Where we stand with the April 2019 patches

Topic

New Reply

With the six dirty Windows patches knocking out five different companies’ antivirus packages, things have been a bit rocky. There’s an update, but it’
[See the full post at: Where we stand with the April 2019 patches]

3 users thanked author for this post.

Elly, fernlady, abbodi86

Reply | Quote

Replies

So what happens if they don’t fix them by the time May’s comes around?

Reply | Quote

From what I’ve been reading, Microsoft isn’t going to do a thing…it’s all on the affected A/V vendors to fix things, and they’ve been cranking out patches and, in one vendor’s case, “micropatches” (their wording, not mine).

I would expect that, by the time the May patches roll out on May 14th, most if not all of the affected vendors will have released patches that should automatically be downloaded and installed by their affected products.

2 users thanked author for this post.

RockJohny, woody

Reply | Quote

Generally correct – but there’s at least one weird nuance. Details in the article.

Reply | Quote

April patches installed OK on my 1803 machines with Quality deferrals set to 14 days, and my work laptop on 1809 as well.
All systems are using Defender with no other 3rd party AV products.

Reply | Quote

Is Bitdefender (free) affected by this patch? Thanks for your great site!

Reply | Quote

I have BitDefender Free on Win7, 8.1 and 10 – no problem on any of them.

Reply | Quote

I’m on 1803 and haven’t been offered 1809 at all. I was just wondering if maybe it’s due to the fact that I’ve been blocking KB4023057 and all the chip set updates, the latest being KB4346084 just yesterday. Any thoughts on the possibilities of this being the reason and maybe just waiting on 1903 or somehow trying to get 1809 to install ?

Reply | Quote

The best advice is – wait till 1809 comes to you. Don’t go seeking.
You may not have it for a reason.

1 user thanked author for this post.

woody

Reply | Quote

That’s kinda what I was thinking also, unless it holds off for so long that 1903 try’s to sneak its way in before then. Have there been any negative reports that you’ve heard of about skipping a version ?

Reply | Quote

Skipping a version is the User’s choice. You can even wait until what you’re running is EOL. We just had one User upgrade from 1607 to 1809.
You just don’t want to jump into a just-released version too soon, before it’s vetted by the mass of Guinea Pigs.

1 user thanked author for this post.

bobcat5536

Reply | Quote

On my Windows 7 laptop I use Microsoft Security Essentials along with an older version of Malwarebytes (didn’t update when all the problems arose with that awhile back).  I haven’t read anything about these 2 being affected – or did I miss something about either of these?

Reply | Quote

They’re both in the clear.

Microsoft has a leg up with Defender….

3 users thanked author for this post.

dgreen, pkoryn, AJNorth

Reply | Quote

Every month when it’s update time, I turn off my update blocker and reboot. Problem is, Windows never checks for updates unless I use the “seeker” tab. How do I get Windows to check for updates without selecting the check for updates tab?

Reply | Quote

What update blocker are you using?
What changes does it make to your system to do the blocking?
Is there a button in the blocker to search for updates?

Have you tried: turning off Metered connectins, rebooting the computer, then waiting a day or tow?

Reply | Quote

I use Windows Update Blocker that disables the windows update service and makes it read only so M$ can’t turn it back on. Just before rebooting, I disable the blocker and check to make sure the service is running. I leave my metered setting on just in case the next feature update shows up. If I disable the blocker and remove metered, it usually checks right away.

Reply | Quote

Use wushowhide  to HIDE the updates you don’t want after you turn on WUB. The Windows Update Service has to be running to use wushowhide.

Doesn’t WUB have the ability to selectively block updates?

Reply | Quote

I use wushowhide, but it has in the past, started to download updates as soon as I enable the service. WUB is a simple disable WU Service only with no extras other that the read only attribute. It checks asap when you don’t want it to and when you do want it it won’t. Go figure.Windows 10 is a screwy non predictable animal.     Thanks PK for the input..much appreciated.

Reply | Quote

According to Bleeping Computer, both McAfee and Avast attribute the problem to a CSRSS security update. Specifics are at the following link.

https://www.bleepingcomputer.com/news/software/windows-security-update-caused-recent-antivirus-conflicts-and-freezes/

1 user thanked author for this post.

woody

Reply | Quote

In WUB v1.2 you can add services/program updates to be blocked (I think 25 is limit)
As a stand alone, it blocks Windows from updating.Period.
Not a bad product for free from sordum.org.

https://www.sordum.org/9470/windows-update-blocker-v1-2/

Reply | Quote

If you add any service other than the basic update service, it will not allow you to turn them back on, even using the enable services setting in the software. If you go to services and try to enable them from there, it won’t let you. Others have stated such in their forum, therefore I don’t ever add any other services. When I tried to add others, I ended up restoring an image to make things right again.

Reply | Quote

For those who are interested, this is what Avast/AVG has to say:

“Avast has received reports of an issue affecting our customers running Avast for Business, Avast CloudCare, and AVG Business Edition on Windows machines, particularly those with Windows 7 operating systems. We have developed micro-updates that should resolve the issue and restore functionality to our users.”

So it appears that only the Avast and AVG Business Editions are affected.  At least that’s what I’m assuming and hoping after reading the above.

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

2 users thanked author for this post.

phaolo, jburk07

Reply | Quote

That’s correct. The three affected Avast products are:

• Avast for Business
• Avast CloudCare
• AVG Business Edition

They’re not likely to be on an individual’s machine. But companies – even small companies – use them all the time.

1 user thanked author for this post.

jburk07

Reply | Quote

Based on what I am reading, it seems that Windows 7 update problems are only if you are running one of the affected AV programs, and Windows 10 problems seem to be with ver 1809.

So is it maybe time to change the Defcon for Windows 7 NOT running  the affected AV programs, and Windows 10 version 1803 and earlier?

One of Woody’s stated goals with the new format was to move Defcon ratings by Operating System version anyway.  Maybe starting now.

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

1 user thanked author for this post.

AJNorth

Reply | Quote

DEFCON has not changed.
At the moment, the priority is absorbing WSL and then getting it settled in.
Somewhere down the road, but not now.

2 users thanked author for this post.

SueW, jburk07

Reply | Quote

Tex265 wrote:

One of Woody’s stated goals with the new format was to move Defcon ratings by Operating System version anyway.  Maybe starting now.

Would that it were so simple.

We’ll have to redesign the site – and I have to redesign my thinking. It’s remarkably difficult to keep things straightforward and unambiguous for Windows customers at all levels.

5 users thanked author for this post.

SueW, jburk07, Pim, AJNorth, Elly

Reply | Quote

FYI for those who follow Susan’s Master Patch List, it looks like she has given the Okay for the updates for Windows 10 and Windows 7 – except for those with the affected A/V’s.  Check out her listing at the top of the page.

As cautioned in the past, those at home on their own may best be served by waiting for Woody to change the Defcon rating.

 

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

Folks (plural because I’ve seen this in more than one thread), there is no Goon Squad. AskWoody advice is exactly that, advice. When you have consulted the information important to you and then decide you want to update, Go For It. You will not void any warranty or agreement by doing so. André the Giant will not break down your door by gently knocking. The only negative outcome possible will be from within your own computer that faithfully executes the commands you gave it.

I only request that as you hold the AskWoody community in high regard, please post your results. Give a brief description of hardware and operational status prior to the attempt. Then a summary result, either good or bad. Doing this may have an effect on Woody’s evaluation of his MS-DEFCON rating. It would certainly have a greater effect than just asking, repeatedly, “are you sure?”

6 users thanked author for this post.

SueW, Bill C., jburk07, Mele20, Elly, woody

Reply | Quote

anonyomous wrote:

It would certainly have a greater effect than just asking, repeatedly, “are you sure?”

