Symantec false positive cripples thousands of Chinese PCs
Virus signature update mistakes critical Windows files for malware
A signature update to Symantec Corp.'s antivirus software crippled thousands of Chinese PCs Friday when the security software mistook two critical Windows .dll files for malware.
According to numerous blog entries from Chinese computer users, a virus-signature database seeded yesterday mistook two system files of a Chinese edition of Windows XP Service Pack 2 as a Trojan horse that Symantec dubbed "Backdoor.Haxdoor." The antivirus software -- Norton AntiVirus, for example, or the antivirus component of the Norton 360 or Norton Internet Security suites -- then quarantined the netapi32.dll and lsasrv.dll files.
"With these files removed, Windows XP will no longer start up, and even the system Safe Mode no longer functions," said one user writing to the Alt.comp.anti-virus newsgroup this morning.
Late Friday, China time, the Chinese Internet Security Response Team (CISRT) posted an alert on its English-language blog. "It's a terrible day for lots of Chinese users (especially Enterprise Users) who use Norton products today," CISRT said. Other reports claimed that more than 7,000 users had already contacted Rising Antivirus International Pty, asked for help on how they could recover their PCs. On the Chinese security company's home page, its threat gauge was rated at red late Friday, the highest ranking this year.
In an e-mailed statement, Symantec acknowledged the signature update bug and said it re-released a new update late Thursday, U.S. time. The Cupertino, Calif.-based security vendor also said that only Simplified Chinese versions of Windows XP SP2 that have been patched with a Microsoft Corp. fix from November 2006 were affected.
If the PC hasn't been rebooted, users can grab the revised signature update to fix the problem, said Symantec. But if Windows was restarted after the flawed update, the user will have a much harder row to hoe. Because the bad signature update removed the two .dll files, Windows won't boot -- it ends in a so-called blue screen of death, said CISRT -- and so there's no way to retrieve the new signature or to restore from a backup.
"Customers impacted by this issue following reboot of an affected system can return their system(s) to the previous state through use of the Windows recovery console," Symantec said. XP's recovery console is a command-line-driven tool that gives limited access to the PC and its hard drive. Users writing on online forums recommended that users copy the two .dll files from their Windows restore CD to the hard drive.
A likely snafu in that scenario, however, is that many Chinese users don't have a restore CD because they're running pirated copies of Windows.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts