Newsletter Archives

  • For the second month in a row, McAfee and Sophos are having problems with the Win7/Server 2008 R2 Monthly Rollup and Security-only patches

    After the debacle last month, you’d think that McAfee and Sophos would’ve figured out a way to work with Microsoft’s monthly patches.

    Not so.

Microsoft says that its May 14 Monthly Rollup, KB 4499164, and Security-only patch, KB 4499175, are triggering problems anew:

    Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

    We are presently investigating this issue with McAfee.

    Guidance for McAfee customers can be found in the following McAfee support articles:

    To be clear, this is in addition to the problems we all felt last month. The official Release Information status page says that this particular problem originated on April 9 and has been mitigated. McAfee disagrees: “May 16, 2019 Updated that this issue applies to Windows April 2019 update KBs or later Windows monthly updates.” You can choose which one you believe.

    Microsoft hasn’t yet admitted to the problems with Sophos, but I assure you they will. Here’s what Sophos says:

    We have had an increase in customers reporting that following on from the Microsoft Windows 14th May patches they are experiencing a hang on boot where the machines appear to get stuck on “Configuring 30%”

    Initial findings suggest that this relates to the below Microsoft Patches:

    May 14, 2019—KB4499164 (Monthly Rollup)
    May 14, 2019—KB4499165 (Security-only update)

    We have currently only identified the issue on Windows 7 and Windows Server 2008 R2

    Applies to the following Sophos product(s) and version(s)
    Sophos Endpoint Security and Control
    Sophos Central Endpoint Standard/Advanced

    Why does this feel like deja vu all over again?

    Thx Kevin Beaumont @GossiTheDog.

  • Patch Lady – so I don’t get it

By now you’ve seen the headlines… we have three antivirus products documented as being down for the count when it comes to Windows 7 and 8.1 (and the corresponding Server OS as well). Per https://support.microsoft.com/en-us/help/4493448 , Sophos, Avira and Avast are all causing issues, with machines unresponsive. Avast in particular has the nasty side effect of “additionally you may be unable to log in or log in after an extended period of time”.

Yet in the patches there doesn’t seem to be any extreme change to the kernel (that my honestly untrained eyes can see) that would cause three pretty common antivirus engines to make computers totally unusable.

    https://support.microsoft.com/en-us/help/4493472 (the monthly rollup KB) lists ArcaBit as another impacted one.

Windows 10 1809 also refers to an issue with ArcaBit antivirus. I am not seeing that reported on any other Windows 10 platform.

In the cumulative update model it’s a bit harder to tell what exactly Microsoft is fixing. Dustin Childs (ex-MSRC webcasts/blogger, now at Zero day) lists out the patches in their “code” style, not in the patch style. Historically, kernel code changes are the most notoriously at fault for interactions with antivirus. Because A/V hooks into the kernel, changes to that code often have ripple effects.

    Both kernel bugs this month (here and here) don’t give me clues that they might be the ones triggering all of these failures.

Bottom line: I’m giving you no answers tonight, just big warnings. Don’t install updates just yet… but you knew that one already.

  • Widespread reports of freezing with this month’s Win7 Monthly Rollup, KB 4493472, and Win8.1 Monthly rollup KB 4493446

    Spiceworks has a nearly-feature-length litany of problems with KB 4493472.

    DON’T let Windows Automatic Update get to your Windows 7 or 8.1 (or Server 2008 R2 or Server 2012 R2) machines. But you knew that already.

    Thx @BoltsfanKevin (that’s Kevin Hughes)

    UPDATE: Server 2008 R2 machines are falling left and right. From the Sophos Endpoint Security blog:

SAV service was logging lots of error messages in event log. Event IDs: 7022 (service hang), 80, 81, 83, 85, 82, 566, 608, 592.

    The server became unresponsive, no rdp, no file share access, Ctrl Alt Delete not working.

    Only solution is to uninstall the patch. Which may be difficult.

    ANOTHER UPDATE: Sophos has posted an official acknowledgment, putting the blame on both the Win7 Monthly Rollup and the Win 8.1 Monthly Rollup, KB 4493467:

    If you have not yet performed the update we recommend not doing so.

    If you have performed the update but not yet rebooted we recommend removing the update prior to rebooting.

    If you have performed the update and have rebooted, triggering the issue:

    Boot into safe mode
    Disable the Sophos Anti-Virus service
    Boot into normal mode
    Uninstall the Windows KB
    Enable the Sophos Anti-Virus service
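An added PowerShell example (not code from AskWoody, Sophos, McAfee, Microsoft or Avast) that turns the Sophos recovery steps above and the Event ID 7022 service-hang symptom quoted from the Sophos blog into something an admin can run: it checks whether any of the rollups cited in these posts is installed, whether one of the endpoint products they name is present, and whether the Service Control Manager has logged service hangs, then prints the rollback sequence rather than executing it. The KB numbers are exactly those cited on this page; the display-name pattern used to find the AV services, the seven-day event window and the remediation commands it prints are my assumptions and should be checked against your own build before use.

```powershell
# Added example: pre/post-patch exposure check for the Win7 / 8.1 / Server 2008 R2 / 2012 R2
# rollups discussed in this newsletter. Read-only: it gathers facts and prints the recovery plan.

# KB numbers as cited in the posts above (April and May 2019 Monthly Rollups and Security-only updates).
$ProblemKBs = @('KB4493472', 'KB4493446', 'KB4493467', 'KB4493448', 'KB4493435',
                'KB4499164', 'KB4499165', 'KB4499175')

# Assumption: the products named on this page register services whose display names contain the vendor.
$AvDisplayNamePattern = 'Sophos|McAfee|Avast|Avira|ArcaBit'

function Get-InstalledProblemKB {
    # Returns the Get-HotFix entries whose HotFixID is one of the rollups listed above.
    Get-HotFix | Where-Object { $ProblemKBs -contains $_.HotFixID }
}

function Get-AffectedAvService {
    # Returns services belonging to the endpoint products these posts report hanging after the rollups.
    Get-Service | Where-Object { $_.DisplayName -match $AvDisplayNamePattern }
}

function Get-ServiceHangEvent {
    param([int]$Days = 7)   # look-back window is an assumption, not from the page
    # Event ID 7022 in the System log is the Service Control Manager "service hung on starting" entry
    # that the Sophos blog quote lists first. Suppress the error Get-WinEvent raises when nothing matches.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7022; StartTime = (Get-Date).AddDays(-$Days) } `
        -ErrorAction SilentlyContinue
}

$kbs   = @(Get-InstalledProblemKB)
$av    = @(Get-AffectedAvService)
$hangs = @(Get-ServiceHangEvent)

if ($kbs.Count -eq 0) {
    Write-Host 'None of the rollups cited in this newsletter is installed; nothing to roll back.'
    return
}

if ($av.Count -eq 0) {
    Write-Host "Installed: $($kbs.HotFixID -join ', '), but no Sophos/McAfee/Avast/Avira/ArcaBit service found."
    return
}

Write-Warning "Rollup(s) $($kbs.HotFixID -join ', ') installed alongside $($av.DisplayName -join ', ')."
if ($hangs.Count -gt 0) {
    Write-Warning "$($hangs.Count) service-hang event(s) (ID 7022) logged in the last 7 days; latest: $($hangs[0].TimeCreated)."
}

# Print the Sophos-recommended sequence rather than running it; uninstalling patches is a change
# that belongs in a deliberate maintenance step, not in an exposure check.
Write-Host 'If the machine has NOT been rebooted since the update, remove it before rebooting:'
foreach ($kb in $kbs) {
    $number = $kb.HotFixID -replace '^KB', ''
    Write-Host "    wusa.exe /uninstall /kb:$number /norestart"
}
Write-Host 'If the machine already hangs at boot (Sophos steps: safe mode, disable AV, uninstall, re-enable):'
Write-Host '    bcdedit /set {default} safeboot minimal        # next boot is Safe Mode'
foreach ($svc in $av) {
    Write-Host "    Set-Service -Name '$($svc.Name)' -StartupType Disabled"
}
foreach ($kb in $kbs) {
    $number = $kb.HotFixID -replace '^KB', ''
    Write-Host "    wusa.exe /uninstall /kb:$number /norestart"
}
Write-Host '    bcdedit /deletevalue {default} safeboot        # return to normal boot'
foreach ($svc in $av) {
    Write-Host "    Set-Service -Name '$($svc.Name)' -StartupType Automatic"
}
```

Run it from an elevated PowerShell prompt on one representative Windows 7 or Server 2008 R2 host before the rollup is approved for the fleet, and again on any machine that shows the "Configuring 30%" hang; the bcdedit lines implement the "boot into safe mode / boot into normal mode" steps so the recovery can be driven remotely once the box comes back in Safe Mode with networking disabled.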

    It’s still much, much too early to tell if the same change in Win7 and 8.1 will also clobber other software. Just sit tight and wait for the MS-DEFCON level to change.

    More details (including a question about precisely which patches are breaking Sophos) in Computerworld Woody on Windows.

    UPDATE: We’ve had several reports that Avast customers are experiencing the same symptoms. Avast has a mea culpa:

    Windows machines (particularly those running Windows 7) are becoming locked or frozen on startup after Microsoft updates KB4493472, KB4493448, and KB4493435.

    Avast has received reports of an issue affecting our customers running Avast for Business and Avast Cloud Care on Windows machines, particularly those with Windows 7 operating systems. While this problem is currently being researched, we have discovered some temporary solutions to restore functionality to our users.
    1. Reboot your machine into Safe Mode. Our customers are reporting that they are able to get past the login/Welcome screen in Safe Mode.