Granted we each have a decision to make even with a Defcon rating go-ahead. Many however do rely on this site for information from other posters, the MVP’s, and referenced sources to provide information on which to base an educated decision as respects their particular Operating System and version.

While there are at times folks who ask a similar question repeatedly, there is a difference in asking “are you sure?” on an already identified/confirmed issue verses “does the issue(s) affecting one Windows version/configuration affect the others?” There have been many times that a major issue affecting only one Windows version holds up all the others, but still we would like some commentary regarding the other versions to make a decision.

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

Are no Kaspersky products impacted by April? Inquiring minds… Trust Kaspersky far more than MS with security and support personally. Time for Group W?

Win 7 Pro x64, Group B.

Reply | Quote

The only ones we’ve heard about are Avast. AVG, Avira, McAfee, and Sophos. The MS pages for the individual updates list which ones have issues. with each patch.

1 user thanked author for this post.

woody

Reply | Quote

And now, also Arcabit which is a Polish AV product.

Reply | Quote

PKCano wrote:

Skipping a version is the User’s choice. You can even wait until what you’re running is EOL. 

I waited until April 7 to upgrade from 1709. I did it through Windows Updates and expected to get 1809 but got 1803 instead.

Reply | Quote

There’s a reason why you weren’t moved to 1809.

Best advice: Don’t try to fool Mother Nature. Stick with what you have. And delay 1903 for at least a few months. (I’ll have full details for delaying techniques in Computerworld.)

Reply | Quote

I have Sophos Home Premium on 3 of my systems, two with Win7 x64 and the other one Win10 x64 v1809. Sophos does not mention their home product being affected, only business products. Microsoft however does withhold the April Win7 cumulative update on my Win7 systems with Sophos installed. I can see that there is a Sophos Endpoint service running, therefore I assume that is how MS determines not to offer the April cumulative update. Once MS-DEFCON moves to a safe level and if MS then still does not offer the April cumulative update I will try to install it manually from the catalog and see what happens.

Reply | Quote

Even though all the news is about a handful of 3rd party antivirus issues, I thought I’d provide a data point for a machine running MS Security Essentials with no 3rd party AV software.

Win 7 Starter (32 bit) Group B, up to date through March, including the service stack update, KB4490628, and the SHA-2 update, KB4474419. This is my test machine.

IE11 patch, KB4493435 installed normally, no issues.

Security only patch, KB4493448, installed normally with one exception: on the restart, after a message stating I was at 30% configured, I got a message saying shutting down. It did and then proceeded to 100% configured. Up to this point all is normal, but then, instead of continuing to a log-in screen, I got another shutting down message. It shut down and then proceeded to the log-in screen.

Everything appears to be working fine so far, but I don’t recall ever seeing 2 shutdowns on a restart. Has anyone else seen 2 shutdowns on a restart?

Reply | Quote

I have seen the double reboot after April updates mentioned before. And I also experienced it installing the Rollups instead of the Security-only patches.

2 users thanked author for this post.

dgreen, DrBonzo

Reply | Quote

I too experienced the double restart after installing updates today.  Running Windows 7 Group “A”.  Everything seems to be running normally now – just unusual to have a second restart.

2 users thanked author for this post.

DrBonzo, dgreen

Reply | Quote

DrBonzo wrote:

Everything appears to be working fine so far, but I don’t recall ever seeing 2 shutdowns on a restart. Has anyone else seen 2 shutdowns on a restart?

Any number of times over the years… often enough that I don’t find it worth mentioning specifically.

Once upon a time there was even a particular HP workstation with specific drivers where the instructions were to restart it manually for a second time if an update installation only does it automatically once.

1 user thanked author for this post.

DrBonzo

Reply | Quote

I remembered vaguely that this has happened in the past so I searched, and yes, it happened on January – March 2018 updates.

Important: Windows security updates and antivirus software

Microsoft has identified a compatibility issue with Microsoft’s Windows security updates released in January 2018 and a small number of antivirus software products.

