Symantec “Proactive Threat Protection” BSOD

The Microsoft CEO preferred to call it the blue...of opportunity

I was asked by a reporter to comment on this issue so here are my comments.

There used to be a joke in security circles that the only way to secure Microsoft software was to pull the cables out of the back of a computer.

That was the first thing that came to mind when I read that “Proactive Threat Protection” software was the cause of a new rash of Blue Screen of Death (BSOD) in Windows XP. Nothing hurts the case for security like an outage caused by security.

The second thing that came to mind is related to the points I recently made about Windows XP file system decay. The fact that Microsoft is not maintaining the XP file system (NTFS) in the same manner as their newer OS might be the key to this issue. I could see how it might catch Symantec off-guard.

Details are still emerging but the official Symantec statement is in an article titled SEP 12.1 Win XP Users Experiencing Blue Screen when running Proactive Threat Protection Definitions July 11th 2012 rev 11.

In short, their Endpoint product released an update that was incompatible with other software trying to access the XP file system (including Symantec’s own PGP). There now should be low to no risk of a problem because the cause was isolated and removed from the update flow. The replacement update proved that it was fixed.

This incident may prompt some users to consider other vendors, yet Symantec is not the first anti-virus company to release an update that causes a major outage. I can think of at least two major international incidents related to bad updates by other large and well-known vendors. Some may also consider dumping proactive threat protection, but that’s a whole other post…

The problem affected numerous other products so it seems that this flaw was common enough to have been caught in QA, assuming they are testing for compatibility with the divergence between Windows 7 and Windows XP. Symantec needs to take a serious look at why PGP was in the list of affected systems, for example. Does Symantec even use in-house their Endpoint product with their PGP product on Windows XP?

Since the fix was to remove the bad update and replace it with one that is able to work with the other products it’s clear Symantec was at fault. Here is how they said it, three times over:

The compatibility testing part of the quality assurance process for SONAR signatures missed catching this compatibility issue. It is this part of our process that we will be improving to avoid future issues. We are currently restructuring our testing process to improve compatibility testing and will not be releasing new SONAR signatures until this new process is in place.

In other words, their proactive threat protection soon will protect you from them, which isn’t a bad thing to say. It also should be said they responded quickly with a fix.

One thought on “Symantec “Proactive Threat Protection” BSOD”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.