On Friday at around 8:40 p.m. EDT, Symantec Corporation sent an e-mail with the subject "DeepSight Increased ThreatCon from 1 to 4 Alert" to enterprise customers of Symantec"s DeepSight advanced alert system. ThreatCon uses a 1-through-4 scoring system and according to the company"s own definition, Level 4 is reserved for those times when "extreme global network incident activity is in progress. Implementation of measures in this Threat Condition for more than a short period probably will create hardship and affect the normal operations of network infrastructure."
Symantec has never set ThreatCon to Level 4 and even a Level 3 is rare. In the body of the e-mailed alert, however, careful readers found the words: "Summary: threatcon test threatkhanh otrs" buried among several links. The alert was a false alarm, Symantec said just over an hour later in a follow-up message at 9:45 p.m. EDT. "The DeepSight Threat Management System is NOT at ThreatCon 4. At 18:40 MST on September 21, 2007 an erroneous ThreatCon 4 update was issued through DeepSight TMS due to product testing. This ThreatCon 4 update should be disregarded."