The mystery of Symantec and PIFTS.EXE

PIFTS being blocked by ZoneAlarm
The internet is full of babble today – and a fair amount of conspiracy theories – after users of Symantec’s Norton anti-virus products began to see firewall alerts asking them if they wanted to trust a program called PIFTS.EXE.

Hundreds of users of sites like Twitter and Slashdot posted their concerns about the file, and support forums like that belonging to firewall vendor ZoneAlarm filled up with reports of users’ latest experiences.

And I think it would be fair to say that panic grew and conspiracy theories fermented as some users reported disgruntlement with Symantec’s response to the issue.

Some claimed that when they had tried to post questions on Norton’s online community forum about PIFTS they were deleted without answer.

Missing messages on Norton forum

But, as an aside, it was fascinating to see how quickly the news spread via sites like Twitter as regular users and security analysts shared links and information with each other:

Twitter users panic over PIFTS

Anyway, some affected users have submitted the file in question to services like VirusTotal – and sure enough no anti-virus products appear to be classifying it as malware.

The file appears to be entirely non-malicious, and related to Norton’s security product. It’s build date of Thursday March 5th, suggests it has only just been created.

PIFTS attempts to connect to a webserver (, passing information such as installed product information, version number, and a series of other non-obvious parameters. Some of this information it extracts from the Windows registry.

The file PIFTS.EXE is about 100k in size, so it would take some time to analyse in detail. However, we feel fairly comfortable in debunking the internet rumours claiming that PIFTS might be a rootkit or government-sponsored backdoor to spy on the masses. We think it’s more likely that Symantec’s programmers simply forgot to properly tag the file as having permissions to perform its functions.

Indeed, a private communication from a Symantec employee reassured us that the problem was more likely to be an error by one of their staff than a sinister plot against its users. We understand that an official statement from Symantec will be available soon.

Our guess is that PIFTS is some kind of feedback component designed to gather statistics about Symantec’s products, or an auto-update component.

If we find out any more we’ll let you know.

Update: Please be very careful if searching the internet for information about PIFTS.EXE. As we explain, malware authors are jumping on the PIFTS bandwagon by poisoning search engine results.

Update 2: Here’s that long-awaited statement from Symantec.

* Image source of ZoneAlarm alert: