Norton (Anti)Virus
The number one security-related threat to Mac users at Stanford is Symantec’s Norton AntiVirus 10.0. With backing from Residential Computing (Rescomp), Norton AV has caused more pain and suffering at Stanford than any OS X-based virus could aspire to.
How It Spread
Before I get into the dastardly nature of Norton AV and how to kill it, I’d like to cover its propagation from Rescomp. Naturally, Rescomp requires faculty and students to register their devices before they can use them to access Stanford’s network. The first step in this process is to run their Computer Health Tool, some software that, among other shady data mining operations, will prevent registration if it doesn’t find any anti-virus software installed.
A variety of anti-virus suites satisfy the Computer Health Tool (see the bottom of the CHT’s page for a list) but Stanford’s recommendation for Panther, Tiger, and Leopard users is Norton AV. Rescomp has a crazy licensing deal with Symantec and offers Norton AntiVirus 10.0 free to anyone with a Stanford ID, as part of their “Essential Stanford Software” suite.
Basically, anyone who isn’t hyper-aware of where Rescomp is directing them will follow this path to a Norton AV install: registration requires Computer Health Tool check, Computer Health Tool check requires an anti-virus program, and Stanford provides Norton AV. Most students I’ve talked to whizzed through every “Continue” button in this process, and all regretted it.
The easiest way to avoid ending Rescomp’s registration process with Norton AV installed is to specify an archaic operating system (either OS 8 or 9 will do) when prompted to download the Computer Health Tool. This will bypass the CHT altogether and lead directly to registration, without getting Norton AV involved at all.
Why It Sucks
Rescomp acknowledges some of the “malware on OS X” dialogue’s finer points in its description of Norton AV:
The majority of the virus and worm attacks do not affect Macintosh users. However, some users may unwittingly promote virus attacks if they use Microsoft Outlook or other MS products.
Indeed, whether Mac users need anti-virus software at all is debatable. Whether Mac users need a steaming pile, however, is not—and Norton AV is significantly closer to the latter than the former. In fact, Norton AV has all of the essential qualities of a nasty computer virus: it mucks about in system folders, invades most aspects of the Mac user interface, bogs down the CPU, causes hangs and crashes, is difficult to cleanly uninstall, and generally decreases productivity while generating frustration.
Norton AV’s first sin is its installer, which forces the user to install 18 separate components. I love how the “Customize” interface teases with greyed out radio buttons:
Symantec doesn’t include any list of installed files in Norton’s readme or user guide. So, I used Pacifist to examine Norton AntiVirus Installer.pkg’s 18 components and compile a list of every file it copies to the hard drive during an installation of Norton AntiVirus 10.0:
/Applications/Norton AntiVirus
/Applications/Symantec Solutions/*
/private/etc/Symantec.conf
/Library/Application Support/Norton Solutions Support/*
/Library/Contextual Menu Items/NAVCMPlugin.plugin
/Library/Documentation/Help/Norton Help Scripts/*
/Library/Frameworks/Stuffit.framework/*
/Library/Preference Panes/APPrefPane.prefPane
/Library/Preference Panes/SymantecQuickMenu.prefPane
/Library/PrivateFrameworks/SymAppKitAdditions.framework/*
/Library/PrivateFrameworks/SymBase.framework/*
/Library/PrivateFrameworks/SymNetworking.framework/*
/Library/PrivateFrameworks/SymScheduler.framework/*
/Library/PrivateFrameworks/SymSystem.framework/*
/Library/StartupItems/NortonAutoProtect/*
/Library/StartupItems/NortonMissedTasks/*
/Library/Widgets/Symantec Alerts.wdgt
/System/Library/Extensions/KTUM.kext
/System/Library/Extensions/SymEvent.kext
/System/Library/Extensions/SymOSXKernelUtilities.kext
/Users/Shared/NAV Corporate
/usr/bin/navx
During use, Norton AV will also generate several preference files in ~/Library/Preferences/, which can be identified by the “com.symantec” in their filenames.
There are several objectionable elements in the above file list. The first item, Norton AntiVirus, is an alias to /Applications/Symantec Solutions/Norton AntiVirus.app. To counter stupidity like this, I don’t think OS X should support aliases that link to files they are separated from by less than two directories. If Symantec wanted more presence in the Applications folder, why didn’t they just install Norton AntiVirus.app there in the first place and avoid the useless alias altogether?
Notice that Norton populates an astounding eight folders in /Library, which makes it a ubiquitous presence in OS X. Norton AV 10.0 includes four application bundles, a menubar item, a widget, a contextual menu item, and not one, but two preference panes. These various manifestations rely on three background processes (not including the widget) which, according to Activity Monitor, are responsible for eating around 30 MB of real memory. Words cannot express how obnoxious this is. If I could right click with all four Norton applications open, my dashboard forward, and System Preferences up, I would actually see seven independent manifestations of Norton AV at once, all with overlapping featuresets and options. Holy Norton-spam:
The pathetic part is, Norton AV could easily be just as useful if it comprised one preference pane and one background process.
Stuffit.framework is the backbone for Smith Micro’s Stuffit (.sitx) archive format, a relic of pre-Tiger days when the Mac was not .zip-friendly. Why Norton AV uses Stuffit I have no clue, but its presence in the installer is yet another indication that Symantec is behind the times—so behind the times, it turns out, that Norton AV relies on an outdated version of the outdated archive format, and is actually broken by Stuffit updates.
Finally, and most crucially, Norton AV commits a faux pas by installing three kernel extensions in the /System directory, which is reserved for the inner workings of OS X and generally should not be messed with. The first section in Apple’s article on kernel extensions is “Why to Avoid KEXTs,” and it warns:
Finally, for security reasons, some customers restrict or don’t permit the use of third-party KEXTs. As a result, use of KEXTs is strongly discouraged in situations where user-level solutions are feasible…When you are trying to determine if a piece of code should be a KEXT, the default answer is generally no.
I’m not a programmer, but Norton AV does not achieve any functionality that I’ve been unable to duplicate using other applications which do not rely on any kernel extensions. This leads me to believe that its kernel extensions fall into the category of “strongly discouraged in situations where user-level solutions are feasible,” and are ultimately unnecessary tampering with OS X’s internals. In any case, their sheer number (three .kext files for one anti-virus suite) makes Norton AV’s presence in /System shady at best.
I won’t get into the Norton AV user experience much. It rivals the installation in suckiness. I’m just going to cover one egregious behavior that is responsible for much angst, force quitting, and hard rebooting at Stanford: Auto-Protect.
Auto-Protect is an on-by-default “feature” of Norton AV that protects Mac users by crashing their computers when they plug in their iPods. More specifically, it automatically scans every file on every removable disk upon mount, checking for malware that might produce such nuisances as, say, 100% CPU load upon mounting a removable disk.
Where Auto-Protect runs into trouble is with drives containing thousands of files—iPods and external hard drives, for example. The task of indexing and scanning each file on such a massive disk is enough to occupy any Mac’s CPU, cause OS X to hang, and, in many cases I’ve observed, lead to a beach ball of death and a hard reboot. At the very least, Auto-Protect forces users to click “Cancel” whenever they mount a disk image—a process that is by now responsible for costing Stanford students and professors enough man-hours to prove the Riemann Hypothesis and then go out for celebratory drinks.
Auto-Protect might be a good idea, if it operated with any intelligence whatsoever. It doesn’t remember disks it has scanned before or recognize “trusted” disks such as iPods or external drives. And here’s something mind-blowingly ironic: Auto-Protect actually scanned the Norton AV disk image—and, potentially worse, deemed it safe for installation!
Stanford is making a serious mistake by recommending that Mac users install Norton AntiVirus. I wouldn’t touch Norton AV even if I believed that Macs were involved in the spread of malware at Stanford, and other Mac owners at Stanford should do anything in their power to avoid it.
Instead, I recommend the simple, free, and open source virus scanner ClamXAV. ClamXAV requires only one file to keep your computer healthy: ClamXAV.app.
How to Uninstall It
This post wouldn’t be complete if I didn’t offer Norton AV’s victims a way out.
Symantec was kind enough to include an uninstaller as one of Norton AV’s 18 components: /Applications/Symantec Solutions/Symantec Uninstaller. In Norton AV’s tradition of behaving quite like the viruses it was created to destroy, however, the uninstaller only deletes a fraction of Norton AV’s installed files.
To perform a real uninstall, a) manually delete every file I listed above or b) run the uninstaller and then clean up the remaining garbage by hand. Option b is faster, especially because I’ve already gone through the trouble of finding all the files that the uninstaller neglects:
/Library/Application Support/NAV.history
/Library/Application Support/Norton Solutions Support/*
/Library/Frameworks/Stuffit.framework/*
/Library/StartupItems/NortonAutoProtect/*
Don’t forget the “com.symantec” .plist files that Norton generates in ~/Library/Preferences. These are also missed by the uninstaller.
In short: run the uninstaller, trash the above files, and restart to begin a new, happier, life without Norton AV. If Rescomp asks to run their Computer Health Tool, feign outdated-ness and specify OS 8.
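As an added example (not part of the original post and not a Symantec tool), here is a read-only shell check that reports which paths from the two file lists above, plus the “com.symantec” preference files, are still on disk after the uninstaller has run. The function name and its ROOT prefix argument are assumptions of this example; ROOT lets the check be pointed at another mounted volume or a test tree.

```shell
#!/bin/sh
# Added example: audit for Norton AV 10.0 leftovers. It only lists; it deletes nothing.
# Paths are copied from the post's two lists. A trailing /* means "this directory".
NAV_PATHS='/Applications/Norton AntiVirus
/Applications/Symantec Solutions/*
/private/etc/Symantec.conf
/Library/Application Support/Norton Solutions Support/*
/Library/Contextual Menu Items/NAVCMPlugin.plugin
/Library/Documentation/Help/Norton Help Scripts/*
/Library/Frameworks/Stuffit.framework/*
/Library/Preference Panes/APPrefPane.prefPane
/Library/Preference Panes/SymantecQuickMenu.prefPane
/Library/PrivateFrameworks/SymAppKitAdditions.framework/*
/Library/PrivateFrameworks/SymBase.framework/*
/Library/PrivateFrameworks/SymNetworking.framework/*
/Library/PrivateFrameworks/SymScheduler.framework/*
/Library/PrivateFrameworks/SymSystem.framework/*
/Library/StartupItems/NortonAutoProtect/*
/Library/StartupItems/NortonMissedTasks/*
/Library/Widgets/Symantec Alerts.wdgt
/System/Library/Extensions/KTUM.kext
/System/Library/Extensions/SymEvent.kext
/System/Library/Extensions/SymOSXKernelUtilities.kext
/Users/Shared/NAV Corporate
/usr/bin/navx
/Library/Application Support/NAV.history'

# nav_leftovers ROOT HOME_DIR (hypothetical helper)
# Prints one line per leftover. ROOT is prepended to every system path;
# pass "" for the running system. HOME_DIR is the user's home folder.
nav_leftovers() {
    root=$1; home=$2
    printf '%s\n' "$NAV_PATHS" | while IFS= read -r p; do
        p=${p%/\*}    # "dir/*" entries are checked as the directory itself
        # -e alone misses a link whose target is already gone, so test -L too
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$root$p"
        fi
    done
    # Per-user preference files with "com.symantec" in the filename
    if [ -d "$home/Library/Preferences" ]; then
        find "$home/Library/Preferences" -maxdepth 1 -name '*com.symantec*'
    fi
}

# Audit the running system and the current user when run directly.
nav_leftovers "${1:-}" "${2:-$HOME}"
```

An empty result means none of the listed paths remain; anything printed is a candidate for the manual cleanup described above.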
I sincerely hope that Rescomp sees a surge in the number of MacBooks running archaic operating systems come next year’s network registrations—every computer that avoids Norton is a small victory for Stanford’s Mac community.


6 Responses to “Norton (Anti)Virus”
Hey Joe, the site’s really come a long way since that first time you told me about it, really nice. Also looks like you’re attracting some traffic. As for the post, two out of three schools I’ve been to have done this sort of thing. Marquette required me to put a copy of McAfee Virex on my iBook before registering with the network and Illinois Tech refused to support my PowerBook because “I did not have appropriate virus protection installed.” The latter of the two incidents I was told that my computer was acting as a DNS server for half the people in my building, so go figure. Happy new year and good luck taking on these rescomp people :).
Wonderful
Your page helped me to finally completely uninstall norton anti-virus. Thanks a lot!!!
finally, got rid of the auto-scan!!!
Thanks!
This article popped up when I was at near-give-up stage did a random click on side 8 of Google’s return on
“uninstall nav mac”. (believe me I tried many other search strings).
So, there we go. YOU are the definitive source for the file listings that got the NAV pus squeezed out from my System Preference’s skin.
( NAV still appeared as TWO preference settings, long after uninstall).
Happy midsummer //DJ
Let me thank you for posting this information. It is well laid out, informative, referenced, and, best of all, it works. My time capsule was getting stuck on “preparing” as that useless Autoscan mount program was running- even though I had it configured not to scan. I deleted all the files listed, got rid of the Symantec/ Norton application, restarted, and backed up without any trouble. Thanks again
I wish to cancel my Norton as it is not required anymore.
Thank you for this mater.