Javamex home

Information about PIFTS.EXE

The short answer: calm down dear, have a cup of tea and get back to work— unfortunately, it looks like the end of the world is not nigh... just yet. Symantec, makers of Norton Antivirus, accidentally released a patch that was not digitally signed as being from them, causing it to hit the firewall. Read more information here.

Long answer...

Since yesterday, many users have noticed PIFTS.EXE hitting their firewall, asking to connect out. The file is from a Norton Antivirus update that, it turns out, was simply designed to gather some statistics about people using different versions of the antivirus.

Various forum/blog posts about the mystery PIFTS.EXE, which apparently link it to terrorists in dreadlocks, men in black and other general evil. The reason for the conspiracy theories appears to be in part because of the lack of clarity on the part of Symantec, publishers of Norton Antivirus. Users who posted messages to the Symantec forum asking for more information found that the posts were mysteriously deleted without further comment from the company on why. Some other reasons for alerting users' suspicions include:

• the file was not signed (which, in fact, is what caused it to hit various firewalls and be brought to public attention);
• after receiving the warning and denying access, users report that the file could then not be found, as though it was "covering its tracks".

Despite the furore, PIFTS.EXE is relatively harmless in the end. The program attempts to connect out to one of Norton's servers and, via parameters in the URL, "ping" it with information about versions of the antivirus components installed on the user's machine. It's just Norton gathering some boring statistics rather than the end of the human race as we know it.

What's interesting about this case is how virally nuggets of misinformation were spread— notably the notion that the file "connected to a server in Africa". In fact, as a disassembly of the program showed, and has now been revealed by Symantec, the program's activities are relatively innocuous:

[It] determines what product is installed [...] by looking under the HKLM\Software\Symantec\InstalledApps registry key.
[It] determines the version of the installed product by looking at the file version information of a key product file.
[It] determines if PIF¹ is installed [...]
[It] determines the version of PIF [...]
[It] determines if PIF is enabled [...]
[It] determines the version of PIF that LiveUpdate believes is installed [...]
The collected information, as described above, is reported to a Symantec server, called stats.norton.com[...].

Source: Symantec forum posting

1. PIF stands for Product Information Framework, apparently a component of Norton Antivirus.

Internet blogs/references:

• "Conspiracy theories": some interesting screenshots of forum posts apparently deleted by Symantec...!
• HowStuffWorks blog
• ZoneAlarm forum
• Buckeye Planet forum entry
• PIFTS.EXE Virus theory
• Yahoo Answers thread on the subject, with some more intersting links

N.B. Vista users should note that PIFTS.EXE should not be confused with PFTS.EXE (Parallel Fourier Transform Service). PIFTS.EXE reportedly stands for Pretty Indiscrete File Transfer Service.