Symantec false positive cripples thousands of Chinese PCs
Virus signature update mistakes critical Windows files for malware
A signature update to Symantec Corp.'s antivirus software crippled thousands of Chinese PCs Friday when the security software mistook two critical Windows .dll files for malware.
According to numerous blog entries from Chinese computer users, a virus-signature database seeded yesterday mistook two system files of a Chinese edition of Windows XP Service Pack 2 as a Trojan horse that Symantec dubbed "Backdoor.Haxdoor." The antivirus software -- Norton AntiVirus, for example, or the antivirus component of the Norton 360 or Norton Internet Security suites -- then quarantined the netapi32.dll and lsasrv.dll files.
"With these files removed, Windows XP will no longer start up, and even the system Safe Mode no longer functions," said one user writing to the Alt.comp.anti-virus newsgroup this morning.
Late Friday, China time, the Chinese Internet Security Response Team (CISRT) posted an alert on its English-language blog. "It's a terrible day for lots of Chinese users (especially Enterprise Users) who use Norton products today," CISRT said. Other reports claimed that more than 7,000 users had already contacted Rising Antivirus International Pty, asked for help on how they could recover their PCs. On the Chinese security company's home page, its threat gauge was rated at red late Friday, the highest ranking this year.
In an e-mailed statement, Symantec acknowledged the signature update bug and said it re-released a new update late Thursday, U.S. time. The Cupertino, Calif.-based security vendor also said that only Simplified Chinese versions of Windows XP SP2 that have been patched with a Microsoft Corp. fix from November 2006 were affected.
If the PC hasn't been rebooted, users can grab the revised signature update to fix the problem, said Symantec. But if Windows was restarted after the flawed update, the user will have a much harder row to hoe. Because the bad signature update removed the two .dll files, Windows won't boot -- it ends in a so-called blue screen of death, said CISRT -- and so there's no way to retrieve the new signature or to restore from a backup.
"Customers impacted by this issue following reboot of an affected system can return their system(s) to the previous state through use of the Windows recovery console," Symantec said. XP's recovery console is a command-line-driven tool that gives limited access to the PC and its hard drive. Users writing on online forums recommended that users copy the two .dll files from their Windows restore CD to the hard drive.
A likely snafu in that scenario, however, is that many Chinese users don't have a restore CD because they're running pirated copies of Windows.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts