Microsoft's latest patch causing issues with antivirus programs
Microsoft's April 9 security update is slowing down systems running antivirus software made by McAfee, Avast, ArcaBit, Avira and Sophos. According to Microsoft, the April Patch Tuesday security update is causing some systems to have slow startup times, sluggish performance or become completely unresponsive. Microsoft has been adding more antivirus titles to those affected by the issue. So far, Sophos Endpoint and Sophos Enterprise Console, Avira antivirus software, ArcaBit antivirus software, Avast and McAfee Security Threat Prevention 10.x and McAfee Host Intrusion Prevention 8.0 are listed as affected.
McAfee is the latest antivirus company to issue a warning to its customers. On Thursday Mcafee stated that Microsoft's update is causing systems to boot up slowly and run slowly. Mcafee wrote that it is investigating this issue and is working on resolving this issue. Earlier this week, Sophos notified it's customers that “After installing certain Microsoft Windows updates, Sophos has received reports of computers failing to boot. Sophos is actively investigating this issue and will update this article when more information is available.” Sophos states that those running Sophos Intercept X are not affected.
It's unclear what the cause of the issue is. Microsoft describes symptoms tied to the April security update and the Kerberos implementation in several versions of Windows. Kerberos is a key authentication protocol that's used in a huge number of open-source and commercial products. According to Microsoft, "After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires. For example, the SQL server service fails.” Microsoft has a technical workaround with options such as purging the Kerberos tickets on affected systems, restarting the Internet Information Services app pool and using constrained delegation.
McAfee and Avast, both suggest that the problems are tied to a change Microsoft made to the Windows Client Server Runtime Subsystem. The CSRSS is a vital part of Windows, responsible for the user mode side of Win32 subsystem driving console windows and the shutdown process, according to a description. Changes in the Windows April 2019 update for Client Server Runtime Subsystem ( CSRSS ) introduced a potential deadlock with ENS according to Mcafee.
Microsoft is working on a resolution and will release it in an upcoming patch. Avast stated that customers running Avast for Business, Avast CloudCare, and AVG Business Edition on Windows machines, especially those with Windows 7 operating systems are impacted by the issue. The company is offering customers an update that “should resolve the issue and restore functionality.