Flawed Symantec update cripples Chinese PCs
A Symantec antivirus signature update has mistakenly quarantined two critical system files in the Simplified Chinese version of Windows XP, crippling thousands of PCs in China.
According to the Chinese Internet Security Response Team (CISRT), users of Norton Antivirus, Norton Internet Security 2007 and Norton 360, who installed an antivirus signature update released by Symantec on May 17, could not reboot their PCs. The update reportedly mistook two Windows system files--"netapi32.dll" and "lsasrv.dll"--as the Backdoor.Haxdoo Trojan horse. The two files were subsequently quarantined.
CISRT said the flawed Symantec update only affects users of the Simplified Chinese version of Windows XP Service Pack 2 that have been patched with a particular Microsoft software fix available since November 2006.
CISRT noted that this issue has had a "huge" effect on Chinese PC users. It reported that more than 7,000 PC users have asked Chinese antivirus software Rising Antivirus for help in resolving the issue.
A spokesperson at Symantec Asia-Pacific and Japan confirmed the occurrence of the incident, but declined to reveal the number of Chinese Norton customers who were affected.
According to Symantec, the problem was caused when Symantec made a change to the automated process used by the company's security response team to detect malware.
The spokesperson explained: "Symantec Security Response uses a variety of automated systems to complement manual analysis in order to provide rapid response times to new threats. The automated processes have run successfully for several years and have allowed Symantec Security Response to dramatically increase the number of high quality malware detections it's able to provide, especially with the continued increase in the number of threats faced by customers.
"In response to the increased use of encryption in malware, a change was made to the automation recently to deal with these malware more effectively. This inadvertently resulted in a change to a single definition used by the automated system and subsequently led to two files being falsely detected as malware," she added.
Symantec said the false detection was immediately removed from the virus signature definitions. Symantec security experts then initiated a LiveUpdate--the company's automated software update process--posting to include the updated definitions. This LiveUpdate became publicly available at 22:50 (Pacific Standard Time) on May 17, about 4.5 hours after Symantec was notified of this issue.
Over the past two days, Symantec said, it has been reaching out to its customers and partners, to provide them with the updated file definition and the necessary steps to prevent further issues.
According to Symantec China's Web site, affected customers can resolve the problem by initiating another LiveUpdate, if they have not restarted their PCs after installing the flawed update. Systems that have already been restarted can be returned to the previous state by recovering the two system files from the Windows XP CD.
The latest incident follows earlier foul-ups by antivirus software vendors. In February this year, Trend Micro said a security flaw in its antivirus software could cause a PC to be non-responsive, or allow an attacker to remotely execute code and take control of a system. Later in March, Microsoft also incurred the wrath of Windows Live OneCare users, who had their e-mail messages in Outlook and Outlook Express deleted by the Microsoft antivirus software.