Symantec Explains Why an Antivirus Update Crashed Windows XP Machines

A compatibility issue, in which a variety of software products interacted with versions of Symantec Endpoint Protection, caused computers running Windows XP to crash during an automated antivirus definition update.

Symantec has shed more light on why an update to its security software spawned the infamous "blue screen of death" for some of its customers.

An antivirus software update that Symantec issued on July 11 was discovered to be crashing Windows XP machines. According to Symantec, the problem was a compatibility issue in SONAR (Symantec Online Network for Advanced Response) definitions. Once the cause was identified, the signature was removed from the definition set and an updated set was released on July 12. No new issues have been reported since, according to the company.

"The root cause of the issue was an incompatibility due to a three-way interaction between software that implements a file system driver using kernel stack-based file objects," Symantec explained in a blog post. "The three-way interaction is between the software that implements a file system driver (using kernel stack-based file objects), the SONAR signature and the Windows XP Cache manager. The SONAR signature update caused new file operations that create the conflict and led to the system crash."

The blue screen of death describes what happens when a flaw causes Windows to crash: the computer locks up and displays a blue screen with some diagnostic data, forcing the user to reboot and often losing any unsaved data in the applications that were open when the crash occurred. The blue screen of death was much more prevalent in earlier versions of Windows, including XP, where it could be caused by a wide range of application and memory conflicts. The latest versions of Windows are generally more stable.

In this case it appears the blue screen of death was triggered due to interactions with several products, such as PGP Whole Disk Encryption, Sophos LanCrypt, SlySoft Virtual Clone Drive and Novell ZenWorks. The problem was isolated to certain Windows XP machines with file system drivers running Symantec Endpoint Protection Small Business Edition (SEP SBE) 12.1, Symantec Endpoint Protection (SEP) 12.1, Symantec Endpoint ( Mac customers and users of Symantec Endpoint Protection 11 were not impacted.

The incident caused a bit of an uproar among some of the company's customers, with several posting comments to a Symantec blog posted after the issue's discovery. A technology manager with Dutch company PSO Beheer BV told Reuters that the situation impacted some 150 PCs and forced the company to close a laboratory with equipment running Windows XP. Workers were sent home so they could access the network remotely, the manager, Ron van den Broek, told a reporter.

"It did have quite an impact on our business," he said last week. "My first impression is Symantec is downplaying the effects of this issue."

In response to the incident, Symantec detailed its assurance process for SONAR updates, which includes false positive and compatibility testing.

"The compatibility-testing part of the quality-assurance process for SONAR signatures missed catching this compatibility issue," noted Orla Cox of Symantec Security Response. "It is this part of our process that we will be improving to avoid future issues. We are currently restructuring our testing process to improve compatibility testing and will not be releasing new SONAR signatures until this new process is in place."

Editor's Note: This story was updated to clarify the description of the blue screen of death.