Symantec explains Windows XP 'blue screen of death' outbreak

The security firm is 'restructuring' its SONAR signature quality assurance process after an incompatibility took down a number of Symantec-protected Windows XP machines last week
Written by David Meyer, Contributor

Symantec has explained a compatibility problem that saw some of its Windows XP-using customers experience the 'blue screen of death' last week.

The company said on the weekend that a "full evaluation and root cause analysis of the issue" showed that the only customers to be affected were those running XP, certain third-party software, the latest version of Symantec's behaviour-based SONAR technology, and the 11 July rev11 SONAR signature set.

"The root cause of the issue was an incompatibility due to a three-way interaction between some third-party software that implements a file system driver using kernel stack based file objects — typical of encryption drivers, the SONAR signature and the Windows XP Cache manager," Symantec Security Response team member Orla Cox said in a blog post. "The SONAR signature update caused new file operations that create the conflict and led to the system crash."

Cox detailed the many elements of Symantec's quality assurance process for SONAR signatures, but conceded that it failed to catch this problem before the affected signature set was rolled out. She added that the company was tweaking its testing process to make sure it didn't happen again, and no new SONAR signatures would be released until that "restructuring" has taken place.

After the problem manifested itself on 11 July, Symantec rolled back the rev11 signature set, which the company's LiveUpdate servers had been pushing out for just over eight hours.

Soon afterwards, Symantec posted updated — and less crash-prone — 'r12' signatures to the public LiveUpdate production servers.

"Once the signature was rolled back, no new issues were reported from the field," the security firm said in a summary of the incident.
