Machines running popular AV software go unresponsive after Microsoft Windows update

News by Bradley Barth

Windows update causes headaches for users

April’s Microsoft Windows update has apparently been causing headaches for users who had previously installed anti-virus software from vendors such as Avast, Avira, ArcaBit, McAfee and Sophos.

Users with these AV products who installed the 9 April Windows update may find that their machines become slow or unresponsive following restart, according to the "Known Issues" section of Microsoft’s Monthly Rollup update web page.

So far, two of the affected security vendors, Avast and ArcaBit, have released software updates [1, 2] to mitigate the issue, while McAfee is testing a proof-of-concept fix that is available to customers. Microsoft is assisting Avira and Sophos by temporarily blocking devices with these AV products from receiving the April update until a more permanent solution becomes available.

Avast published a support page specifying that machines running Avast for Business, Avast CloudCare and AVG Business Edition AV software may freeze at the login or Welcome screen upon installation of the latest Windows update. Users may also have to wait a long time to log in, or may not be able to log in at all.

"We have determined that these issues are related to Microsoft updates for Windows 7… and Windows 8.1… and the variant updates dependent on device operating system," the support page states. The AV company has responded by issuing emergency micro-updates for Avast versions 18.7, 18.8, 19.3 and 19.4.

McAfee and Sophos, meanwhile, have issued support articles offering guidance to users while the matter is further analysed and a solution is developed.

McAfee notes that the issue affects devices on which McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 is installed.

"McAfee is investigating this issue and will resolve it in a future update," states McAfee. "A proof-of-concept (POC) build to test a fix is currently available," the company adds, instructing customers to request it by escalating a service request to Technical Support.

Sophos’ support article clarifies that all Sophos endpoint or server products running Windows 7, 8.1, 2008, 2008 R2, 2012 and 2012 R2 are susceptible to the problem, with the lone exception of Sophos Central Intercept X. As a temporary solution, Sophos has introduced a series of exclusions that generally prevent the issue from occurring as long as the device wasn’t rebooted following installation of the Windows update. These exclusions are added automatically for Sophos Central and Enterprise Console customers and must be added manually on UTM-managed and standalone endpoints.

For those already impacted by the problem, Sophos’ support page also offers steps to recover the machine.

The original version of this article was first published on SC Media US.
