Recent Windows Patch Causing Issues With Third Party AntiVirus Software
April 22, 2019

On April 9, Windows released its latest update, which seems to be causing some problems with anti-malware software. As of the time of publication, the brands affected by the patch are Sophos, Avira, ArcaBit, Avast, and most recently McAfee.

Windows April 9th Patch Tuesday


Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2 grind to a halt once a login is attempted. It is not yet determined whether the system is freezing altogether or is just agonisingly slow. Some users have reported that they can log in, but the process takes ten or more hours.

In light of this, Microsoft is currently blocking the update for Sophos, Avira, and ArcaBit users, with McAfee still under investigation. ArcaBit and Avast have each published updates that address the problem.

Booting into safe mode is not affected, and current advice is to disable the antivirus application and allow machines to boot normally. Sophos additionally recommends adding the antivirus software’s own directory to the list of excluded locations as a quick fix. Meanwhile, Avast recommends leaving systems at the login screen for about 15 minutes and then rebooting; the antivirus software should then update itself automatically in the background.

So far, Avast and McAfee also provide a hint at the root cause: it appears that Microsoft has made a change to CSRSS ("client/server runtime subsystem"), a core component of Windows that coordinates and manages Win32 applications. This is reportedly making the antivirus software deadlock. The antivirus applications are trying to get access to some resource, but they're blocked from doing so because they have already taken exclusive access to the resource.

That the patches have come from antivirus vendors rather than from Microsoft suggests (though does not guarantee) that whatever change Microsoft made to CSRSS is revealing latent bugs in the antivirus software. On the other hand, it's possible that CSRSS is now doing something that Microsoft previously promised wouldn't happen.


Source: Arstechnica.com, Borncity.com, Theinquirer.net