Interface design failures – Symantec Endpoint Protection

Continuing on the interface-design-that-is-so-dreadful-it-turns-people-off-technology thread, here’s a true gem I got a few days ago.

As I was minding my own business, using my computer in the low-maintenance way I’ve come to use it over the years, this thing popped up:

Symantec Internet Security popup

Yes, we use Symantec Endpoint Protection at work. What I don’t want it to do, is interrupt what I’m doing to ask me if it may… do its job. The LuCallBackProxy.exe program is part of Endpoint Protection. You would think that a product that is supposed to protect you from the bad guys, at the very least can differentiate between itself and untrusted programs trying to communicate with untrusted remote sites.

But no, this is Symantec Endpoint Protection itself, asking if it’s OK for it to do its job, treating one of its own components as a potential threat, giving you no good reason for it, making the user construct conspiracy theories about trojaned software or just throw up his/her hands and click “OK” once more.

Users are not given an indication of why the trapped action might be dangerous and are not empowered with understanding of what’s going on on their machine. But really, that popup should not have been there.

6 thoughts on “Interface design failures – Symantec Endpoint Protection

  1. The question you have to ask yourself is: Is that the real LuCallBackProxy.exe program or a fake one?

    I’m just kidding. It’s probably the real one – at least I hope so. lol ;)

    Did you figure out why it’s trying to talk with that IP?

  2. Nah, not worth chasing I reckon.

    There is a threshold to how much effort I will take nowadays trying to understand why a certain piece of software is behaving the way it does, and it’s getting lower by the day…

  3. Hi,

    I just came across your post.

    This could be a fake program appearing as SEP. Our application is digitally signed while the one in your dialog above is not. My recomnmendation is to open up a ticket with Symantec Technical support and have them either walk upi through the process of getting this submitted for analysis by our Response group or getting your system cleaned up.


    Director, Product Management
    Symantec Endpoint Protection

    • As our own tech support are not willing to investigate this (it’s easier for them to just re-image the machine), how can I as an end user open a ticket with Symantec Technical Support to submit this for analysis?

  4. Additional update.

    The server the system is trying to reach is a broadband provider in Russia. This system does appear to be an exploit that is attemptiong to act like one of the SEP processes. If these types of pop-ups are confusing to the end user that can be turned off so that pop-ups from malicious software will be automatically handled by denying access.


  5. Thanks for the comment Jim, I’ll follow up with Symantec Tech Support.

    From an interface design point of view then, there are two improvements that would have vastly helped me make the right security decision:

    1. Check if the suspicious application is legit. If it’s in C:\Program Files\Symantec and it’s NOT digitally signed, it should be flagged as *dodgy, proceed with caution*.

    2. Have a IP-to-country automatic lookup routine that shows a country flag right next to the suspicious IP. Had I seen a Russian flag right next to 95.3033.145, I would instantly know what to do.
    This method is already used by the “Conspiracy” Firefox plugin to warn users against potential SSL MITM attacks. “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL” is the research paper behind it. Seems easy to implement and intuitive enough to help end users do the right thing. I’d like to see this in Symantec products.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s