Symantec explains Windows XP 'blue screen of death' outbreak

Symantec explains Windows XP 'blue screen of death' outbreak

Summary: The security firm is 'restructuring' its SONAR signature quality assurance process after an incompatibility took down a number of Symantec-protected Windows XP machines last week

TOPICS: Security, Windows

Symantec has explained a compatibility problem that saw some of its Windows XP-using customers experience the 'blue screen of death' last week.

The company said on the weekend that a "full evaluation and root cause analysis of the issue" showed that the only customers to be affected were those running XP, certain third-party software, the latest version of Symantec's behaviour-based SONAR technology, and the 11 July rev11 SONAR signature set.

"The root cause of the issue was an incompatibility due to a three-way interaction between some third-party software that implements a file system driver using kernel stack based file objects — typical of encryption drivers, the SONAR signature and the Windows XP Cache manager," Symantec Security Response team member Orla Cox said in a blog post. "The SONAR signature update caused new file operations that create the conflict and led to the system crash."

Cox detailed the many elements of Symantec's quality assurance process for SONAR signatures, but conceded that it failed to catch this problem before the affected signature set was rolled out. She added that the company was tweaking its testing process to make sure it didn't happen again, and no new SONAR signatures would be released until that "restructuring" has taken place.

After the problem manifested itself on 11 July, Symantec rolled back the rev11 signature set — it was only being pushed out by the company's LiveUpdate servers for just over eight hours.

Soon afterwards, Symantec posted updated — and less crash-prone — 'r12' signatures to the public LiveUpdate production servers.

"Once the signature was rolled back, no new issues were reported from the field," the security firm said in a summary of the incident.

Topics: Security, Windows

David Meyer

About David Meyer

David Meyer is a freelance technology journalist. He fell into journalism when he realised his musical career wouldn't pay the bills. David's main focus is on communications, as well as internet technologies, regulation and mobile devices.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • These anti-virus companies

    Instead of protecting the PCs, they are destroying it!!
    • They're killing them, alright.

      The problem was discovered in 4 hours and addressed within 8 hours following the discovery. Problem solved.

      Unless you were referring to Microsoft...
  • Mistakes happen

    This is the first such mistake from Symantec I am aware of. Dont use their AV. Prefer Avast.;
  • Blue screen of death.

    Problem found problem fixed. No big deal unless you're the guy with the blue screen of death. lol.
    Rick Sos

    I dumped McAfee for the same reason.
  • It does occasionally happen

    Having worked as head of tech support and product testing for a fairly large software company years ago, I can say that it's pretty much impossible to test with every third-party product that a user might have installed. At the software company where I worked, no two computers within the company were the same. We bought every different configuration we could think of and ran different versions of Windows on them so that every employee throughout the company became a "volunteer" beta tester. This was in addition to the regular QA employees whose job it was to "make it crash". We really ran our software through the wringer before a release, but sometimes found one configuration we had missed. When that happened, we fixed it immediately. At least Symantec responded quickly and effectively. I wish every vendor was that quick to fix their problems.