Microsoft’s Latest Patch Hoses Some Antivirus Software

McAfee, Sophos and Avast are among the antivirus software suites impacted.

Microsoft’s April 9 security update is bogging down systems running antivirus software packages made by McAfee, Avast, ArcaBit, Avira and Sophos.

According to Microsoft, the company’s April Patch Tuesday security update is causing some systems to start slowly, perform sluggishly or become completely unresponsive. For days now, Microsoft has been adding more antivirus titles to the list of those impacted by the issue.

The affected antivirus titles are: Sophos Endpoint and Sophos Enterprise Console; Avira antivirus software; ArcaBit antivirus software; Avast; and McAfee Security Threat Prevention 10.x and McAfee Host Intrusion Prevention 8.0.

McAfee is the latest antivirus vendor to issue a warning to its customers. On Thursday it said Microsoft’s security update is causing affected systems to boot up slowly and run slowly.

“McAfee is investigating this issue and will resolve it in a future update,” McAfee wrote.

Earlier this week, Sophos sent a note to customers explaining, “After installing certain Microsoft Windows updates… Sophos has received reports of computers failing to boot. Sophos is actively investigating this issue and will update this article when more information is available.”

Sophos notes those running Sophos Intercept X are not affected.

It’s unclear what the root cause of the issue is. Microsoft describes symptoms tied to the April security update and the Kerberos implementation in several versions of Windows. Kerberos is a key authentication protocol that’s used in a huge number of open-source and commercial products.

“After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails,” Microsoft wrote.

Microsoft is offering a technical workaround with options such as purging the Kerberos tickets on affected systems, restarting the Internet Information Services app pool and using “constrained delegation”.

“Microsoft is working on a resolution and will provide an update in an upcoming release,” according to Microsoft.

McAfee and Avast both suggest the problem is tied to a change Microsoft made to the Windows Client-Server Runtime Subsystem (csrss.exe). The CSRSS is a vital part of Windows, responsible for the user-mode side of the Win32 subsystem, driving console windows and the shutdown process, according to a description.

“Changes in the Windows April 2019 update for Client Server Runtime Subsystem (CSRSS) introduced a potential deadlock with ENS,” McAfee wrote.

Avast reports that customers running Avast for Business, Avast CloudCare, and AVG Business Edition on Windows machines, particularly those with Windows 7 operating systems, are impacted by the issue. The company is offering customers a fix via “micro-updates” that “should resolve the issue and restore functionality.”

  • Harry the D. on

    I run Win 10 Pro on all my devices specifically so I can configure them to delay updating until the 3rd Tuesday of the month. So far my system seems to be working.
  • Alex Mason on

    What do you want, a Twinkie?
