Wednesday, May 28, 2008

Symantec Admits Fault in Windows XP SP3 Registry Corruption

You'll recall my earlier story on registry corruption for certain users upgrading to Windows XP SP3. The cases of registry corruption seemed to have a common thread: Symantec security products. Originally Symantec blamed Microsoft, but in a post on a Symantec support forum, a senior manager with Symantec indicated the fault may indeed lie with Symantec's products.

Reese Anschultz said users of Norton Internet Security, Norton AntiVirus and Norton 360 should switch off the "SymProtect" feature before trying to install XP SP3.
After a lot of testing, we’ve reproduced a number of different cases where applying the XP SP3 upgrade adds additional registry keys within already existing Symantec registry keys. The Symantec keys affected vary from machine to machine and the effects of these added keys vary as well. We are still trying to understand why the upgrade is adding these keys. We have determined that the SymProtect feature is involved, though this issue is not exclusive to Symantec customers. We’ve seen reports from various users who are not running Symantec products.

To help prevent this issue from occurring, you should disable SymProtect prior to installing the Windows XP SP3 upgrade. This setting, in Norton Internet Security 2008 and Norton AntiVirus 2008, can be found within the Options page as “Turn on protection for Norton products.” In this case you should uncheck the box prior to the upgrade. After the upgrade is complete, please remember to re-enable this feature.

It should be noted, however, that this workaround only addresses issues with Symantec products. You may still run into similar problems with other products affected by this XP SP3 upgrade issue. For Norton SystemWorks 2008 you have to go to the Advanced Options UI that is under Settings. Next, click on "Norton SystemWorks Options" and select the General tab. Lastly, uncheck the box that says, "Turn on protection for my Symantec product".

For Norton SystemWorks 2008 Premier you can use either the previous instructions or the Norton AntiVirus instructions.

For Norton 360, disable the "SymProtect Tamper Protection" quick control within the settings page.

For those who have already applied the upgrade and are running into problems, we’re working on a stand-alone tool that would delete the extraneous registry keys. We’ll post that on this forum as soon as it’s available.
No tool has been posted yet. Additionally, a later post on the same thread seemed to indicate a similar issue with the installation of Vista SP1, although that same Symantec manager said they hadn't noted such reports previously.

Last week, Symantec blamed a Microsoft file named fixccs.exe, part of the XP SP3 upgrade package, for the extra registry entries. Now, however, it seems that it was a combination of fixccs.exe and SymProtect which caused the issue. SymProtect is technology designed to protect Symantec security software from being hacked by malware.

"Fixccs.exe adds registry keys during the SP3 update process and then attempts to delete them," said a Symantec spokeswoman. "SymProtect prevents changes to the registry keys. Thus, it prevents the deletion of the keys added by fixccs.exe."

Makes sense, right? Of course, as noted in the forum post, Symantec continues to contend that the registry problems are not exclusive to Symantec products.
