View Full Version : Symantec false positive causes nightmare in China


ink
May 18th, 2007, 09:35 AM
Today's definition caused the XP Simplified Chinese version files netapi32.dll and lsasrv.dll to be quarantined. It was due to Microsoft patch MS06-070 and the Symantec definition file. This left millions of computers unable to boot anymore; some finance and IT sectors went into total disaster.

ink
May 18th, 2007, 09:44 AM
Millions of users and corporations rushed to get help from Kaspersky, Rising, Kingsoft etc. I don't think Symantec China is just marketing; they have many technical guys who add to the definition file. How could this happen? I doubt the quality of the definition; it was of course not tested on the XP Chinese version.

ink
May 18th, 2007, 09:50 AM
http://img1.qq.com/tech/pics/4038/4038284.jpg

This is the picture. I think this is the worst damage by an antivirus in history.

dawgg
May 18th, 2007, 10:04 AM
sh@ happens i suppose... all AVs have some FPs

ink
May 18th, 2007, 10:12 AM
But this time it matters because:
1. The system can't boot, so it is not easy to roll back the definition or add an exclusion; the only way is a boot CD or Ghost.
2. This false positive means the definition quality is not trustworthy, since for sure it was not tested under XP by Symantec China. Every antivirus company should take care about its test procedure, especially those that claim to be the biggest, most reliable, etc.

Maysky
May 18th, 2007, 10:22 AM
I guess someone "forgot" to do their job. Is it strictly Norton 360 or all Symantec AVs? Norton 360 is more of a home user product; why would finance and IT use it?

--

ink
May 18th, 2007, 10:32 AM
I think you don't know that all Symantec products use the same definition file.
All the main news channels in China have reported this since 6 in the morning (ECT +8), but Symantec keeps silent; they are trying to release a rapid definition, maybe not necessary.

NAMOR
May 18th, 2007, 12:36 PM
Can anyone find a news article about this? I would like to read more about it.

Technodrome
May 18th, 2007, 01:38 PM
{QUOTE-> Millions of users and corporation rush to get help from kaspersky, rising, kingsoft etc. <-QUOTE}
?

Shouldn't they be looking for help from Symantec?:dry: It could happen to any security firm.



tD

HiTech_boy
May 18th, 2007, 01:56 PM
{QUOTE-> Shouldn't they be looking for help from Symantec?:dry: It could happen to any security firm.
<-QUOTE}

You are very right, TD, but I am sure the OP is desperate. He/she is seeking some kind of fast help because, you know, it is difficult to deal with such a big company as Symantec.

De Hollander
May 18th, 2007, 03:49 PM
rapid definition release or not...the damage is done.

ink
May 18th, 2007, 08:51 PM
{QUOTE-> ?

Shouldn't they be looking for help from Symantec?:dry: It could happen to any security firm.



tD <-QUOTE}

Of course it is, but at first users thought it was a virus infection and Norton couldn't deal with it, and so many people asked for help that Rising's call system was overloaded and hard to get through to.

shek
May 18th, 2007, 09:02 PM
{QUOTE-> sh@ happens i suppose... all AVs have some FPs <-QUOTE}

But this case is a little bit different, because those two files are critical system files. I think files belonging to the OS should have the highest priority in the QA test before a definition can be released.

FYI, netapi32.dll is a module that contains the Windows NET API used by applications to access a Microsoft network. And lsasrv.dll is an important security DLL which decrypts all local password hashing schemes on the computer.

ink
May 18th, 2007, 09:02 PM
Symantec has officially confirmed this problem, and said that if people have not restarted yet, they can use the 20070517.071 definition released at 14:30 (ETC +8). I can't find any link on their website to apologize. I think users may take legal action; this is not the kind of thing specified in the end user agreement, and it was evidence of not taking proper action.

shek
May 18th, 2007, 09:24 PM
{QUOTE-> Can anyone find a news article about this? I would like to read more about it. <-QUOTE}

http://www.cisrt.org/enblog/read.php?100

ink
May 18th, 2007, 09:26 PM
I found Rising has raised its alarm to red; this is the highest alarm this year.
Fortunately our company is using Trend, but our vendor is not so lucky; I had to delay the serial number upload. Home users found their computers couldn't be used anymore at the beginning of the day.

Perman
May 18th, 2007, 09:39 PM
Hi, folks: why would that ill-fated Symantec F.P. only render the WinXP Simplified Chinese version useless and not all the others? To the best of my knowledge, the majority of PC users can buy their boxes naked (without any O/S preinstalled) from China's vendors (this may have changed recently due to pressure from Microsoft). Therefore, I would assume a good portion of WinXP copies may not be so authentic, including some business entities. Let alone initiating a lawsuit with firm footing. Good luck to them.

bigc73542
May 18th, 2007, 09:50 PM
This time it was Symantec, but all of the rest of the AV community have released bad definitions in the past, and they probably will in the future. That is just part of the business of having to pump out the protection definitions as fast as they do, trying to keep up with the malware writers. Personally I am just glad there aren't more incidents like this one. But you can be assured that another AV company will pump out a bad definition in the near future. This is not an isolated incident.

shek
May 18th, 2007, 10:06 PM
{QUOTE-> This time it was Symantec, but all of the rest of the AV community have released bad definitions in the past, and they probably will in the future. That is just part of the business of having to pump out the protection definitions as fast as they do, trying to keep up with the malware writers. Personally I am just glad there aren't more incidents like this one. But you can be assured that another AV company will pump out a bad definition in the near future. This is not an isolated incident. <-QUOTE}

I know it could happen to any vendor. However, what makes this case so different is the consequence. After Symantec/Norton antivirus quarantines the FP, XP could not be loaded after a reboot. It's a nightmare for average Joes. Anyway, I am not bashing Symantec. I just hope security vendors could implement their QA tests more carefully and comprehensively.

ink
May 18th, 2007, 10:13 PM
{QUOTE-> This time it was Symantec, but all of the rest of the AV community have released bad definitions in the past, and they probably will in the future. That is just part of the business of having to pump out the protection definitions as fast as they do, trying to keep up with the malware writers. Personally I am just glad there aren't more incidents like this one. But you can be assured that another AV company will pump out a bad definition in the near future. This is not an isolated incident. <-QUOTE}

Please make comments like never having used Norton before. Of course this is an isolated incident. This kind of detection of critical system files never happened before, and will not happen at any company that did a test, whatever test.

ink
May 18th, 2007, 10:23 PM
{QUOTE-> Hi, folks: why would that ill-fated Symantec F.P. only render the WinXP Simplified Chinese version useless and not all the others? To the best of my knowledge, the majority of PC users can buy their boxes naked (without any O/S preinstalled) from China's vendors (this may have changed recently due to pressure from Microsoft). Therefore, I would assume a good portion of WinXP copies may not be so authentic, including some business entities. Let alone initiating a lawsuit with firm footing. Good luck to them. <-QUOTE}

Taking legal action in China is not as easy as in western countries; people usually show their anger and reinstall their system. Newly sold brand PCs or notebooks nearly all come with XP preinstalled, and it is much cheaper now, but it is still 10% of my income per month (it used to be 50%). I think these big companies know Chinese don't like the court, so they are so haughty.

bigc73542
May 18th, 2007, 10:38 PM
{QUOTE-> Please make comments like never having used Norton before. Of course this is an isolated incident. This kind of detection of critical system files never happened before, and will not happen at any company that did a test, whatever test. <-QUOTE}


Symantec is not the first to detect system files; I had Kaspersky delete several system files on my computer due to bad defs, causing me to do a full reformat and restore. And yes, I have used Norton for years and never had it do what it did in China. :(

Perman
May 18th, 2007, 10:48 PM
Hi, folks: if this kind of misfortune is inevitable among all AV vendors, then I would take this vaccine sooner rather than later. After this incident, I firmly believe Symantec will certainly implement a double safety mechanism to safeguard their reputation. Symantec users may in fact have a very good chance of enjoying trouble-free days and years. But who is next? Please take a number. ;)

Firecat
May 18th, 2007, 11:14 PM
{QUOTE-> Hi, folks: if this kind of misfortune is inevitable among all AV vendors, then I would take this vaccine sooner rather than later. After this incident, I firmly believe Symantec will certainly implement a double safety mechanism to safeguard their reputation. Symantec users may in fact have a very good chance of enjoying trouble-free days and years. But who is next? Please take a number. ;) <-QUOTE}
You mean like McAfee? I hope this does not translate into a loss in detection rates....

Anyway, yes, this can happen to all the AVs; why, just recently (yesterday in fact :)) ArcaVir flagged a driver in my system32 folder as riskware. Luckily it didn't delete it, so I was able to send it for analysis ;D

I guess a problem for a company as big as Symantec is that they probably need to test the definition on a large number of products and sometimes also in different regional versions to check if there is an incompatibility. Since Norton 360 only supports XP and Vista anyway, I guess the researcher decided to test it on Vista and assumed it would work on XP. But hey, since I don't know anything, this could very well be false.

As such, Symantec has been known to always check all their definitions for FPs; they have some of the lowest FP rates in the world. So, if this happens with Symantec today, there's every chance it could happen in a more severe form with another AV. :)

coolbluewater
May 19th, 2007, 12:39 AM
Kinda makes you wonder if the person who released the definition file at Symantec had a bad lunch special that day ;D

ink
May 19th, 2007, 03:17 AM
Lowest FP rate? According to the AV-Comparatives test? Have you ever used Symantec Corporate Edition before? They offer rapid definitions for corporations, so FPs happen much more often than with the daily release, and I also noticed some in the sample test.
Symantec even warned network managers of an outbreak of Backdoor/Haxdoor; in fact it was an FP. After this incident, all their available contact phones are busy.

Yes, we can find FPs in every product, but why does nobody blame them? Did I forget to mention the damage?

{QUOTE-> probably need to test the definition on a large number of products and sometimes also in different regional versions to check if there is incompatibility. <-QUOTE}

Probably? Yes, Symantec says it will probably work; you can try at your own risk.

{QUOTE-> Symantec users may in fact have a very good chance enjoying trouble free days and years. <-QUOTE}

Hope so. But stop cheering before easing the pain.

{QUOTE-> And yes I have used Norton for years and never had it do what it did in China. <-QUOTE}

I wish you luck. Maybe we are not so lucky using Symantec.

i_g
May 19th, 2007, 05:01 AM
{QUOTE-> But this case is a little bit different, because those two files are critical system files. I think files belonging to the OS should have the highest priority in the QA test before a definition can be released. <-QUOTE}
Well, take the number of important system files. Now multiply it by the number of Windows language versions (OK, not all files are language-dependent, but many are, at least in XP). Now multiply it by the number of possible builds (Windows versions, service packs, and also consider all the hotfixes released every month)...
It's pretty easy to miss some and have an FP on it.
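One way to turn shek's point (test definitions against OS files first) and i_g's point (files × language versions × builds) into a pre-release check, as an added example that is not part of this thread and not any vendor's actual process; the file contents, localized strings, build blobs and signatures are all constructed stand-ins:

```python
"""
Pre-release false-positive gate (illustration only, not a vendor's real process).
A candidate byte signature is scanned over a constructed "known-good" corpus of
OS files that varies by file, language version and hotfix level; the signature
is refused if it matches any clean file. The point is the combinatorial corpus:
missing one language/hotfix cell is how a clean system DLL gets quarantined.
"""
import hashlib
import itertools
from dataclasses import dataclass

# Constructed localized resource strings. Real binaries differ per language in
# their string tables, so a careless signature can land on language-specific bytes.
LOCALIZED = {
    "en-US": b"Network API\x00",
    "zh-CN": "网络 API\x00".encode("utf-8"),
    "ja-JP": "ネットワーク API\x00".encode("utf-8"),
}

# Constructed build-dependent code blobs standing in for a service pack / hotfix.
BUILDS = {
    "SP2": b"\x8b\xff\x55\x8b\xec\x83\xec\x10",
    "SP2+MS06-070": b"\x8b\xff\x55\x8b\xec\x33\xc0\x90",
}

# Files whose quarantine would leave the system unbootable: top QA priority.
CRITICAL_FILES = ("netapi32.dll", "lsasrv.dll", "kernel32.dll")


@dataclass(frozen=True)
class Sample:
    name: str
    language: str
    build: str
    data: bytes

    @property
    def sha256(self) -> str:
        """Hash of the clean file, as a known-good allowlist would store it."""
        return hashlib.sha256(self.data).hexdigest()


def make_variant(name: str, language: str, build: str) -> Sample:
    """Constructed file contents: header, file name, localized string, build blob."""
    data = b"MZ" + name.encode() + b"\x00" + LOCALIZED[language] + BUILDS[build]
    return Sample(name, language, build, data)


def known_good_corpus() -> list:
    """Every (file, language, build) combination, i.e. the cells that are easy to miss."""
    return [make_variant(n, lang, b)
            for n, lang, b in itertools.product(CRITICAL_FILES, LOCALIZED, BUILDS)]


def gate_release(signature: bytes, corpus) -> dict:
    """Release decision plus the clean files the signature would have flagged."""
    hits = [s for s in corpus if signature in s.data]
    return {
        "release": not hits,
        "hits": sorted((s.name, s.language, s.build) for s in hits),
    }


# By construction this signature overlaps the Simplified Chinese string table and
# the MS06-070-level code blob: it is clean on en-US/ja-JP and on unpatched SP2,
# so a test matrix missing the zh-CN + hotfix cell would never see the problem.
BAD_SIGNATURE = "络 API\x00".encode("utf-8") + BUILDS["SP2+MS06-070"][:6]
# A signature built from a (constructed) malware-only string; no clean file has it.
GOOD_SIGNATURE = b"\xde\xad\xbe\xefshell_cmd\x00"

if __name__ == "__main__":
    corpus = known_good_corpus()
    for label, sig in (("bad", BAD_SIGNATURE), ("good", GOOD_SIGNATURE)):
        print(label, gate_release(sig, corpus))
```

Running it shows the bad signature blocked with three zh-CN, MS06-070-level hits (netapi32.dll, lsasrv.dll and kernel32.dll) while the good one is released; dropping "zh-CN" or "SP2+MS06-070" from the tables lets the bad signature through, which is the gap i_g describes.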

Firecat
May 19th, 2007, 05:11 AM
{QUOTE->
Probably? Yes, Symantec says it will probably work; you can try at your own risk. <-QUOTE}

You could put forward that argument, but in most cases the license agreement for most AVs in general says that the company will not be held responsible for any accidental damage caused by using the product by means of an occasional problem. Remember that there is no express warranty certified for AVs or software in general, so by agreeing to that license agreement people are taking that risk.

The companies do their best to avoid false positives, of course, but if something happens, there is little chance any company can or will be taken to court about it. In the end, I guess it's all about trust, and sometimes people must learn to live with it, since nothing is perfect and everyone has made mistakes at some point in their life. :)

ink
May 19th, 2007, 06:15 AM
Official claim from Symantec
http://www.symantec.com/zh/cn/enterprise/theme.jsp?themeid=important_information

According to their explanation, this FP was due to an automatic process that has been used for a while to combat new threats. A third-party add-in changed recently, so this automatic process caused this accident. They said the problem has been resolved and they have taken proper action to avoid further such incidents.

It seems that they mean SONAR; the FP rate is less than 0.004%, I can't remember the exact rate.

Tony
May 19th, 2007, 06:58 AM
Symantec says it's the home users' own fault for not having bought Norton Ghost ;D ::)

ethan_arends
May 19th, 2007, 07:31 AM
I say more... it's the home users' fault because they turned on their computers that day :P

Firecat
May 19th, 2007, 07:45 AM
{QUOTE-> I say more... it's the home users' fault because they turned on their computers that day :P <-QUOTE}
It's Microsoft's fault for creating a Chinese version of Windows that triggered this FP. It's also the virus writers' fault that all this had to happen. Not to mention the people who decided to use the Chinese version of Windows instead of the tried and tested English version. :P

;D ;D

NAMOR
May 19th, 2007, 07:54 AM
{QUOTE-> This time it was Symantec, but all of the rest of the AV community have released bad definitions in the past, and they probably will in the future. That is just part of the business of having to pump out the protection definitions as fast as they do, trying to keep up with the malware writers. Personally I am just glad there aren't more incidents like this one. But you can be assured that another AV company will pump out a bad definition in the near future. This is not an isolated incident. <-QUOTE}



Like this incident from Trend Micro in the past?

{QUOTE->
2.594.00 is not the magic number

Trend Micro forced to apologise to customers for faulty update file.

A red-faced Trend Micro has apologised to its customers for the release of a faulty update file that caused chaos for thousands of computer users worldwide.

Official Pattern Release 2.594.00, released in the morning of Saturday 23 April (Japanese time), caused 100% CPU usage, system slow down, and in some cases complete system failure on machines running Windows XP SP 2 and Windows 2003 Server.

Although Trend staff removed the file from the Active Update list just 90 minutes later, the company estimated that it had already been downloaded between 300,000 and 350,000 times and support staff are reported to have received in the region of 370,000 calls about the problem. The fault was blamed on insufficient testing of the pattern file in the rush to add detection of the Rbot family of worms.

To add to its woes, Trend’s share price took a knock, falling 4.7 per cent, and it is expected that the incident will have an adverse effect on the company’s second quarter results.

23 April 2005
<-QUOTE}

http://www.virusbtn.com/news/virus_news/2005/04_23.xml

midway40
May 19th, 2007, 09:43 AM
I remember this deal about Trend Micro as I was using it at the time. That was the only time I was glad I was on dial-up or I would have gotten that bad pattern, too. By the time I got online that evening the corrected pattern was uploaded.

De Hollander
May 19th, 2007, 02:50 PM
{QUOTE-> It's Microsoft's fault for creating a Chinese version of Windows that triggered this FP. It's also the virus writers' fault that all this had to happen. Not to mention the people who decided to use the Chinese version of Windows instead of the tried and tested English version. :P

;D ;D <-QUOTE}

:P ;D Perhaps this was a conspiracy to shutdown illegal versions;D:P

Just kidding ;D ;)

Lion
May 20th, 2007, 02:49 AM
{QUOTE-> It's Microsoft's fault for creating a Chinese version of Windows that triggered this FP. It's also the virus writers' fault that all this had to happen. Not to mention the people who decided to use the Chinese version of Windows instead of the tried and tested English version. :P

;D ;D <-QUOTE}
Yes. It's Microsoft's fault. The world uses the English version of Windows. :)

apm
May 20th, 2007, 11:17 PM
{QUOTE-> Taking legal action in China is not as easy as in western countries; people usually show their anger and reinstall their system. Newly sold brand PCs or notebooks nearly all come with XP preinstalled, and it is much cheaper now, but it is still 10% of my income per month (it used to be 50%). I think these big companies know Chinese don't like the court, so they are so haughty. <-QUOTE}

You're right; in China it is not easy to take legal action, and furthermore it is Symantec, not a local firm. Users, even big firms, can only drink the sour milk, I think.

apm
May 20th, 2007, 11:21 PM
{QUOTE-> Lowest FP rate? According to the AV-Comparatives test? Have you ever used Symantec Corporate Edition before? They offer rapid definitions for corporations, so FPs happen much more often than with the daily release, and I also noticed some in the sample test.
Symantec even warned network managers of an outbreak of Backdoor/Haxdoor; in fact it was an FP. After this incident, all their available contact phones are busy.

Yes, we can find FPs in every product, but why does nobody blame them? Did I forget to mention the damage?

Probably? Yes, Symantec says it will probably work; you can try at your own risk.

Hope so. But stop cheering before easing the pain.

I wish you luck. Maybe we are not so lucky using Symantec. <-QUOTE}

It seems that the 2 big firms are the likely ones to have disastrous FPs, going by history. Last time it was McAfee, this time Symantec.

Zombini
May 21st, 2007, 02:08 AM
I wonder what would happen if Symantec had the same higher level of FPs as others like Kaspersky, NOD32 etc.; they'd be out of business. These smaller guys can afford to release signatures quickly without proper testing because they don't have a large customer base. Even with all Symantec's testing it still managed to let an FP slip. Small guys, pay attention.

De Hollander
May 21st, 2007, 02:11 AM
I think every AV.
Yesterday evening, Dutch Avira users got a false positive about TR/Patched.M.1 and winlogon.exe. The latest update solved the problem.. ;D

http://forum.antivir.de/thread.php?threadid=22392&threadview=0&hilight=&hilightuser=0&page=1

Huupi
May 21st, 2007, 04:37 AM
I know it's easy talk for me, and I almost feel the pain and sorrow from over there, but armed with instant recovery software like BootBack and the like you can avoid these traps!!

coolbluewater
May 21st, 2007, 10:50 AM
Hasn't Symantec already issued an update? Have the complainers read the EULA?
This thread has worn out its usefulness. :thumbd:

midway40
May 21st, 2007, 01:45 PM
Neowin finally picked up this story (from Infoworld):

http://www.neowin.net/index.php?act=view&id=40429

I see already by the comments the Norton bashers will have a field day with it.

ink
May 22nd, 2007, 10:03 AM
{QUOTE-> Hasn't Symantec already issued an update? Have the complainers read the EULA?
This thread has worn out its usefulness. :thumbd: <-QUOTE}

It seems that you are asking if Symantec is still breathing. If you have a little knowledge about the principles of the law, you will realize that there are some liabilities that cannot be exempted in an EULA, not to mention that if the company is going to keep doing its business, it should keep its reputation.
Those who only care about themselves and do not take a lesson from this kind of incident will not get a reply anymore.

coolbluewater
May 22nd, 2007, 10:22 AM
By installing the Symantec software, you agree to the EULA.
Is there something I'm missing here?
Not to sound condescending, but performing regular backups/images and validating them as well as the restore procedure should be a part of every Windows user's regimen.
Even Microsoft has been advising this from the beginning.

Maysky
May 22nd, 2007, 11:48 AM
{QUOTE->
Is there something I'm missing here?
<-QUOTE}

How about common sense?

Symantec dropped the ball on this, is that hard to understand?

Yes, you properly backup, good for you - but not everyone has the skill/habit/knowledge for painless recovery.


--

midway40
May 22nd, 2007, 11:48 AM
I believe this clause in the EULA covers this:

{QUOTE-> ...Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free... <-QUOTE}

Symantec EULA (http://www.symantec.com/home_homeoffice/media/eula/cpd.glbl.eula.template.drm.npm.pdf)

midway40
May 22nd, 2007, 11:57 AM
Another part to note:

{QUOTE-> ...IN NO EVENT WILL SYMANTEC OR ITS LICENSORS BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES... <-QUOTE}

I think all companies pretty much follow this.

coolbluewater
May 22nd, 2007, 12:39 PM
Unless of course, the installer of the software uses a pirated/cracked version, which probably doesn't include the EULA... and gee, that *never* happens, right? ::)

ink
May 22nd, 2007, 08:37 PM
Hi, guys, the principles of the law will not protect those who have some explicit fault, even if it is in the contract. The exemption from duty is there to protect against the little mistakes that sometimes happen; customers not buying the product anymore is the most powerful punishment. Someone suggesting to let them do any harm because you have a backup is naive enough. I am sorry if I pushed you to the edge and made you feel abashed, only to smear the user as illicit.

coolbluewater
May 22nd, 2007, 09:59 PM
I don't think anyone responding to the OP is being "pushed to the edge".
On the contrary.
It's no secret that piracy runs rampant in many countries; U.S., China, etc... a Google search will turn up many credible sources. Out of those pirated copies of Symantec software and Windows, I'm wondering if the following scenario would hold true: " Hey! I have a BSOD! It's Symantec's fault! Has anyone seen that pirated Windows OS disc to re-install those .dll's? Oh wait.. that disc has the old updater and Windows updates will check for that... anyone seen that cracked WGA disc? I hope *that* works...."
Was Symantec at fault? Probably. Is Symantec perfect? Not at all, and no software company, or anything for that matter in the human realm is. I'm not defending Symantec; far from it. There was a time when I was only a Windows user and also used to rely on Norton Anti-Virus for security. Those days for me are long gone, and I'm sure I'm not the only one. To those users using legitimate copies of software who were affected, I empathize. But anyone installing software with a EULA also knows there's always an inherent risk.
This could very well be a "wake-up call" for Chinese authorities to re-evaluate a certain dependency of having Western security apps running on a Western OS. Perhaps this incident could start a ground-swell movement in China towards Linux, or Open Source in general as a result of a certain broken trust level in Symantec and/or Windows. Who knows? Anything's possible.
Personally, I use Linux and BSD 95% of the time. My use for Windows is for gaming, and that box doesn't get connected to the Internet except for testing purposes. YMMV.

ink
May 23rd, 2007, 09:55 AM
Private copies of Windows are mainly the corporate version or modified by nLite, with no need to activate, together with Symantec AntiVirus with no license or Norton AntiVirus with phone activation. I have to say that in quality they are to some extent better than the paid ones. The only problem for restoring is using the console, which few people know how to use regardless of whether they paid or not.

ink
May 23rd, 2007, 10:29 AM
Some more news from Symantec: this afternoon, Symantec China held a media conference to explain this incident; it is in Chinese. http://www.cnbeta.com/articles/27043.htm Also today Symantec announced that it will set up a Symantec Security Response Center in China.

acr1965
May 27th, 2007, 04:02 AM
{QUOTE-> I wonder what would happen if Symantec had the same higher level of FPs as others like Kaspersky, NOD32 etc.; they'd be out of business. These smaller guys can afford to release signatures quickly without proper testing because they don't have a large customer base. Even with all Symantec's testing it still managed to let an FP slip. Small guys, pay attention. <-QUOTE}

Not sure I agree with this. Having a false positive is relative no matter the size of the customer base. For example, it shouldn't make much difference if an FP affects 10% of the customer base of Symantec or 10% of KAV or NOD. It's still 10% that will be unhappy with a product.

What probably makes more difference is that Symantec's target market is different than that of NOD32 or KAV. Symantec's personal editions seem to try to make pretty much all the decisions for the customer, whereas KAV and NOD have some user decision making/interaction needed. Because user decision is sometimes needed (and expected by the user), an FP is not usually as big an issue with a KAV or NOD user as it is with a Symantec user. Either way, the customer will not be happy. But an FP with Symantec can lead to more disastrous results.

For me, I would be more upset with an AV not detecting a virus than getting an occasional false positive. I have seen many people switch products because their AV missed a virus. But an occasional FP, especially with KAV or NOD, is not that big of a deal. Especially NOD, where you find out about an FP here on this web site pretty quickly.

bearhead001
May 28th, 2007, 12:37 PM
It is not fair.
Why did it happen to the XP Simplified Chinese version?
But luckily, I am not using Norton; I am using 小红伞 (AntiVir PersonalEdition Classic)~~~~

HiTech_boy
June 3rd, 2007, 04:49 AM
Symantec sued for false positive

http://www.virusbtn.com/news/virus_news/2007/06_01.xml
http://news.xinhuanet.com/english/2007-05/29/content_6170096.htm

dawgg
June 3rd, 2007, 01:25 PM
I'm not too good at law, but am just wondering...
does this mean they are attempting to sue and claim compensation,
or
have they successfully sued and claimed compensation?