Microsoft’s recent security update affecting anti-malware software from Sophos, Avira, Avast, McAfee
Microsoft’s recently released April 9 monthly rollup update is causing compatibility issues with anti-malware software from Sophos, Avira, ArcaBit, Avast, and McAfee.
The affected antivirus products are Sophos Endpoint and Sophos Enterprise Console, Avira antivirus software, ArcaBit antivirus software, Avast, and McAfee Security Threat Prevention 10.x and McAfee Host Intrusion Prevention 8.0. The update (KB4493472) is affecting PCs running Windows 7, 8.1, Server 2008 R2, Server 2012, Server 2012 R2, and also likely Windows 10.
After the April 9 security update, systems running the aforementioned antivirus software are failing to start, performing sluggishly, or becoming completely unresponsive at restart.
According to Microsoft, the issue is likely due to a bug introduced with the April security update that impacted the Kerberos implementation in several versions of Windows.
For those unaware, Kerberos is a computer network authentication protocol used in a huge number of open-source and commercial products. It works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
Microsoft has added a block to this update for Sophos, Avira, and ArcaBit users that stops it from being installed on PCs with the affected antivirus software. The McAfee issue is still under investigation.
“Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update,” Microsoft explains on its support page.
Several vendors have issued warnings to their customers regarding the bug in the monthly rollup update.
“After installing certain Microsoft Windows updates… Sophos has received reports of computers failing to boot. Sophos is actively investigating this issue and will update this article when more information is available,” Sophos said in a note that it sent to its customers earlier this week. However, systems running Sophos Intercept X are not affected by the issue, Sophos notes.
McAfee suggested that the problem could be due to a change that Microsoft made to the Windows Client-Server Runtime Subsystem (csrss.exe).
“Changes in the Windows April 2019 update for Client Server Runtime Subsystem (CSRSS) introduced a potential deadlock with ENS. McAfee is investigating this issue and will resolve it in a future update. A Proof of Concept (POC) build to test a fix is currently available. Escalate a Service Request to Technical Support to obtain the POC,” McAfee wrote. “McAfee is investigating this issue and will resolve it in a future update.”