Microsoft’s Latest Patch Hoses Some Antivirus Software

McAfee, Sophos and Avast are among the antivirus software suites impacted.

Microsoft’s April 9 security update is bogging down systems running antivirus software packages made by McAfee, Avast, ArcaBit, Avira and Sophos.

According to Microsoft, the company’s April Patch Tuesday security update is causing some systems to start up slowly, perform sluggishly or become completely unresponsive. For days now, Microsoft has been adding more antivirus titles to the list of those impacted by the issue.

The affected antivirus titles are: Sophos Endpoint and Sophos Enterprise Console; Avira antivirus software; ArcaBit antivirus software; Avast; and McAfee Security Threat Prevention 10.x and McAfee Host Intrusion Prevention 8.0.

McAfee is the latest antivirus vendor to issue a warning to its customers. On Thursday it said Microsoft’s security update is causing affected systems to boot up slowly and run slowly.

“McAfee is investigating this issue and will resolve it in a future update,” McAfee wrote.

Earlier this week, Sophos sent a note to customers explaining, “After installing certain Microsoft Windows updates… Sophos has received reports of computers failing to boot. Sophos is actively investigating this issue and will update this article when more information is available.”

Sophos notes those running Sophos Intercept X are not affected.

It’s unclear what the root cause of the issue is. Microsoft describes symptoms tied to the April security update and the Kerberos implementation in several versions of Windows. Kerberos is a key authentication protocol that’s used in a huge number of open-source and commercial products.

“After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails,” Microsoft wrote.

Microsoft is offering a technical workaround with options such as purging the Kerberos tickets on affected systems, restarting the Internet Information Services app pool and using “constrained delegation.”

“Microsoft is working on a resolution and will provide an update in an upcoming release,” according to Microsoft.

McAfee and Avast both suggest the problem is tied to a change Microsoft made to the Windows Client-Server Runtime Subsystem (csrss.exe). The CSRSS is a vital part of Windows, responsible for the user-mode side of the Win32 subsystem, driving console windows and the shutdown process, according to a description.

“Changes in the Windows April 2019 update for Client Server Runtime Subsystem (CSRSS) introduced a potential deadlock with ENS,” McAfee wrote.

Avast reports that customers running Avast for Business, Avast CloudCare, and AVG Business Edition on Windows machines, particularly those with Windows 7 operating systems, are impacted by the issue. The company is offering customers a fix via “micro-updates” that “should resolve the issue and restore functionality.”
