Symantec last week crippled a large number of Windows XP machines when it shipped customers a defective update to its antivirus software, the company acknowledged Friday.
"After a full evaluation and root cause analysis ... we have determined that the issue was limited to machines running a combination of Windows XP, the latest version of the SONAR technology, the July 11th rev11 SONAR signature set, and certain third-party software," said Orla Cox, of the company's security response team, in a July 14 blog post.
SONAR, for "Symantec Online Network for Advanced Response," is an anti-malware technology that spots suspicious, and possibly malicious, files by monitoring software behavior.
Symantec did not identify the "certain third-party software" that contributed to the problem, which caused Windows XP PCs to show the notorious "Blue Screen of Death" error display, then reboot, only to endlessly repeat the cycle.
The closest the company came to pointing fingers was to note that the blue screens were triggered by software that "implements a file system driver using kernel stack-based file objects, typical of encryption drivers."
The SONAR update caused new file operations that created the conflict that led to the system crashes, Symantec said.
Users of SEP (Symantec Endpoint Protection) antivirus software, run primarily by enterprises, began reporting blue-screening XP systems early Thursday, July 12. Symantec later confirmed that other titles in its portfolio, including the consumer-grade Norton 2010, 2011, and 2012, as well as Norton 360, were also affected.
The flawed update was served to customers for about eight hours, from 6:25 p.m. PT on July 11 to 2:15 a.m. PT July 12, when Symantec yanked the update. It replaced the defective update about a half hour later.
Some users reported substantial numbers of affected Windows XP machines. Someone identified as Mark Daeth said more than 1,000 systems at his workplace had blue-screened.
"We have pushed out R12 to as many PCs as we can, but over 30 percent of our PC environment still will not boot," said Daeth on Thursday, referring to the revised SONAR update.
Daeth is the IT manager at Charlotte-based AAA Carolinas, the American Automobile Association group responsible for North Carolina and South Carolina members.
Not surprisingly, customers were irate, with one calling the gaffe "a total farce."
"The support is a joke, the quality control is a joke, and the software is not much better," charged Andrew Parkes in a comment appended to the Symantec blog. "Yes, I know these things happen, but any half decent quality control/testing process would surely have highlighted the issue?"
Symantec is the second antivirus vendor to cripple or damage Windows systems with a flawed update in the last two months.