Microsoft Anti-Spyware Deleting Norton Anti-Virus

Microsoft's Anti-Spyware program is causing troubles for people who also use Symantec's Norton Anti-Virus software; apparently, a recent update to Microsoft's anti-spyware application flags Norton as a password-stealing program and prompts users to remove it.

According to several different support threads over at Microsoft's user groups forum, the latest definitions file from Microsoft "(version 5805, 5807) detects Symantec Antivirus files as PWS.Bancos.A (Password Stealer)."

When Microsoft Anti-Spyware users remove the flagged Norton file as prompted, Symantec's product gets corrupted and no longer protects the user's machine. The Norton user then has to go through the Windows registry and delete multiple entries (registry editing is always a dicey affair that can quickly hose a system if the user doesn't know what he or she is doing) so that the program can be completely removed and re-installed.

I put in calls to Microsoft and to Symantec on this issue, but am still waiting to hear back from both companies.

Microsoft said it is shipping updates that fix this problem, but judging from the growing number of other threads on this in that forum, this is shaping up to be a pretty big issue for companies that have deployed Microsoft's free anti-spyware product inside their networks. It's a good idea to keep in mind that Microsoft's Anti-Spyware product is in beta mode: The company's product page explicitly says that Microsoft Anti-Spyware should not be deployed in production systems. I'm not apologizing for Redmond in any way; it just seems like too many people ignore warnings about beta products.

Update: 10:58 p.m. ET: I heard from Microsoft, and they say the problem is limited to customers running Symantec Antivirus (SAV) Corporate Edition versions 7, 8, 9 or 10 or Symantec Client Security (SCS) versions 1, 2 or 3 in combination with Windows AntiSpyware Beta 1. "The beta software will prompt and allow the user to remove a registry key containing subkeys belonging to these Symantec products. The deletion of these registry keys will cause all versions of the SAV and SCS software to stop operating correctly. No files are removed in this situation, only registry keys."

The rest of the statement Microsoft sent me says: "Once this issue was discovered, Microsoft quickly released a new signature set (5807) to remove this false positive. Both companies are working jointly together to identify the number of affected customers, which we believe to be very limited. Microsoft and Symantec are working jointly on a solution to restore normal operation of the Symantec software. Until this solution is available, customers can utilize System Restore in Windows XP to restore to an earlier point prior to the removal of the registry keys, or reinstall their client software."

By Brian Krebs