What is PIFTS.exe?

by Jonathan Strickland

Something strange is going on across the Internet. Some Norton AntiVirus users are receiving pop-up messages alerting them about an application called PIFTS.exe that is trying to connect to a server. But what is PIFTS.exe? Why does it need to access the Internet? What is it trying to access? What connection does it have to Norton (or Symantec, the company that produces Norton-branded products)?

As of right now, we don’t have many answers to these questions. What we do know is that it appears to be linked to a Norton update cycle. Whether Symantec is responsible for the application or not still isn’t known. Nor do we know what the application’s purpose is. All we know is that the application appears to connect the user’s computer to a remote server.

To make matters more confusing, it appears that inquiries posted by Symantec customers to the official Norton forums have been removed. Other online communities like ZoneAlarm’s forum are now hosting discussion threads about PIFTS.exe. Tech-Linkblog has a post about the application that includes screenshots of posts in the Norton forums before they were removed. It looks like no one is quite sure what is going on, but there are several theories being bandied about.

One theory is that PIFTS.exe is part of an automatic update and is nothing to worry about. Another is that Norton has been compromised by malicious hackers. At least one theory is that the application would connect the user’s computer to a server in Africa. With threads disappearing from Norton’s forums, paranoia is understandably running high. Is Norton trying to cover something up? Or is someone else deleting the posts?

It’s possible that the entire debacle is much ado about nothing, but until Symantec addresses the issue in an honest and informative way we’ll probably see dozens of different theories ranging from an honest blunder to malevolent attacks on customers. My advice is to not allow PIFTS access to the Internet and to watch for an official statement from Symantec regarding the problem.

Update: Posts on Norton’s forum referencing PIFTS.exe continue to disappear. This has prompted some users to create new accounts and flood the forums with PIFTS.exe posts. Some users are including references to PIFTS.exe in other threads. A few users are protesting Symantec’s silence on the issue while others just want to raise a ruckus. I’ve sent an inquiry to Symantec to get to the bottom of this. If I hear back I’ll be sure to update this post.

Update 2: According to the Internet Storm Center, a Symantec employee has said that PIFTS.exe is harmless and is part of the Norton update process. I’ve not heard anything back from my own inquiry to Symantec.

Update 3: I have posted a follow-up story with Symantec’s explanation.

Update 4: We received a comment from a Norton Community Forums administrator. You can read the update here.

You might want to read up on the following articles from HowStuffWorks.com — you never know when they’ll come in handy:

How Computer Viruses Work
How Spyware Works
How Zombie Computers Work


36 Comments

  • [...] Hugh Jarss. Read this, What is Pifts.exe. It seems that its linked to Norton. I would try blocking it through the firewall and see if [...]

  • If it was something symantec/norton were willing to talk about, they would have made their users rest assured. But they are covering up instead. The whole forum is down now.

    One common rumour is that it stands for “Personal internet file transfer system” and that it connects/transfers user data to an offshore host, so privacy laws aren’t a problem.

    I agree with one thing though, just block it for now.

  • Beware your government!

  • My Norton granted access last night at 10:40 to this .exe file. My Microsoft Business Manager files were accessed at the same time. I don’t use Microsoft Business Manager, so it wasn’t anything I did.

  • David says:

    This is why I consider Norton malware at best, a virus at worst. I removed it from all my computers and now use another brand.

  • Hi, I was wondering if you could help me with some electrical questions?
    1. How much power does a transformer from 120 to 24V use?
    2. How does a dimmer switch work, and why does it save electricity?
    Looking forward to hearing from you, Klaus.

  • White Hat Hacks says:

    “unknown” (12:34:11 PM): it accesses your IE temporary internet files
    “unknown” (12:34:16 PM): your Browser History
    “unknown” (12:34:19 PM): and google…

    http://www.mediafire.com/?mnmh35b9d0k
    want it? have fun with it? here it is..

  • Doug says:

    There’s one thing I’m reading about PIFTS.EXE on various blogs that isn’t squaring with my own experience. The suggestion is that this was a patch that was downloaded by LiveUpdate on or around March 3.

    The problem is that I got a PIFTS.EXE warning on a machine that isn’t running Norton. On my laptop, McAfee (not Norton) popped up a warning on PIFTS.EXE trying to access the Internet on my PC.

    A little sleuthing showed that the default uninstall of my OEM copy of Norton (which I removed back in December) was incomplete and did not remove certain files, including one that seems to be related to PIFTS.EXE.

    I haven’t had Norton, or LiveUpdate, running on this machine since December. So what caused PIFTS.EXE to suddenly wake up today and try to access the Net? I have no Norton programs installed, but I do find a PIFSvc process running, and a service called “LiveUpdate Notice Ex” showing in task manager as stopped. I’m not familiar with either of these.

    Could LiveUpdate continue running after a default uninstall of the Symantec software?

  • Bill Bodge says:

    I jumped into this mystery early on, when the alert came up on my computer last night and only two or three inquiries about PIFTS.exe had appeared on the Symantec forum. If nothing else this’ll be a textbook model of how rumors and conspiracy theories begin and circulate on the internet.

    Half an hour after my first search, the Africa rumor started with just one fellow claiming that if you dropped some numbers at the end of the destination IP it led to Africa. Someone else (very level headed) noted that the IP was for a US company that Symantec had just purchased. I haven’t encountered that idea again–odd since it seemed promising. Not to sound paranoid but could someone in a recently purchased company use Symantec for their own ends? Seems unlikely, but Symantec’s silence is extraordinary.

    Within an hour or so, the news of this was all over the conspiracy-drenched “Above Top Secret” website, with predictable results. Now some “debunkers” are claiming Symantec’s deleting any reference to PIFTS.exe was just a rumor. Not so, I witnessed the deletions myself, and also the numerous later complaints that anyone who just inquired about it was locked out of the forum. Can’t wait to find out what is going on here.

    • Excellent point, Bill. I agree — if nothing else, this kerfuffle will serve as a great lesson to companies in general. It shows how quickly customer confidence can drain away and how the rumor mill works at light speed on the Internet. Even a token “We are aware of the problem and are investigating it” could go a long way to slow the speculative discussions popping up everywhere.

  • Richard says:

    I watched this happen last night. I have both Norton AV and Zone Alarm, and yes I saw the little Alert pop up. Not recognizing the program, I clicked on the link to properties. Pifts.exe had no (like zero) digital signature. Every Symantec module I’ve ever looked at says it’s from Symantec in some form or another and includes a version number. Pifts had no info whatsoever.

    I opened the folder and right next to Pifts.exe was a file Pifts.dis. I don’t get much understandable info on the .dis extension, so I don’t know what that may have been….my best guess would be an info packet, but don’t quote me on that.

    Mind you, my alert window is still open, and I haven’t done anything yet. I searched my computer for any more Pifts; none. Pifts.exe and the .dis are hanging around waiting for Zone Alarm to let them through. I continue to ponder this. I search Google and wind up at the Symantec forum reading some polite requests for info from Symantec on this file. No response. About a couple thousand hits later of others looking, politeness begins to drift south. It must have been pretty overwhelming for the mods. And I’m still wondering what to do.

    Finally, I click the don’t let this connect EVER check box. I open the task manager and shut the process down. Then a strange thing happens, my search box says the folder where this file is doesn’t exist. Oh, my! So I look for it, because I thought I was seeing it. I know I was seeing it. Nope, it’s gone, it’s all folded up and gone away.

    My curiosity is, if it’s part of their update process, why isn’t it signed?

  • [...] be rapidly deleting any post mentioning the file from their forums. Here are some sample stories: What is PIFTS.exe? from HowStuffWorks. [...]

  • Bill Bodge says:

    I’ve just corresponded with a corporate IT friend who works with Symantec Corporate software. He’s baffled & a bit spooked and says that he can usually get information from Symantec on near any inquiry within two minutes, but not this time.

    The PC I’m currently on was not affected (it has Norton AV), however, a quick check of the logs shows that on the fourth of this month an unauthorized access was blocked by the PC’s Norton AV. The “destination,” oddly, was Norton Internet Security. This is the only time this has ever happened, although Norton will uncomplainingly log an “unauthorized entry” every time Spyware Doctor is used, which makes sense.

