N.D. Cal.: Symantec Has Knowledge That Norton Software Unpacked Files to Operating System Core
On Friday, Judge Edward Chen issued a decision in Beyer v. Symantec, Corp., 18-cv-02006-EMC, 2018 U.S. Dist. LEXIS 162166 (N.D. Cal. Sept. 21, 2018) granting in part and denying in part the Defendant’s Motion to Dismiss. The Plaintiff alleged that Symantec’s Norton security software had critical defects. Google’s Project Zero found vulnerabilities in the antivirus software. The AntiVirus Decomposer Engine unpacked executable files to the operating system's core, which has unrestricted access to the computer's files. The Symantec software failed to practice 'sandboxing', which involves opening files in an isolated, secure area.
The Court denied the Defendant's Motion to Dismiss for lack of standing to bring class actions for purchasers of Enterprise products (marketed to businesses). While Beyer only used the Norton products marketed to consumers, Judge Chen concluded that, "[t]he ability to centrally manage security data does not gainsay the fundamental defect in the way the Symantec products were designed. The same alleged defects exist in both lines of products." Id. at *8.
The Court denied a motion to dismiss the fraud claims because Symantec was found to have known how its Norton 360 Premier worked. Despite the fact that the software was purchased in 2009, and Project Zero revealed its defects in 2016, Judge Chen found that, "the complaint sufficiently alleges knowledge, because it alleges that Symantec designed and produced the software in question. It plausibly follows from this fact that Symantec knew how the Second Software functioned, including that the software unpacked potentially malicious files in a high-privilege environment. It also plausibly follows that Symantec knew it had used third party code and knew it did not patch that code when updates were released by the third parties." Id. at 29.
The Court also declined to dismiss an unfairness claim made under the California Unfair Competition Law and a claim for unjust enrichment. Judge Chen did dismiss claims made with respect to Norton software purchased from Best Buy, because claims about the software's capabilities were not attributable to Symantec.