Symantec: The computer did it

Computerworld - Symantec Corp. today blamed its automated threat analysis system for producing the buggy signature update that has crippled millions of Chinese PCs.

The virus signature update released last Friday around 1 a.m. Beijing time forced Symantec's antivirus scanning engine, which is used in both consumer and corporate security products, to mistake two critical system files as a Trojan horse. The two files -- netapi32.dll and lsasrv.dll -- in the Simplified Chinese edition of Windows XP Service Pack 2 (SP2) were falsely quarantined. Their absence wouldn't let Windows start if the PC was rebooted.

According to corporate spokeswoman Linda Smith Munyan, Symantec's security team fingered an automated process for the damage done. "Symantec uses a variety of automated systems to complement manual analysis in order to provide rapid response times to new threats," said Smith Munyan in an e-mail. "The automated processes have run successfully for several years and have allowed Symantec to dramatically increase the number of high quality malware detections it's able to provide."

Something went wrong, though.

"In response to the increased use of encryption in malware, a change was made to the automation recently to deal with these malware more effectively," she said. "This inadvertently resulted in a change to a single definition used by the automated system and subsequently led to 2 files being falsely detected as malware."

Symantec became aware of the false positive around 9:30 a.m. Friday, Beijing time, said Smith Munyan, and four-and-a-half hours later pushed out a revised signature update that corrected the false reading. But that was too late for anyone who had rebooted their PC in the intervening 13 1/2 hours. To restore their systems, those users had to replace the missing .dll files, either from a Windows XP SP2 installation or recovery CD, or by copying the files from a working machine.

Since last night, Symantec's Chinese-language Web site has posted prominent warnings on its home page of the false positive problem, with links to a FAQ that includes PC restore instructions. It also offered toll-free telephone support numbers that consumers and enterprise customers can call for assistance.

The company will make changes to how it creates and tests virus signature updates, promised Smith Munyan. "Symantec Security Response has taken action to address processes to ensure future changes to automated systems will not result in misdetections," she said. "Furthermore, Symantec Security Response has made specific changes to the certification procedures that will help to prevent similar false positives, including adding additional checks before definitions are released."

Symantec declined to answer other questions, including an estimate of the number of affected systems and whether it would make restitution to users whose PCs were rendered useless.

The nearest event in scale to the Symantec false positive was a 2005 brouhaha after Trend Micro Inc. released a virus-definition file that slowed thousands of PCs to a crawl. Three months later, the antivirus vendor admitted that the incident had run up $8.2 million in direct costs.

Read more about security in Computerworld's Security Knowledge Center.