  • nix says:

    This program is trying to connect to a site. The big question is: What’s the remote IP address?

    Answering the above question should shed some light on the topic.

  • Adam says:

    The official explanation cites, basically, the internet group Anonymous as the reason for deleting all PIFTS.EXE posts. This is absolutely false, as the Anonymous flood was sparked by Norton’s deletion of PIFTS.EXE threads from its forum.

    The response, along with censorship at Digg, and similar reports to those of Bill Bodge make this entire situation really smell funny.

  • [...] the post on Symantec’s forum can be found here. More to read can also be found at Tkj, TechStuff and PC-feber. A simple search on Google gives quite a few hits for anyone who wants [...]

  • Stan Ting says:

    4chan created a media craze out of nothing. This is all hype with little substance. In fact the majority of his statements don’t even make sense. A good article on what this file is and debunking some of 4chan’s comments can be found here:

    http://www.bleepingcomputer.com/forums/topic210051.html

  • Anonymous says:

    We are anonymous, we are success.

  • Ben says:

    It was clearly witnessed by many people not affiliated with 4chan that these threads were being removed far before 4chan got involved. They are using /b/ raiding them (as a result of the threads being deleted) to play the victim in all of this.

    People witnessed first hand their legitimate questions being removed far before 4chan /b/ got involved. 4chan’s involvement came into play when it was posted that threads regarding PIFTS.exe were being removed by Symantec.

  • Bill Bodge says:

    I just read Symantec’s official explanation(s) of their behavior. What I saw early last night on the forum were a handful of very simple questions, mostly straight-up variants on “What is PIFTS.exe?” Next look, these innocuous comments were deleted. Several more sets of similar postings and deletions later, and a few concerned inquiries about WHY reasonable questions were being deleted, and the “spam” conveniently cropped up. When before has this forum ever been spammed? Regardless, if the forum was being “spammed” why didn’t Symantec just disconnect the forum and post an explanation of any sort? More significantly, why did they give customer service phone callers such a monumental runaround?

    It’s obvious that Symantec is spinning this so it sounds like nothing particularly odd happened (just some bad software writing) and the real culprits were spammers, and people posting dangerous links on the Internet. What broke down here was Symantec’s customer service and possibly some internal communications. An influx of calls to a service center about something customer service was clearly in the dark about should have prompted a supervisor to wake someone up who then could have phoned a software geek who (like any software geek I’ve ever known) could have answered the PIFTS.exe question in his or her sleep. The result should have been Symantec saying “It’s this or that, and it seems to be causing a problem, and we’ll fix it.” I could respect that.

    Now, Internet security isn’t just the public’s personal problem, it’s a national security issue. Not providing advice to customers ASAP on problems like this–stonewalling them even–and failing to provide any explanation for interminable amounts of time (nearly a half day!) is dangerous. Symantec claims one problem was the appearance of malicious sites claiming to have information on PIFTS.exe. If Symantec had quickly provided their customers with information of ANY sort these sites probably wouldn’t have had much success. I notice these bad sites turn up for any computer question anyway so why make a deal about it?

    My plan is to write the Congressman and ask that this be investigated. President Obama is making Internet security an issue, and I think this incident shows how businesses, seemingly eager to protect their own reputations, can easily drop the ball and even turn an anxiety-evoking situation into a minor nightmare.

  • Bill Bodge says:

    A last thing. This is cut and pasted from the Symantec forum page with their explanation of last night’s events:

    “Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.”

    Symantec needs to explain how “What is PIFTS.exe?” is a spam post. If they didn’t know what it was (a likely explanation) THEN they need to explain why information about what the company is doing is not getting to the parts of the company that interface with the public. People who phoned Symantec said the customer service workers had no idea what PIFTS.exe was, and were so nonplussed they were even recommending remote searches by Symantec for viruses and spy-ware.

    Plenty of people out there took snapshots of those legitimate postings before they were deleted as spam.

  • [...] What is PIFTS.exe? Something strange is going on across the Internet. Some Norton AntiVirus users are receiving pop-up messages alerting [...] [...]

  • Lucian Solaris says:

    It’s an intelligence ‘bug’.

  • Deeply embedded operative inside Symantec working for international criminal/terrorist cartel.

  • One other thing that people should be aware of. Be extremely careful if you search the internet for information about PIFTS.EXE

    The reason? Hackers have set up websites which claim to contain information about PIFTS, but are really designed to infect your computer with scareware (fake anti-virus products which try and frighten you into believing you have a security problem with your computer)

    I’ve detailed some cases (with screenshots) of this occurring on my blog at http://www.sophos.com/blogs/gc/g/2009/03/10/malware-authors-jump-piftsexe-bandwagon/

    Cheers
    Graham Cluley, Senior technology consultant, Sophos

  • Bill Bodge says:

    Just drop the conspiracy theories on this one. Anything that was meant to be a “bug” would have been written by professionals and would have had all the proper coding, plus some. You’d never see it. Focus on what really happened, and Symantec’s response to it. Also, what kind of an amateur outfit is Symantec that they’re sending improperly coded material out? This is supposed to be a top computer security company and it looks like they hand some of their work to teenagers. There are serious enough questions to be asked here without getting too imaginative.

  • mike says:

    One thing you can never fully understand is computers.

  • [...] 11, 2009 This is a follow up from yesterday’s blog post. Yesterday afternoon, Symantec’s Norton Protection Blog broke silence and addressed the [...]

  • [...] the post on Symantec’s forum can be found here. More to read can also be found at Tkj, TechStuff, IDG.se and PC-feber. A simple search on Google gives quite a few hits for anyone who wants [...]

  • Louis says:

    If You’re Looking For Information

    Hello everyone — I work for Symantec’s public relations firm, Edelman. Just wanted to quickly point out that if you want more information on the PIFTS issue, you can go to Symantec’s user forum at http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39119&query.id=286857

    Louis Cheng
    Edelman Public Relations

  • Norton is lying. People have asked about PIFTS for months and they’ve always banned everyone who asked. Only after 4chan got involved did this get attention.

    PIFTS is a rootkit they use to spy on your computer and give to google, the US government, and some server in Africa.

  • [...] frenzy – absolutely amazing Online attackers feed off Norton forum purge • The Register What is PIFTS.exe? – The Blogs at HowStuffWorks "What is PIFTS.exe?" or How Symantec Turned A Simple Mistake Into Corporate [...]

  • Tim Lopez says:

    Hello everyone,

    I’m one of the administrators for the Norton Community Forums. First off, I would like to apologize for the removal of legitimate posts, and delayed response in acknowledging the PIFTS.exe issue. While the reason for merging like-posts in to a single thread was not intended to silence the voices of the users, we do understand that it ended up causing a lot of suspicions about the topic. We are sorry for the confusion that we have caused, and have developed new strategies to ensure this doesn’t happen again.

    We launched the beta of the Norton Community Forums in April 2008. We’ve been very transparent with many issues that have come up on the boards, and utilized this opportunity to have more open discussions with those who use our software. We have also been very lenient with posts. There are threads on the forums that are critical of our products and discuss non-Symantec scanning software recommended by other users, as well as other non-relevant 3rd party software. I’m not saying this to get a pat on the back, but to acknowledge that we encourage open and honest communication on our forums. We strive to be transparent and give our customers the best information as quickly as possible.

    We’ve spent the past 2 days compiling all the information regarding PIFTS.exe and detailing what it does. We’ve also included information regarding the timeline of events that happened on the forums. To view this information, please visit this forum thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119

    We also have a discussion thread for all things PIFTS.exe related at the following thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39123

    Please read through the above two threads if you have any questions, as many questions have already been addressed (such as rumors that we sent personal information to our servers, rumors regarding sending information to Google, and other rumors that we were involved in a conspiracy or “cover up”).

    We welcome you to join in on the discussion if you have any concerns that need to be addressed.

    Again, we’re sorry for the mishap and all the confusion that this has caused.

    Cheers,
    Tim Lopez
    Norton Forums Administrator
    http://community.norton.com

  • [...] regarding the disappearing posts referencing the PIFTS.exe situation (read up on PIFTS.exe here and here). We thought it best to share this as a new blog post rather than have it sit in the [...]
