Starting last Wednesday evening, many Windows XP computers running Symantec Endpoint Protection 12.1 experienced a Blue Screen of Death when Symantec pushed its latest definitions. The bug check shown on the BSoD is 0x000000CB (DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS), and it appears after the machine updates to the July 11, 2012 rev. 11 definitions. The problem is reported to result from the combination of Symantec’s SONAR component, Windows XP, and certain third-party software, notably whole-disk encryption tools such as Microsoft’s BitLocker, PGP Whole Disk Encryption, WinMagic SecureDoc, and others.
The issue first cropped up in the Symantec forums, where more information was gathered and Symantec was able to reproduce the problem. Symantec also explained the quality assurance steps it takes to review signature updates before release. Once the investigation identified the SONAR signatures as the cause, they were rolled back to the previous version.
Based on our analysis, the problem is isolated to Windows XP machines running:
- Symantec Endpoint Protection Small Business Edition (SEP SBE) 12.1
- Symantec Endpoint Protection (SEP) 12.1
- Symantec Endpoint Protection.cloud (SEP.cloud)
- Norton 2010, 2011, or 2012 consumer security product
- Norton 360 versions 4, 5, and 6
Symantec has acknowledged and summarized the issue in a blog post. They have also provided a KB article that includes a solution for affected customers.
Symantec has posted updated signatures that resolve the issue to the public LiveUpdate production servers. To work around the issue on machines that are already affected, follow these steps.
For enterprise customers, first make sure the Symantec Endpoint Protection Manager (SEPM) has downloaded the latest definitions, so that clients receive the fixed content rather than the bad r11 set:
- Open the Symantec Endpoint Protection Manager
- Log in
- Select “Admin“
- Select “Local site“
- Select “Download LiveUpdate content“
On affected client machines running Symantec Endpoint Protection 12.1:
- Start the computer in Safe Mode (do not use Safe Mode with Networking)
- Navigate to the Symantec Endpoint Protection SONAR definition directory: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\BASHDefs
- Delete the most recent content directory (it should be 20120711.011)
- Reboot
Note: If the client pulls content from LiveUpdate or LiveUpdate Administrator, run LiveUpdate after the reboot. If the client pulls content from the SEPM, the replacement content is downloaded automatically without any interaction. Until the new content arrives, the client UI may show a warning because the definitions are missing.
When the system has been updated properly, the Proactive Threat Protection definition version shown in the client user interface will be Wednesday, July 11, 2012 r12.
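The client-side steps above can be scripted so that a technician working through a fleet of XP machines does not have to find the directory by hand. The following Windows PowerShell script is an added example and is not part of Symantec’s KB article or this page; it assumes Windows PowerShell 2.0 is installed on the XP client (it is not present by default), that the script runs with administrative rights from Safe Mode as the KB steps require, that SEP 12.1 stores SONAR content under the BASHDefs path given above, and that content directories are named `YYYYMMDD.rrr`. By default it only reports what it finds; `-Remove` performs the deletion.

```powershell
# Added example, not from Symantec's KB. Assumptions: PowerShell 2.0 is installed on the
# XP client, the script runs elevated from Safe Mode, and SONAR content directories are
# named YYYYMMDD.rrr under the SEP 12.1 BASHDefs directory documented in the KB.
param(
    [string]$BadContent = '20120711.011',   # the SONAR content set named in the KB
    [switch]$Remove                         # without -Remove the script only reports
)

# Symantec says the issue is limited to XP (NT 5.1) and possibly Server 2003 (NT 5.2)
$os = [Environment]::OSVersion.Version
if ($os.Major -ne 5) {
    Write-Warning "This is NT $($os.Major).$($os.Minor), not Windows XP/Server 2003; a crash here is probably unrelated."
}

# Build the documented XP path from ALLUSERSPROFILE rather than hard-coding the C: drive
$bashDefs = Join-Path $env:ALLUSERSPROFILE 'Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\BASHDefs'
if (-not (Test-Path -LiteralPath $bashDefs)) {
    throw "BASHDefs directory not found at $bashDefs - is SEP 12.1 installed on this machine?"
}

# Content directories are named YYYYMMDD.rrr; list them newest first.
# @() forces an array so indexing works in PowerShell 2.0 even when only one set exists.
$sets = @(Get-ChildItem -LiteralPath $bashDefs |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\d{8}\.\d{3}$' } |
    Sort-Object Name -Descending)

"Installed SONAR content sets (newest first):"
$sets | ForEach-Object { "  $($_.Name)" }

$bad = $sets | Where-Object { $_.Name -eq $BadContent }
if (-not $bad) {
    "Content set $BadContent is not present; nothing to do."
    return
}

# Only the bad set should go; if r12 or later has already arrived, leave it alone
if ($sets[0].Name -ne $BadContent) {
    Write-Warning "$BadContent is present but a newer set ($($sets[0].Name)) is already installed; only $BadContent will be touched."
}

if ($Remove) {
    # Delete just the named directory; LiveUpdate or the SEPM re-delivers content after reboot
    Remove-Item -LiteralPath $bad.FullName -Recurse -Force
    "Removed $($bad.FullName). Reboot normally, then run LiveUpdate (or wait for the SEPM to deliver r12)."
} else {
    "Would remove $($bad.FullName). Re-run with -Remove from Safe Mode to delete it."
}
```

Run it once without `-Remove` to confirm that `20120711.011` is the newest directory present, then again with `-Remove`; after the reboot, re-running it (or checking the Proactive Threat Protection version in the client UI) should show the r12 set in place of the deleted one.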
Symantec has confirmed the problem is Windows XP-only (which may also cover Windows Server 2003). If you are seeing issues with Symantec on Windows 7, your issue is likely unrelated, according to Symantec.