The compatibility issue arises when antivirus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent these stop errors, Microsoft is currently only offering the January and February 2018 Windows security updates to devices that are running antivirus software that is from antivirus software vendors who have confirmed that their antivirus software is compatible by setting a required registry key…

https://support.microsoft.com/en-us/help/4072699/windows-security-updates-and-antivirus-software

Reply | Quote

the required reg key is no longer needed when installing April 2018 or higher updates and/or when using Win10 v1803 or greater

Reply | Quote

A question about April Windows 7 Rollup and Security Only patches:

The MS support page for the Rollup, KB4493472, says that beginning with the April Rollup, the PciClearStaleCache file will not be included, and that to prevent potential networking issues one of the Rollups released between April 10, 2018 and March 12, 2019 must already be installed.

The MS support page for the Security Only patch, KB4493448, makes no mention of needing the PciClearStaleCache file. Is this an omission on Microsoft’s part from the SO support page? Or do the April Security Only patches truly either not need this file or have it included with the patch?

Any know what the situation is? Thanks.

Reply | Quote

the PciClearStaleCache.exe file is not needed for KB4493448, DrBonzo.
same thing with the March 2019 SO update, KB4489885 and older security-only patches

PciClearStaleCache.exe should only be used with installing new monthly rollups starting with KB4493472

edit – note to woody: looks like Microsoft won’t be releasing any new non-security fixes for Win10 v1809 as the month of April is coming to a close, perhaps sometime in early May before patch Tuesday May 14, MS could release a new non-security patch for 1809.

1 user thanked author for this post.

DrBonzo

Reply | Quote

@EP – Thanks. I often take MS support pages with a large grain of salt, so I was wondering and curious about the difference between the Rollup and SO patches.

If you have a moment, is there a relatively simple explanation as to why the Rollup requires the PciClearStaleCache file but the SO doesn’t?

Reply | Quote

Someone at Kaspersky forum claim that “Kaspersky free AV destroyed my PC”

I just installed Kaspersky free AV, downloaded through your website (startup_14441.exe) an hour ago and it destroyed my laptop, latest Windows 10 64bit, default AV Windows 10 Defender + Malwarebytes free (manual mode scan). There is no malware on the laptop, I do daily scans with both Defender and Malwarebytes…

After about 1 minute or so, I got a bluescreen of DPC_WATCHDOG_TIMEOUT or something, system not responding anymore. PC restarted.

Restarted Windows, logged in, all seemed to work. I opened the Kaspersky systray icon to look through the settings, then maybe after 30 seconds of login, everything started to freeze again. After 1 minute or so, watchdog bluescreen and reboot…

https://community.kaspersky.com/kaspersky-anti-virus-12/kaspersky-free-av-destroyed-my-pc-334

Reply | Quote

Win7 X64 SP1 PC, with minimal M$ programs on it; Group B since Group B started. Avast free AV user. After reviewing all I could find, installed 4-2019 Group B patches incl. IE 11; machine runs fine. NOTE: I have not seen this on AskWoody.com: Article in BleepingComputer.com refers to the freeze due to changes to M$ CSRSS software. My own surmise: apparently that software not so prevalent in “non-business” PCs; thus why problem surfaced in various Antivirus vendors’ Business, and not Home, software. See:
https://www.bleepingcomputer.com/news/microsoft/windows-april-updates-also-have-problems-with-mcafee-software/

1 user thanked author for this post.

Charlie

Reply | Quote

Latest patch now available for 1809

https://support.microsoft.com/en-gb/help/4501835/windows-10-update-kb4501835

May 1, 2019—KB4501835 (OS Build 17763.439)

1 user thanked author for this post.

woody

Reply | Quote

Thanks! See https://www.askwoody.com/2019/microsoft-releases-the-second-april-cumulative-update-for-win10-1809-kb-4501835/

Reply | Quote