Suicide by Root Kit removal
At this point I'm less inclined than ever to suggest that any anti-malware product attempt this removal, since Sony now displays the following on their page regarding uninstalls:
Quote:
November 15th, 2005 - We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.
http://cp.sonybmg.com/xcp/english/form14.html
Only if this new uninstaller doesn't become available in a reasonable time frame (a couple weeks for development and testing) and/or doesn't truly remove the software completely and safely at that point should this be considered.
Until then, only removal of the hidden attribute of the 'Root Kit' technology and blocking of the problematic ActiveX control used with the earlier uninstaller should be considered. In fact, I feel that removing the hidden attribute is itself dangerous, since some users may then attempt to delete the files manually, which is known to be dangerous to the stability of the PC.
In addition, this cooling off period gives Team Spybot time to thoroughly test the detection and removal process on multiple platforms for all variants of the software currently known to exist, if they are indeed working on such a thing at all. If such removal is attempted, the potential for failure and damage to a PC is the responsibility of those removing it, not Sony.
By declaring this DRM package 'malware' some will feel they are justified to remove it, safely or not. Those who do this and fail will find out how quickly the public can turn on them: since the last thing the user did was 'scan and fix' with their program, they won't care what was being removed or what disclaimers the software contains about such possible damage.
Symantec Norton Protected Recycle Bin Exposure
January 10, 2006
Quote:
Norton SystemWorks contains a feature called the Norton Protected Recycle Bin, which resides within the Microsoft Windows Recycler directory. The Norton Protected Recycle Bin includes a directory called NProtect, which is hidden from Windows APIs. Files in the directory might not be scanned during scheduled or manual virus scans. This could potentially provide a location for an attacker to hide a malicious file on a computer.
Symantec has released a product update that will now display the previously hidden NProtect directory in the Windows interface.
http://securityresponse.symantec.com...006.01.10.html
January 12, 2006
Quote:
Symantec just admitted that the "Norton Protected Recycle Bin," or "NProtect" feature of Norton SystemWorks, deliberately conceals a directory from Windows APIs to protect the files from accidental deletion. A commercial security vendor using rootkit technology? Unbelievable. Symantec explained its thinking in a security bulletin. "When NProtect was first released, hiding its contents helped ensure that a user would not accidentally delete the files in the directory. In light of current techniques used by malicious attackers, Symantec has re-evaluated the value of hiding this directory. We have released an update that will make the NProtect directory visible inside the Windows Recycler directory. With this update, files within the NProtect directory will be scanned by scheduled and manual scans as well as by on-access scanners like Auto-Protect."
http://www.computerworld.com/blogs/node/1573