Problem with Symantec Antivirus Corporate Edition 8.0: Faulty Definition updates disabled client systems

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 06/23/03

    Date:         Mon, 23 Jun 2003 12:16:45 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    I got this message late Friday night (EDT). The writer requested
    anonymity. I immediately forwarded a copy of it to Symantec for
    confirmation. On Saturday Symantec indicated I could expect a response
    on Monday. Given that this has happened before, and given the
    possibility that your AV may be disabled, I've decided not to wait for a
    response from Symantec.

    I have confirmation from another source that as of Friday afternoon the
    update was not causing any problems, so there was a small window
    wherein you may have been affected. Read the note below thoroughly and
    then check a few systems in your environment to see if their AV is
    disabled.

    If you find your AV disabled, drop me a note so I can get an idea of how
    many were affected.

    Cheers,
    Russ - NTBugtraq Editor

    ----
    Reporting this to you directly, I'd rather not have this posted to the
    mailing list with my identifying information. I have not yet seen this
    reported anywhere.

    We experienced a major failure in our Symantec Antivirus protection
    software today, caused by a faulty set of definition updates from
    Symantec. Specifically, the updates they released yesterday
    (rc:Thursday, June 19th) via their Intelligent Updater mechanism had a
    problem that caused all 8.0 clients to choke. Earlier versions of
    clients (7.5) were not affected. The problem was somewhere in the
    mechanism that performs "microdefinition updates". This is new for 8.0
    corporate edition, and allows the systems to get definition updates with
    small incremental transfers (typically under 100K for each update), as
    opposed to 7.5 clients which have to get the full 4MB of data on every
    update.

    The problem was spotted today (rc:Friday, June 20th) when some users
    reported that their systems were complaining about the antivirus
    protection being disabled. What we quickly determined was that
    something was messed up by Thursday's daily update, and the antivirus
    service would not start on any system which had been rebooted since that
    update occurred.

    Symantec tech support said they were aware of the problem, and provided
    me with a way to fix affected systems: copy the full 4 MB .VDB file to
    those systems, and then restart the service or reboot the system if the
    service could not be restarted.

    Two major concerns over this incident: First, this problem effectively
    stomped on our entire desktop/server antivirus protection for file
    systems. Due to various mitigating factors (see below), our most serious
    exposure was limited to about 15% of our user desktops, and none of our
    servers, but the potential was there for near 100% failure of corporate
    antivirus filesystem protection. Second, Symantec has not issued any
    security alert for this issue, nor have they posted any information on
    their website, at least not in any location that I've been able to find
    so far.

    Mitigating factors:

    1) Systems running 7.5 clients were not affected. Only 8.0 clients
    utilize the microdefinition updates, and they were the only ones
    affected.

    2) When a system got the faulty updates, the service would continue
    running, performing realtime scans using the previous day's definitions.
    It only stopped working when the system was rebooted. (Which many of
    our users do every night, hence the problem not showing up until this
    morning.)

    3) This only affected those sites which use the Intelligent Updater to
    get the daily updates. Those using LiveUpdate to get the weekly updates
    were not affected.

    4) Furthermore, I suspect (but do not know) that this only affects
    those using the corporate edition of their software, which allows you to
    have a single server retrieving updates from Symantec, and then
    distributing those updates automatically to all other systems in your
    network.

    It was not a fun day for me today. :-/
    ----
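The note above asks readers to check systems for a disabled AV service and describes the vendor's fix (restart the service, otherwise copy the full .VDB and reboot). The following sweep script is an added example, not code from the original post or from Symantec; it assumes Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 7), admin rights on the targets, a constructed hosts.txt with one hostname per line, and a placeholder service name that must be replaced with the real Symantec client service name.

```powershell
# Added example, not from the original post. Sweeps hosts and reports any
# where the AV service is not running, which is the symptom described above.
# Assumptions: Windows PowerShell 5.1; admin rights on the targets; the
# service name below is a PLACEHOLDER, replace it with the real client service.
param(
    [string]$ServiceName = 'SYMANTEC_AV_CLIENT_SERVICE_PLACEHOLDER',
    [string]$HostFile    = '.\hosts.txt',   # constructed input: one hostname per line
    [switch]$TryStart                       # attempt a service start on failed hosts
)

$report = foreach ($h in Get-Content $HostFile) {
    try {
        $svc = Get-Service -ComputerName $h -Name $ServiceName -ErrorAction Stop
        $status = $svc.Status
        if ($TryStart -and $status -ne 'Running') {
            # Mirrors the vendor advice: try a restart first; if it does not
            # come up, the host needs the full .VDB copied and a reboot.
            try {
                $svc.Start()
                $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
                $svc.Refresh()
                $status = $svc.Status
            } catch { $status = 'StartFailed' }
        }
        [pscustomobject]@{ Host = $h; Status = "$status"; Note = '' }
    } catch {
        # Unreachable host or service not found: surface the error, do not hide it.
        [pscustomobject]@{ Host = $h; Status = 'Unknown'; Note = $_.Exception.Message }
    }
}

# Anything not Running is a candidate for the .VDB copy-and-reboot fix.
$report | Where-Object { $_.Status -ne 'Running' } | Sort-Object Host | Format-Table -AutoSize
```

Run it first without -TryStart to size the problem, then with -TryStart to separate hosts that recover from a plain service restart from those that need the full definition file and a reboot.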
    
