Newsletter Archives

  • Patch Lady – so I don’t get it

    By now you’ve seen the headlines… we have three antivirus products documented as being down for the count when it comes to Windows 7 and 8.1 (and corresponding Server OS as well).  Per https://support.microsoft.com/en-us/help/4493448, Sophos, Avira and Avast all are causing issues, with machines unresponsive.  Avast in particular has the nasty side effect of “additionally you may be unable to log in or log in after an extended period of time”.

    Yet in the patches there doesn’t seem to be any extreme changes to the kernel (that my honestly untrained eyes can see) that would cause three pretty common antivirus engines to be totally making computers unusable.

    https://support.microsoft.com/en-us/help/4493472 (the monthly rollup KB) lists ArcaBit as another impacted one.

    Windows 10 1809 also refers to an issue with ArcaBit antivirus.  I am not seeing that reported on any other Windows 10 platform.

    In the cumulative update model it’s a bit harder to tell what exactly Microsoft is fixing.  Dustin Childs (ex-MSRC webcasts/blogger now at Zero day) lists out the patches in their “code” style not in the patch style.  Normally kernel code changes are the most historically and notoriously at fault for interactions with antivirus.  Because A/V hooks into the kernel, changes to that code often have ripple effects.

    Both kernel bugs this month (here and here) don’t give me clues that they might be the ones triggering all of these failures.

    Bottom line I’m giving you no answers tonight, just big warnings.  Don’t install updates just yet… but you knew that one already.

  • Avira confirms that this month’s Win7 and Win10 version 1809 patches slow down PCs running their AV products

    Details on this are a bit sketchy, but Avira just posted an explanation saying:

    Why does my system run very slow?
    We could reproduce the described behavior.
    This is occurring because of a current Windows Update.

    … and goes on to specify the Win10 version 1809 cumulative update KB 4493509, and the Win7 updates KB 4493472 (April Monthly Rollup) and KB 4493448 (Security-only) can lead to the slowdowns.

    As was the case with the first mea culpa from Sophos, I have to wonder if that’s the full list of bad patches.

    I also wonder why Avira’s reporting a slowdown, whereas Sophos and Avast report freezes on startup.

    There are no other details I can find. Microsoft certainly hasn’t acknowledged anything other than a slight misunderstanding with Sophos. C’mon, Softies. You say you’re going to give us better accountability for patches and improved guidance when things turn for the worse. We could use a big dose of that right now.

    The next time somebody tells you that you have to install Microsoft patches as soon as they’re available… oh, never mind. I guess it’s good that some folks volunteer to test this stuff.

    Good synopsis from Lawrence Abrams on BleepingComputer.

  • Widespread reports of freezing with this month’s Win7 Monthly Rollup, KB 4493472, and Win8.1 Monthly rollup KB 4493446

    Spiceworks has a nearly-feature-length litany of problems with KB 4493472.

    DON’T let Windows Automatic Update get to your Windows 7 or 8.1 (or Server 2008 R2 or Server 2012 R2) machines. But you knew that already.

    Thx @BoltsfanKevin (that’s Kevin Hughes)

    UPDATE: Server 2008 R2 machines are falling left and right. From the Sophos Endpoint Security blog:

    SAV service was logging lots of error messages in event log. Event IDs : 7022 (service hang), 80, 81, 83, 85, 82, 566, 608, 592.

    The server became unresponsive, no rdp, no file share access, Ctrl Alt Delete not working.

    Only solution is to uninstall the patch. Which may be difficult.

    ANOTHER UPDATE: Sophos has posted an official acknowledgment, putting the blame on both the Win7 Monthly Rollup and the Win 8.1 Monthly Rollup, KB 4493467:

    If you have not yet performed the update we recommend not doing so.

    If you have performed the update but not yet rebooted we recommend removing the update prior to rebooting.

    If you have performed the update and have rebooted, triggering the issue:

    Boot into safe mode
    Disable the Sophos Anti-Virus service
    Boot into normal mode
    Uninstall the Windows KB
    Enable the Sophos Anti-Virus service

    It’s still much, much too early to tell if the same change in Win7 and 8.1 will also clobber other software. Just sit tight and wait for the MS-DEFCON level to change.

    More details (including a question about precisely which patches are breaking Sophos) in Computerworld Woody on Windows.
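
    A triage check for the situation these posts describe, added here as an example (it is not from Microsoft, Sophos, Avast or Avira). It reports whether any of the KBs named on this page are installed, whether a reboot is still pending, and whether a service from one of the named antivirus products is present. The display-name patterns are assumptions; adjust them to what your endpoints actually show.

    ```powershell
    # KB numbers named in the posts on this page.
    $SuspectKBs = 'KB4493472','KB4493448','KB4493446','KB4493467','KB4493435','KB4493509'
    # Assumption: service display names start with the vendor name.
    $AvPatterns = 'Sophos*','Avast*','Avira*','ArcaBit*'

    function Get-SuspectUpdate {
        param([string[]]$KbList = $SuspectKBs)
        # Get-HotFix lists installed updates; match on HotFixID.
        Get-HotFix | Where-Object { $KbList -contains $_.HotFixID } |
            Select-Object HotFixID, Description, InstalledOn
    }

    function Get-AvService {
        param([string[]]$Patterns = $AvPatterns)
        Get-Service | Where-Object {
            $svc = $_
            $Patterns | Where-Object { $svc.DisplayName -like $_ }
        } | Select-Object Name, DisplayName, Status
    }

    function Test-PendingReboot {
        # Conventional servicing / Windows Update reboot markers.
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        [bool]($keys | Where-Object { Test-Path $_ })
    }

    $installed = @(Get-SuspectUpdate)
    $av        = @(Get-AvService)
    $pending   = Test-PendingReboot

    if ($av.Count -eq 0) {
        'No service matching the named AV products found on this machine.'
    } elseif ($installed.Count -gt 0) {
        Write-Warning 'Listed update(s) installed alongside an affected AV product.'
        $installed | Format-Table -AutoSize
        # Print, do not run: removal is an operator decision.
        foreach ($u in $installed) {
            'wusa.exe /uninstall /kb:{0} /norestart' -f ($u.HotFixID -replace '^KB', '')
        }
    } elseif ($pending) {
        Write-Warning 'Affected AV present and a reboot is pending: review pending updates before restarting.'
    } else {
        'Affected AV present; none of the listed KBs installed. Hold the April updates.'
    }
    ```

    An update that has been staged but not yet completed by a reboot may not appear in Get-HotFix output, which is why the pending-reboot case is reported separately.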

    UPDATE: We’ve had several reports that Avast customers are experiencing the same symptoms. Avast has a mea culpa:

    Windows machines (particularly those running Windows 7) are becoming locked or frozen on startup after Microsoft updates KB4493472, KB4493448, and KB4493435.

    Avast has received reports of an issue affecting our customers running Avast for Business and Avast Cloud Care on Windows machines, particularly those with Windows 7 operating systems. While this problem is currently being researched, we have discovered some temporary solutions to restore functionality to our users.
    1. Reboot your machine into Safe Mode. Our customers are reporting that they are able to get past the login/Welcome screen in Safe Mode.