Symantec false positive cause nightmare to China

The definition today cause the XP Simplified Chinese version file netapi32.dll and lsasrv.dll qurantined. It was dut to Microsoft patch MS06-070 and the symantec definition file. This makes millions of computer can't boot anymore, some finance and IT sector went into total disaster.

 

Re: Symantec faulse positive cause nightmare to China

Millions of users and corporation rush to get help from kaspersky, rising, kingsoft etc. I don't think Symantec China is just marketing, they are many technical guy added definition file. How could this happen? I doubt the quality of the definition, it is of course not tested on XP chinese version.

 

Re: Symantec faulse positive cause nightmare to China

http://img1.qq.com/tech/pics/4038/4038284.jpg

This is the picture, I think this is the worst damage by antivirus in the history.

 

Re: Symantec faulse positive cause nightmare to China

sh@ happens i suppose... all AVs have some FPs

 

Re: Symantec faulse positive cause nightmare to China

But this time matters for
1. system can't boot, so it is not easy to rollback the definition or exclude, only to use boot cd or ghost
2. This positive means the definition quality is not trustworthy for it is not tested under xp by symantec china for sure. Every antivirus company should take care about the test procedure, especially that claim it to be the most, big, reliable etc.

 

Re: Symantec faulse positive cause nightmare to China

I guess someone "forgot" to do their jobs. Is it strictly Norton 360 or all Symantec AVs? Norton 360 is more of a home user product, why would finance and IT use it?

--

 

Re: Symantec faulse positive cause nightmare to China

I think you don't know all the symantec product use the same definition file.
All the main news channel in china has reported this since 6 in the morning ECT +8, but symantec keeps silence, they are trying to release a rapid definition, maybe not necessary.

 

Re: Symantec faulse positive cause nightmare to China

Can anyone find a news article about this? I would like to read more about it.

 

Re: Symantec faulse positive cause nightmare to China

?

Shouldn't they be looking for help from Symantec? It could happen to any security firm.



tD

 

Re: Symantec faulse positive cause nightmare to China

You are very right , TD , but I am sure the OP is desperate . He/She is seeking for some kind of fast help because , you know, it is difficult to deal with such a big company like Symantec

 

Re: Symantec faulse positive cause nightmare to China

rapid definition release or not...the damage is done.

 

Re: Symantec faulse positive cause nightmare to China

Of course it is, but at first user think that it was the virus infection, and nortion can't deal with it, and the people ask for help is so many that rising call system is heavy and hard to call in.

 

Re: Symantec faulse positive cause nightmare to China

But this case is a little bit different, because those two files are critical system files. I think files belonging to OS should have highest priority to take the QA test before definition could be released.

FYI, netapi32.dll is a module that contains the Windows NET API used by applications to access a Microsoft network. And lsasrv.dll is an important security DLL which decrypts all local password hashing schemes on the computer.

 

Re: Symantec faulse positive cause nightmare to China

Symantec has offically confirm this problem, and said if people not restart yet, it can use the 20070517.071 released at 14:30(ETC +8 ), I can't find any link on their website to appologize. I think user may take legal action to prosecute, this is not kind of thing specified in the end user agreement, it was an evidence of not taking proper action.

 

Re: Symantec faulse positive cause nightmare to China

http://www.cisrt.org/enblog/read.php?100

 

Re: Symantec faulse positive cause nightmare to China

I found Rising has rise their alarm to red, this is the highest alarm this year.
Fortunately our company is using Trend, but our vendor is not so lucky, I had to delay the serial number upload. Home user found their computer can't use any more in the beginning of the day.

 

Re: Symantec faulse positive cause nightmare to China

Hi, folks: why would that ill-fated Symantec F.P. only render WinXp simplified Chinese version useless and not to all others? To the best of my knowledges, majority of PC users can buy their boxes naked(without any O/S preinstallted) from China's vendors(this may have changed recently due to pressure from Microsoft). Therefore, I would assume there is a good portion of winxp copies may not be so authentic, including some business identities. Let alone initiating a law suit with firm footing. Good luck to them.

 

Re: Symantec faulse positive cause nightmare to China

This time it was Symantec , but all of the rest of the AV community have released bad definitions in the past, and they probably will in the future. That is just part of the business of having to pump of the protection definitions as fast as they do trying to keep up with the malware writters. Personally I am just glad there aren't more incidents like this one. But you can be assured that another av company will pump out a bad definition in the near future. This is not an isolated incident.

 

Re: Symantec faulse positive cause nightmare to China

I know it could happen to any venders. However, what makes this case so different is the consequence. After symantec/norton antivirus quaratines the FP, xp could not be loaded followed by a reboot. It's a nightmare for average joes. Anyway, I am not bashing symantec. I just hope security venders could implement their QA tests more carefully and comprehensively.

 

Re: Symantec faulse positive cause nightmare to China

Please make comments like never using norton before, Of course this in an isolated indident. This kind of detect critical system file never happened before and will not happen on any company if he did a test whatever test.

 

Re: Symantec faulse positive cause nightmare to China

To take legal action in China is not so easy like western countries, people usually show their anger and reinstall their system. Newly sold brand PC or notebook is nearly all preinstalled xp, is much cheaper now, but it still 10% of my income per month(used to be 50%). I think these big company know Chinese don't like the court, so they are so haughty.

 

Re: Symantec faulse positive cause nightmare to China

Symantec is not the first to detect system files, I had Kaspersky delete several System files on my comp due to bad defs causing me to do a full reformat and restore. And yes I have used Norton for years and never had it do what it did in China.

 

Re: Symantec faulse positive cause nightmare to China

Hi, folks: if this kind of misfortune is inevitable among all AV vendors, then I would take this vaccine sooner rather than later. After this incident, I firmly believe Symantec will certainly implement a double safety mechanism to safeguard their reputation. Symantec users may in fact have a very good chance enjoying trouble free days and years. But who is next ? Please take a number.

 

Re: Symantec faulse positive cause nightmare to China

You mean like McAfee? I hope this does not translate into a loss in detection rates....

Anyway, yes this can happen for all the AVs, why, just recently (yesterday in fact ) ArcaVir flagged a driver in my system32 folder as riskware. Luckily it didn't delete it, so I was able to send it for analysis

I guess a problem for a company as big as Symantec is that they probably need to test the definition on a large number of products and sometimes also in different regional versions to check if there is incompatibility. Since Norton 360 only supports XP and Vista anyway I guess the researcher decided to test it on Vista and assumed it would work on XP. But hey, since I don't know anything this could very well be false.

As such Symantec has been known to always check all their definitions for FPs, they have some of the lowest FP rates in the world. So, if this happens with Symantec today, there's every chance it could happen in a more severe form with another AV.

 

Re: Symantec faulse positive cause nightmare to China

Kinda makes you wonder if the person who released the definition file at Symantec had a bad lunch special that day