Hacking Symantec: Easy Peasy

Published on June 26, 2008 in General by Rami Taibah

Last week, the IT department had an epiphany: they decided to replace McAfee Anti-Virus with Norton on all employees’ computers. Since I work in a company technologically retarded, the announcement almost went unnoticed with minimal opposition from all the departments. Only a handful (actually one besides me) didn’t like the decision. We discussed it a bit, that Norton is a resource hog, and will probably slow up our systems. However, we begrudgingly obliged.

While I knew that my system was screwed, since I didn’t defragment for some time, had loads of unnecessary applications, didn’t clean my registry for a few months, etc. You know how XP could become after a couple of months of usage. The Norton installation was like the last nail in my laptop’s coffin. The system has become so annoyingly slow that on more than one occasion I almost punched the screen! Switching between applications could take up to 30 seconds, sending out an e-mail would take another 30 seconds, random freezes while typing a document, it really got frustrating. I decided to take matters into my own hands. Step one: be the technological renegade I’ve always been, get rid of Norton!

So I fire up my Control Panel, and then click on the Add/Remove Programs icon, click on the damn Norton icon and Remove. Oh oh not so fast cowboy, I needed a password:

At this point, a lot of ideas crossed my mind: smart guessing, brute force, social engineering, etc. But I decided to appeal to Google; maybe there was a default password I could use. After a quick 30-second Google, I landed on a forum where someone had the same exact problem I had. One reply suggested to fire up the Task Manager and kill a process run by the user (not System) called Msiexec.exe. My first thought was NO WAY, it can’t be that easy! But I decided to try it.

Lo and behold! The uninstallation rolled and I had a Norton-free system within a minute!

Now my question is: is this the kind of security millions of computer users and thousands of corporations are depending on? How can such a hack go unnoticed for multiple versions (yes, it has been around even for earlier versions) by such a “leading” computer security company? Didn’t anyone report it? File a bug? Security through obscurity my ass!

About Rami Taibah

Rami Taibah is the founder of The Linuxologist and a self-proclaimed geek and Linux aficionado. This fall, he will be pursuing an MIMS degree at UC Berkeley, California. You can follow him on Twitter @rtaibah.

  • Thank you, I will try this on my machine today! ;)
  • OH MY GOD~!&#@($ Thanks dude that's very easy :))) luv ya :P (dont think me gay :) i luv u as bro) anyways thankssssssssssssssssssss
  • Reader
    That is sweet :)))) Still working - February 2009. Thanks a lot.
  • Good one mate !!
    But lemme tell u a fact..none of the so called "secure systems" are 100% secure in this earth ..there is a "hack" exist for everything...after all "humans" code "machines" and "To Err Is Human, To Forgive Divine" ..So if you are really looking to make things better/secure you can initiate and report the "bug" instead of asking questions in a remote forum.
    That's how bugs get fixed !!
  • Well I don't really care now do I? This is a Linux blog, and thank heavens we don't have to deal with viruses and anti-virus programs that hog our systems....

    And nobody said there is a 100% secure system out there, the point was the most popular OS using the most popular anti-virus was hacked by someone like me. Who has no hacking/cracking/coding experience at all! I just used common sense....If such an obvious bug got through Norton's nets, what does that say about the company?
  • diz8
    Updated reg keys for Endpoint 11.0.2000.1253

    [HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\Security]
    "LockUnloadServices"=dword:00000000
    "UseVPUninstallPassword"=dword:00000000
  • kevin
    Anyone know what registry key setting is preventing me from being able to clear the logs? The CLEAR button in the log viewer is greyed out...
  • Ivan
    For the technically challenged - Symantec site Downloads - Norton removal Tool. 8-)
  • awesome... so easy. the worst part is, a lot of people can't even do that...
  • reghax0r
    Why bother killing processes when you can just change two registry keys from 1 (00000001) to 0 (00000000):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security]
    "UseVPUninstallPassword"=dword:00000000
    "LockUnloadServices"=dword:00000000
  • That is absolutely amazing. They demand a password just so you can get rid of the bitch. What incredible audacity!
  • amrush
    lol ... that's actually dumb I hope by the time I start working nothing would be changed :P ..
  • The fact that you can uninstall (or install) anything just proves that your IT department sucks.

    Oh yeah, but then it was already obvious with the Norton (or McAfee for that matter) thing as well.
  • guyonphone
    The default/backdoor password is (are you ready for this?) "symantec" typing that in usually lets you uninstall it.
  • @crotchet

    Dude! If you're going to say Fuck You, have the balls to say that shit, man! Quit being a fucking pussy! If you're going to hurl insults like that at a guy, grow a pair and do it right!

    F*** You? C'mon, loser. You're going to say fuck you and at the same time try to make it polite by censoring it? Make up your fucking mind.

    Pussy.
  • MONKEY
    M$ will never fix Windows
    Too many eat with a bad system like Windows
    Symantec is trying to spread the hoax that Mac OS X is vulnerable, so they can create new markets, but unfortunately nobody needs an antivirus on a Unix system, because unless a virus has root powers it cannot cause any damage to the system, just to the user area.

    *Edited by admin: Caps removed*