Symantec Anti-Virus Update Crashes Windows XP Computers
The 'blue screen of death' displayed after a Windows XP system crash.
This story was updated with clarification from Symantec at 4:45 p.m. ET Tuesday (July 17).
Put together an anti-virus update, new-fangled encryption technology and an 11-year-old operating system, and what do you get?
Security giant Symantec admitted Friday (July 13) that updates pushed out to several of its software products two days earlier had caused computers running Windows XP to crash and display the dreaded "Blue Screen of Death."
"On July 11th, 2012 Symantec Security Response started receiving reports of customers experiencing blue screens after applying the July 11th revision 18 definitions," wrote Orla Cox of Symantec Security Response in a blog posting. "Machines may continue to blue screen after they reboot. This problem only appears to occur on Windows XP machines."
The affected products included Symantec Endpoint Protection 12.1 and its small-business and cloud-based variants, all of which are centrally managed products for corporate IT departments, and the consumer products Norton 360, versions 4 through 6, and Norton 2010, 2011 and 2012.
All those products use SONAR, Symantec's behavior-based malware detection software. The faulty update was a malware-definition update, which adds to the library of known malware, not a software update.
"After a full evaluation and root cause analysis of the issue, we have determined that the issue was limited to machines running a combination of Windows XP, the latest version of the SONAR technology, the July 11th rev11 SONAR signature set, and certain third-party software," Cox later wrote.
Cox did not identify the third-party software, but in the discussion forum attached to her posting, a Symantec employee explained that the conflict was with various kinds of whole-disk-encryption software.
Whole-disk encryption, also known as full-disk encryption, is the practice of encrypting a computer's entire hard drive in order to prevent unauthorized access. The business-oriented versions of Windows Vista and Windows 7 include it as an option, as does Mac OS X 10.7 Lion.
Symantec did not specify which companies' products were involved, but it listed Microsoft BitLocker, Novell ZenWorks, Sophos LanCrypt and WinMagic SecureDoc, along with the Symantec-owned PGP Whole Disk Encryption, as well-known examples of whole-disk-encryption software.
"Once the cause of the issue was discovered, the signature was removed from the definition set and an updated definition set was published," wrote Symantec manager Michael Marfise in another blog posting. "This 'rollback' of signatures was done on July 12th at 2:51AM PT. Once the signature was rolled back, no new issues were reported from the field."
Update: In an email to SecurityNewsDaily, Symantec said it had confirmed problematic interactions with Novell ZenWorks, PGP Whole Disk Encryption, SlySoft Virtual Clone Drive and Sophos LanCrypt. Microsoft BitLocker apparently did not cause problems.