But developers can also talk themselves into using rootkits for legitimate purposes. I'm sure the people at Sony and First 4 Internet (the company that actually wrote the DRM rootkit Sony used) considered their motivations pure: to protect the music on the CD from unauthorized copying. I can sympathize to a point with this, but they handled so many things badly that it was impossible to give them any credit for having a legitimate goal.
Now it turns out that Symantec, of all companies, has been using a kind of rootkit as part of its SystemWorks product. As part of the "Norton Protected Recycle Bin" feature, it stored files in a directory that it kept hidden from the user and other programs through basic rootkit techniques.
I used SystemWorks on one of my main desktops for several years, and I remember coming across this when doing offline scans of the system. I should have known better, even if it was maybe three years ago, but I quickly realized what they were up to and said to myself that I understood why they did what they did.
I wasn't the only one who should have known better. Symantec should have known better too. I'm pretty sure that Norton Protected Recycle Bin, which tries to be a safety net for users who too casually delete files, has been around for many years. I remember it from a long time ago, and I suspect it goes back almost all the way to Windows 95. I don't know if the directory-hiding nonsense goes back that far; perhaps earlier versions were less "sophisticated."
There really is a legitimate goal behind this feature: to protect users. The original unerase relied simply on the fact that the FAT system only marked files in the directory as deleted and their clusters in the FAT as available, and it was possible to re-create the entry and reallocate the clusters. But under Win32 it was possible to go a step further: save deleted files in a special cache, structured as a queue so that the most recently deleted would stay alive the longest.
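The two unerase strategies just described, modelled as a toy in Python. This is an added example, not code from the article or from Symantec: the FAT layout is a simplified FAT12-style table (one cluster per slot, `0xE5`-style deletion mark represented by a flag, zeroed chain on delete), and the protected bin is a bounded queue that purges the oldest entry first. The file names, sizes and cluster counts are constructed. The point it shows is why the old approach was fragile, since an undelete fails as soon as another file reuses the freed clusters, and why a deleted-file cache with a most-recently-deleted-survives-longest policy was the natural next step.

```python
"""Toy model of FAT-era unerase versus a queue-based protected recycle bin.
Constructed example: simplified FAT12-style table, not a real on-disk format."""
from collections import deque
import math

FREE = 0
END_OF_CHAIN = 0xFFF  # FAT12-style end-of-chain marker (assumption: single sentinel value)


class ToyFat:
    """Cluster table plus a flat directory. Deleting a file only flags the
    directory entry (0xE5 in the first name byte on a real FAT) and zeroes
    the cluster chain, so the chain links themselves are lost."""

    def __init__(self, clusters: int, cluster_size: int = 512):
        self.fat = [FREE] * clusters          # index = cluster, value = next cluster / EOC / FREE
        self.cluster_size = cluster_size
        self.dir = {}                         # name -> {"first", "size", "deleted"}

    def _link(self, chain: list[int]) -> None:
        for a, b in zip(chain, chain[1:]):
            self.fat[a] = b
        self.fat[chain[-1]] = END_OF_CHAIN

    def _clusters_needed(self, size: int) -> int:
        return max(1, math.ceil(size / self.cluster_size))

    def create(self, name: str, size: int) -> list[int]:
        """Allocate the lowest free clusters (so early files are contiguous)."""
        n = self._clusters_needed(size)
        chain = [c for c in range(len(self.fat)) if self.fat[c] == FREE][:n]
        if len(chain) < n:
            raise OSError("disk full")
        self._link(chain)
        self.dir[name] = {"first": chain[0], "size": size, "deleted": False}
        return chain

    def delete(self, name: str) -> None:
        entry = self.dir[name]
        c = entry["first"]
        while c != END_OF_CHAIN:
            nxt = self.fat[c]
            self.fat[c] = FREE            # chain is destroyed here, as on a real FAT
            c = nxt
        entry["deleted"] = True           # models the 0xE5 deletion mark

    def undelete(self, name: str) -> bool:
        """Classic UNERASE: rebuild the entry assuming the clusters were
        contiguous from the first cluster. Succeeds only while every one of
        those clusters is still free."""
        entry = self.dir[name]
        if not entry["deleted"]:
            return False
        n = self._clusters_needed(entry["size"])
        chain = list(range(entry["first"], entry["first"] + n))
        if any(c >= len(self.fat) or self.fat[c] != FREE for c in chain):
            return False                  # reused by another file; data is gone
        self._link(chain)
        entry["deleted"] = False
        return True


class ProtectedBin:
    """Win32-era approach: keep a copy of each deleted file in a bounded
    queue. When the queue is full the oldest deletion is purged, so the most
    recently deleted file survives the longest."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self._queue = deque()             # left = oldest, right = newest

    def delete(self, name: str, data: bytes) -> None:
        if len(self._queue) >= self.capacity:
            self._queue.popleft()
        self._queue.append((name, data))

    def restore(self, name: str):
        for i, (n, d) in enumerate(self._queue):
            if n == name:
                del self._queue[i]
                return d
        return None

    def contents(self) -> list[str]:
        return [n for n, _ in self._queue]


if __name__ == "__main__":
    fs = ToyFat(clusters=8)
    fs.create("a.txt", 1000)               # two clusters
    fs.delete("a.txt")
    print("undelete before reuse:", fs.undelete("a.txt"))
    fs.delete("a.txt")
    fs.create("b.txt", 100)                # grabs cluster 0
    print("undelete after reuse: ", fs.undelete("a.txt"))
    bin_ = ProtectedBin(capacity=2)
    for name in ("x", "y", "z"):
        bin_.delete(name, name.encode())
    print("bin holds:", bin_.contents())   # oldest ("x") was purged
```

Both models share the same failure mode that the original unerase had in a harsher form: once the space is reused (clusters on FAT, queue slots in the bin) the file is gone, and the only question is how long the grace period lasts.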
And because Norton SystemWorks instills in its users an obsessive-compulsive desire to neaten and tidy up their systems, perhaps even to their detriment, they decided to hide the actual directory. You could empty it out using what seems like a redundant option for emptying the Protected folder, but you have to go through multiple warnings.