Microsoft’s Latest Patch Hoses Some Antivirus Software | Threatpost

Microsoft’s April 9 security update is bogging down systems running antivirus software packages made by McAfee, Avast, ArcaBit, Avira and Sophos.

According to Microsoft, the company’s April Patch Tuesday security update is causing some systems to start up slowly, perform sluggishly or become completely unresponsive. For days now, Microsoft has been adding more antivirus titles to the list of those impacted by the bug.

The affected antivirus titles are: Sophos Endpoint and Sophos Enterprise Console, Avira antivirus software, ArcaBit antivirus software, Avast, and McAfee Security Threat Prevention 10.x and McAfee Host Intrusion Prevention 8.0.

McAfee is the latest antivirus vendor to issue a warning to its customers. On Thursday it said Microsoft’s security update is causing affected systems to boot up slowly and run slowly.

“McAfee is investigating this issue and will resolve it in a future update,” McAfee wrote.

Earlier this week, Sophos sent a note to customers explaining, “After installing certain Microsoft Windows updates… Sophos has received reports of computers failing to boot. Sophos is actively investigating this issue and will update this article when more information is available.”

Sophos notes those running Sophos Intercept X are not affected by this issue.

It’s unclear what the root cause of the issue is. Microsoft describes symptoms tied to a bug introduced with the April security update impacting the Kerberos implementation in several versions of Windows. Kerberos is a key authentication protocol that’s used in a huge number of open-source and commercial products.

Microsoft is offering a technical workaround with options such as purging the Kerberos tickets on affected systems, restarting the Internet Information Services app pool and using “constrained delegation”.

“Microsoft is working on a resolution and will provide an update in an upcoming release,” according to Microsoft’s support page for the issue.

McAfee and Avast both suggest the problem is tied to a change Microsoft made to the Windows Client-Server Runtime Subsystem (csrss.exe). The CSRSS is a vital part of Windows, responsible for the user-mode side of the Win32 subsystem, driving console windows and the shutdown process, according to a description.

“Changes in the Windows April 2019 update for Client Server Runtime Subsystem (CSRSS) introduced a potential deadlock with ENS,” McAfee wrote.