See http://www.symantec.com/business/support/index?page=content&id=TECH192811 for further details on this issue.
After a full evaluation and root cause analysis of the issue, we have determined that the issue was limited to machines running a combination of Windows XP, the latest version of the SONAR technology, the July 11th rev11 SONAR signature set, and certain third party software. Only customers running this combination of technologies and who downloaded the July 11th rev11 SONAR signature set via LiveUpdate between 6:25PM PT and 2:51AM PT on July 12th were affected.
The root cause of the issue was an incompatibility due to a three way interaction between some third party software that implements a file system driver using kernel stack based file objects – typical of encryption drivers, the SONAR signature and the Windows XP Cache manager. The SONAR signature update caused new file operations that create the conflict and led to the system crash.
Symantec understands the consequences of this type of issue to our customers and goes to great length to prevent them. The quality assurance process for SONAR signatures is extensive. The process includes:
- Peer review and vetting of all signatures
- True positive testing
- False positive testing
- Functional testing of all signature content
- Compatibility testing
The compatibility testing part of the quality assurance process for SONAR signatures missed catching this compatibility issue. It is this part of our process that we will be improving to avoid future issues. We are currently restructuring our testing process to improve compatibility testing and will not be releasing new SONAR signatures until this new process is in place.
Regards
Orla Cox
Symantec Security Response
On July 11th, 2012 Symantec Security Response started receiving reports of customers experiencing blue screens after applying the July 11th revision 18 definitions. Machines may continue to blue screen after they reboot.This problem only appears to occur on Windows XP machines. The root cause of the problem is unknown at this time.
Security Response is treating this issue with the utmost priority and is actively seeking a solution. Further information will be provided as soon as it becomes available.
Orla Cox
Symantec Security Response