Symantec false positive cause nightmare to China

Discussion in 'other anti-virus software' started by ink, May 18, 2007.

Thread Status:
Not open for further replies.
  1. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Today's definition caused the XP Simplified Chinese version files netapi32.dll and lsasrv.dll to be quarantined. It was due to Microsoft patch MS06-070 and the Symantec definition file. This means millions of computers can't boot anymore; some of the finance and IT sector went into total disaster.
     
  2. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Re: Symantec false positive cause nightmare to China

    Millions of users and corporations rushed to get help from Kaspersky, Rising, Kingsoft etc. I don't think Symantec China is just marketing; there are many technical guys who add definition files. How could this happen? I doubt the quality of the definition; it was of course not tested on the XP Chinese version.
     
  3. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
  4. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Re: Symantec false positive cause nightmare to China

    sh@ happens I suppose... all AVs have some FPs
     
  5. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Re: Symantec false positive cause nightmare to China

    But this time it matters because:
    1. The system can't boot, so it is not easy to roll back the definition or add an exclusion; the only way is to use a boot CD or Ghost.
    2. This false positive means the definition quality is not trustworthy, for it was not tested under XP by Symantec China for sure. Every antivirus company should take care with its test procedure, especially those that claim to be the biggest, most reliable etc.
     
  6. Maysky

    Maysky Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    11
    Re: Symantec false positive cause nightmare to China

    I guess someone "forgot" to do their jobs. Is it strictly Norton 360 or all Symantec AVs? Norton 360 is more of a home user product, why would finance and IT use it?

    --
     
  7. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Re: Symantec false positive cause nightmare to China

    I think you don't know that all the Symantec products use the same definition file.
    All the main news channels in China have reported this since 6 in the morning ECT +8, but Symantec keeps silent; they are trying to release a rapid definition, maybe not necessary.
     
  8. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    Re: Symantec false positive cause nightmare to China

    Can anyone find a news article about this? I would like to read more about it.
     
  9. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Re: Symantec false positive cause nightmare to China

    ?

    Shouldn't they be looking for help from Symantec?:cautious: It could happen to any security firm.



    tD
     
  10. ASpace

    ASpace Guest

    Re: Symantec false positive cause nightmare to China

    You are very right, TD, but I am sure the OP is desperate. He/She is seeking some kind of fast help because, you know, it is difficult to deal with such a big company like Symantec.
     
  11. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    Re: Symantec false positive cause nightmare to China

    rapid definition release or not...the damage is done.
     
  12. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Re: Symantec false positive cause nightmare to China

    Of course it is, but at first users thought that it was a virus infection and that Norton couldn't deal with it, and so many people asked for help that Rising's call system is overloaded and hard to call in to.
     
  13. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    Re: Symantec false positive cause nightmare to China

    But this case is a little bit different, because those two files are critical system files. I think files belonging to OS should have highest priority to take the QA test before definition could be released.

    FYI, netapi32.dll is a module that contains the Windows NET API used by applications to access a Microsoft network. And lsasrv.dll is an important security DLL which decrypts all local password hashing schemes on the computer.
     
    Last edited: May 18, 2007
  14. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Re: Symantec false positive cause nightmare to China

    Symantec has officially confirmed this problem, and said that if people have not restarted yet, they can use the 20070517.071 released at 14:30 (ETC +8). I can't find any link on their website to apologize. I think users may take legal action to prosecute; this is not the kind of thing specified in the end user agreement, it is evidence of not taking proper action.
     
  15. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    Re: Symantec false positive cause nightmare to China

    http://www.cisrt.org/enblog/read.php?100
     
  16. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Re: Symantec false positive cause nightmare to China

    I found Rising has raised their alarm to red; this is the highest alarm this year.
    Fortunately our company is using Trend, but our vendor is not so lucky; I had to delay the serial number upload. Home users found they couldn't use their computers any more at the beginning of the day.
     
  17. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Re: Symantec false positive cause nightmare to China

    Hi, folks: why would that ill-fated Symantec F.P. only render the WinXP Simplified Chinese version useless and not all the others? To the best of my knowledge, the majority of PC users can buy their boxes naked (without any O/S preinstalled) from China's vendors (this may have changed recently due to pressure from Microsoft). Therefore, I would assume a good portion of WinXP copies may not be so authentic, including some business identities. Let alone initiating a lawsuit with firm footing. Good luck to them.
     
  18. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Re: Symantec false positive cause nightmare to China

    This time it was Symantec, but all of the rest of the AV community have released bad definitions in the past, and they probably will in the future. That is just part of the business of having to pump out the protection definitions as fast as they do trying to keep up with the malware writers. Personally I am just glad there aren't more incidents like this one. But you can be assured that another AV company will pump out a bad definition in the near future. This is not an isolated incident.
     
  19. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    Re: Symantec false positive cause nightmare to China

    I know it could happen to any vendor. However, what makes this case so different is the consequence. After Symantec/Norton antivirus quarantines the FP, XP could not be loaded following a reboot. It's a nightmare for average Joes. Anyway, I am not bashing Symantec. I just hope security vendors could implement their QA tests more carefully and comprehensively.
     
  20. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Re: Symantec false positive cause nightmare to China

    Please make comments like never using Norton before. Of course this is an isolated incident. This kind of detection of critical system files never happened before and will not happen at any company if it did a test, whatever test.
     
  21. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Re: Symantec false positive cause nightmare to China

    Taking legal action in China is not as easy as in western countries; people usually show their anger and reinstall their system. Newly sold brand PCs or notebooks nearly all have XP preinstalled; it is much cheaper now, but it is still 10% of my income per month (used to be 50%). I think these big companies know Chinese don't like the court, so they are so haughty.
     
  22. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Re: Symantec false positive cause nightmare to China


    Symantec is not the first to detect system files, I had Kaspersky delete several System files on my comp due to bad defs causing me to do a full reformat and restore. And yes I have used Norton for years and never had it do what it did in China.:(
     
  23. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Re: Symantec false positive cause nightmare to China

    Hi, folks: if this kind of misfortune is inevitable among all AV vendors, then I would take this vaccine sooner rather than later. After this incident, I firmly believe Symantec will certainly implement a double safety mechanism to safeguard their reputation. Symantec users may in fact have a very good chance enjoying trouble free days and years. But who is next ? Please take a number. ;)
     
  24. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Re: Symantec false positive cause nightmare to China

    You mean like McAfee? I hope this does not translate into a loss in detection rates....

    Anyway, yes this can happen for all the AVs, why, just recently (yesterday in fact :)) ArcaVir flagged a driver in my system32 folder as riskware. Luckily it didn't delete it, so I was able to send it for analysis :D

    I guess a problem for a company as big as Symantec is that they probably need to test the definition on a large number of products and sometimes also in different regional versions to check if there is incompatibility. Since Norton 360 only supports XP and Vista anyway I guess the researcher decided to test it on Vista and assumed it would work on XP. But hey, since I don't know anything this could very well be false.

    As such Symantec has been known to always check all their definitions for FPs, they have some of the lowest FP rates in the world. So, if this happens with Symantec today, there's every chance it could happen in a more severe form with another AV. :)
     
  25. coolbluewater

    coolbluewater Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    268
    Location:
    next door to Redmond
    Re: Symantec false positive cause nightmare to China

    Kinda makes you wonder if the person who released the definition file at Symantec had a bad lunch special that day :D
     