be recommending or using any in the future.
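
A cross-view check for the cloaking described in the quoted article, as an added example that is not part of the original post or the article: it flags a directory that opens by its full path but is missing from its parent's listing. It assumes the filter masks only enumeration, so a direct open by name still succeeds; the function names and the simulated lister are constructed for illustration.

```python
import os
import tempfile

def cloaked_entries(parent, candidates, enumerate_dir=os.listdir):
    """Return candidate names that open by direct path but are missing
    from the directory listing of `parent` (a cross-view mismatch)."""
    try:
        listed = {name.upper() for name in enumerate_dir(parent)}
    except OSError:
        return []          # parent missing or unreadable: nothing to compare
    hidden = []
    for name in candidates:
        path = os.path.join(parent, name)
        # Assumption: os.stat resolves the path by name and does not
        # depend on enumeration, so a masked directory still answers.
        try:
            os.stat(path)
        except OSError:
            continue       # not present by either view
        if name.upper() not in listed:
            hidden.append(name)
    return hidden

def scan_volumes(roots, recycle_dir="RECYCLER", candidates=("NPROTECT",)):
    """Check <root>/RECYCLER on each volume root for masked directories."""
    findings = {}
    for root in roots:
        hits = cloaked_entries(os.path.join(root, recycle_dir), candidates)
        if hits:
            findings[root] = hits
    return findings

def demo():
    """Constructed demonstration: a temp tree plus a lister that drops
    NPROTECT, standing in for the filter driver's masked enumeration."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "RECYCLER", "NPROTECT"))
        os.makedirs(os.path.join(root, "RECYCLER", "S-1-5-21-constructed"))
        parent = os.path.join(root, "RECYCLER")
        masked = lambda p: [n for n in os.listdir(p) if n != "NPROTECT"]
        return (cloaked_entries(parent, ["NPROTECT"], masked),
                cloaked_entries(parent, ["NPROTECT"]))

if __name__ == "__main__":
    print(demo())
```

On a live system, pass the volume roots to `scan_volumes` (for example `["C:\\", "D:\\"]`); an empty result means the two views agree for the names checked.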