Problem with Symantec Antivirus Corporate Edition 8.0: Faulty Definition updates disabled client systems
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 06/23/03
- Previous message: Jeff Moss: "Black Hat Briefings 2003 - Announcement"
- Next in thread: Russ: "Re: Problem with Symantec Antivirus Corporate Edition 8.0: Faulty Definition updates disabled client systems"
- Maybe reply: Russ: "Re: Problem with Symantec Antivirus Corporate Edition 8.0: Faulty Definition updates disabled client systems"
- Reply: Rob Rosenberger: "Re: Problem with Symantec Antivirus Corporate Edition 8.0: Faulty Definition updates disabled client systems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 23 Jun 2003 12:16:45 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I got this message late Friday night (EDT). The writer requested
anonymity. I immediately forwarded a copy of it to Symantec for
confirmation. On Saturday Symantec indicated I could expect a response
on Monday. Given that this has happened before, and given the
possibility that your AV may be disabled, I've decided not to wait for a
response from Symantec.
I have confirmation from another source that as of Friday afternoon the
update was not causing any problems, so there was a small window
wherein you may have been affected. Read the note below thoroughly and
then check a few systems in your environment to see if their AV is
disabled.
If you find your AV disabled, drop me a note so I can get an idea of how
many were affected.
Cheers,
Russ - NTBugtraq Editor
----
Reporting this to you directly, I'd rather not have this posted to the mailing list with my identifying information. I have not yet seen this reported anywhere.

We experienced a major failure in our Symantec Antivirus protection software today, caused by a faulty set of definition updates from Symantec. Specifically, the updates they released yesterday (rc:Thursday, June 19th) via their Intelligent Updater mechanism had a problem that caused all 8.0 clients to choke. Earlier versions of clients (7.5) were not affected.

The problem was somewhere in the mechanism that performs "microdefinition updates". This is new for 8.0 corporate edition, and allows the systems to get definition updates with small incremental transfers (typically under 100K for each update), as opposed to 7.5 clients which have to get the full 4MB of data on every update.

The problem was spotted today (rc:Friday, June 20th) when some users reported that their systems were complaining about the antivirus protection being disabled. What we quickly determined was that something was messed up by Thursday's daily update, and the antivirus service would not start on any system which had been rebooted since that update occurred.

Symantec tech support said they were aware of the problem, and provided me with a way to fix affected systems: copy the full 4 MB .VDB file to those systems, and then restart the service or reboot the system if the service could not be restarted.

Two major concerns over this incident:

First, this problem effectively stomped on our entire desktop/server antivirus protection for file systems. Due to various mitigating factors (see below), our most serious exposure was limited to about 15% of our user desktops, and none of our servers, but the potential was there for near 100% failure of corporate antivirus filesystem protection.

Second, Symantec has not issued any security alert for this issue, nor have they posted any information on their website, at least not in any location that I've been able to find so far.

Mitigating factors:

1) Systems running 7.5 clients were not affected. Only 8.0 clients utilize the microdefinition updates, and they were the only ones affected.

2) When a system got the faulty updates, the service would continue running, performing realtime scans using the previous day's definitions. It only stopped working when the system was rebooted. (Which many of our users do every night, hence the problem not showing up until this morning.)

3) This only affected those sites which use the Intelligent Updater to get the daily updates. Those using LiveUpdate to get the weekly updates were not affected.

4) Furthermore, I suspect (but do not know) that this only affects those using the corporate edition of their software, which allows you to have a single server retrieving updates from Symantec, and then distributing those updates automatically to all other systems in your network.

It was not a fun day for me today. :-/
----
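The exposure logic the reporter lays out (only 8.0 clients on Intelligent Updater that received the June 19 definitions; failure only after a reboot; still-running hosts at risk until their next reboot) can be turned into a fleet triage check. The following is an added example, not code from the post or from Symantec; the host inventory is constructed, and the field names and the "recovered" state are my own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Release of the faulty Intelligent Updater definitions described in the report.
BAD_UPDATE = datetime(2003, 6, 19)


@dataclass
class Host:
    name: str
    client_version: str          # "8.0" uses microdefinition updates; "7.5" does not
    update_source: str           # "intelligent_updater" (daily) or "liveupdate" (weekly)
    got_bad_update: bool         # received the June 19 daily definitions
    last_reboot: Optional[datetime]
    service_running: bool        # current state of the AV service


def classify(h: Host) -> str:
    """Apply the report's exposure rules to one host (assumed field names)."""
    if h.client_version != "8.0" or h.update_source != "intelligent_updater":
        return "unaffected"      # 7.5 clients and LiveUpdate sites were not hit
    if not h.got_bad_update:
        return "unaffected"
    rebooted_since = h.last_reboot is not None and h.last_reboot >= BAD_UPDATE
    if not rebooted_since:
        return "at_risk"         # still scanning with the previous day's defs; fails at next reboot
    if not h.service_running:
        return "affected"        # service did not start after reboot: needs full .VDB + restart
    return "recovered"           # rebooted after the bad update but service is up again


def triage(hosts: List[Host]) -> Dict[str, List[str]]:
    """Group host names by exposure state so the affected ones can be fixed first."""
    out: Dict[str, List[str]] = {"affected": [], "at_risk": [], "recovered": [], "unaffected": []}
    for h in hosts:
        out[classify(h)].append(h.name)
    return out


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("ws01", "8.0", "intelligent_updater", True, datetime(2003, 6, 20, 8), False),
    Host("ws02", "8.0", "intelligent_updater", True, datetime(2003, 6, 18, 19), True),
    Host("srv01", "7.5", "intelligent_updater", True, datetime(2003, 6, 20, 1), True),
    Host("ws03", "8.0", "liveupdate", False, datetime(2003, 6, 20, 7), True),
    Host("ws04", "8.0", "intelligent_updater", True, datetime(2003, 6, 20, 9), True),
]

if __name__ == "__main__":
    for state, names in triage(SAMPLE_HOSTS).items():
        print(f"{state:>10}: {', '.join(names) or '-'}")
```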