News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
  • Avira confirms that this month’s Win7 and Win10 patches slow down PCs running their AV products

      • #351006 Reply
        woody
        Da Boss

        Details on this are a bit sketchy, but Avira just posted an explanation saying: Why does my system run very slow? We could reproduce the described beh
        [See the full post at: Avira confirms that this month’s Win7 and Win10 patches slow down PCs running their AV products]

        5 users thanked author for this post.
      • #351007 Reply
        PKCano
        Da Boss

        Who tests this stuff, anyway??

        5 users thanked author for this post.
      • #351044 Reply
        anonymous
        Guest

        Let me guess.  The fix will be in the previews coming in two weeks?

      • #351053 Reply
        OscarCP
        AskWoody Plus

        Unfortunately, not everyone knows about Woody’s and reads what is advised regularly here. Those of us who do, should know better than to install patches right away. Or to install them sooner than weeks after Patch Tuesday, except in some exceptional emergencies.

        Unless one’s job makes it mandatory to patch everything right away, no matter what. Which, at this point, would seem like a good reason to start discreetly looking for another job.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

        5 users thanked author for this post.
      • #351055 Reply
        Mr. Natural
        AskWoody Plus

        My question is what is Microsoft doing that is now triggering issues with anti-virus products?

        Red Ruffnsore reporting from the front lines.

        2 users thanked author for this post.
        • #351070 Reply
          jabeattyauditor
          AskWoody Lounger

          My question is what is Microsoft doing that is now triggering issues with anti-virus products?

          Closing some of the holes & hooks that antivirus authors used to enable their products to see what they need to see. Malware authors are using the same vulnerabilities to ply their trade.

          6 users thanked author for this post.
        • #351102 Reply
          rc primak
          AskWoody_MVP

          It all comes back to using undocumented APIs and inside the kernel drivers. These practices were bound to come back and bite end users in their backsides from the moment some vendors decided not to pay Microsoft for signed access inside the Windows (at the time Vista) 64-bit kernel.

          Never blame on malice (Microsoft Updates) what can be explained by stupidity (the third party AV vendors and developers).

          BTW, the main reason Windows Defender’s Protected Folders (anti-ransomware) feature must be turned off when you install and use third party security software is these same undocumented “back-doors”.  And some Windows security Updates don’t properly install even though they are listed in your Updates History as “Successfully Installed” when these undocumented “back-doors” are present and active. I’m not just talking about Feature Updates.

          My advice is, if you are on at least Windows 10 Version 1709, ditch all active third party security products and use the Windows 10 Firewall, the Protected Folders feature and Windows Defender.

          And stop blaming Microsoft for things which are not within Microsoft’s power to anticipate.

          -- rc primak

          4 users thanked author for this post.
          • #351269 Reply
            Mr. Natural
            AskWoody Plus

            I can’t speak for Susan but I know she’s been in favor of that position as well. (Just using w10 Defender) I have to admit I haven’t seen Microsoft so dedicated to AV protection since MS-DOS. I wonder why that is?…..

            Red Ruffnsore reporting from the front lines.

            1 user thanked author for this post.
        • #351274 Reply
          Geo
          AskWoody Lounger

          Probably want you to use MSE or Defender instead.

          1 user thanked author for this post.
      • #351057 Reply
        abbodi86
        AskWoody_MVP

        Like my fellow @ch100 once said, security updates and fixing vulnerabilities is about adding more restrictions and hardening the code

        the risk of side effect issues will always be present 🙂

        7 users thanked author for this post.
        • #351066 Reply
          Microfix
          AskWoody MVP

          ‘Can of worms’ and I don’t envy the task, especially when attributes affect third party security. One small error can result in huge consequences.
          Heck, even parsers will need updating as the complexity of algorithms and code increase.
          Moore’s law in code..whoah!

          Win7 Pro x86/x64 | Win8.1 Pro x64 | Linux Hybrids x86/x64 |
        • #351076 Reply
          woody
          Da Boss

          Agree wholeheartedly, but….

          If these patches were tested properly, the AV manufacturers would have a chance to fix their products and get the fixes out before they clobber all of their customers.

          3 users thanked author for this post.
      • #351082 Reply
        krweaver
        AskWoody Lounger

        I just navigated here from Windows Secrets but for the life of me cannot find what used to be a “spreadsheets” forum … where is it now on this site?

        1 user thanked author for this post.
        • #351093 Reply
          PKCano
          Da Boss

          Welcome to AskWoody!

          The “map” of the Forums is in the panel (woodgrain) on the right of the page at the bottom under “Forums.” See the spreadsheet Forum near the bottom of the screenshot. The topics are listed if you click on the link, or you can create your own topic at the bottom of the list.

          1 user thanked author for this post.
        • #351139 Reply
          woody
          Da Boss

          There’s also a hotlinked cross-reference on the Welcome! page.

          In this case, look down the left side and when you hit Spreadsheets, click the link on the right side.

          We haven’t yet started importing the Windows Secrets Topics (Questions) or Replies (Posts), but give us a few hours. In the interim, post away! Many of the VIPs you know from Windows Secrets are here to help.

      • #351153 Reply
        OscarCP
        AskWoody Plus

        So how does this AV problem get fixed? If it turned out that one’s AV is playing up as reported some already are, what can a user do to ford this nasty mess and reach the other shore, there to keep going with his/her work, or to continue enjoying the favorite online fun activities in relative safety? Find another AV? How to tell an OK one from a bad one? Any ideas?

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

        • #351178 Reply
          warrenrumak
          AskWoody Plus

          Unfortunately, you just can’t tell a “good” AV from a “bad” one just by looking at it, or by considering its reputation.  You might as well be trying to tell if a house has a slight crack in the foundation by looking at it using Google Maps.

          The quality of software is only as good as the people who are working on it at the time.  AV companies, like all software firms, see people come and go over time.  All it takes is one less experienced developer to overlook something subtle but critical, and *boom*, “Avira Antivirus update cripples millions of Windows PCs” (dated 2012).

          So….. do as we’ve always done:  test before deploy.

          1 user thanked author for this post.
          • #351185 Reply
            OscarCP
            AskWoody Plus

            Thanks, Warrenrumak for that unsparing comment. But I’m afraid that, things as they are in my case, humble single-user on foot that I am, for me it has to be “deploy and test”. And if it’s no good, and if the machine still is in one piece and only slightly smoking, then uninstall and hope for better luck next time.

            Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

            • #351205 Reply
              anonymous
              Guest

              For myself, who only has a single laptop that still runs Windows, by following details on ask woody I choose to observe while others do the testing, then deploy on the all clear signal. No stress, no smoldering chassis, no craters, no garments torn asunder. An inspired existence. Thanks Woody et al.

              • #351210 Reply
                OscarCP
                AskWoody Plus

                Hmmm… That is also usually my approach to installing under dubious circumstances. But in this case there are so many AV products, each a potentially primed software hand grenade… the chances that someone else will get blown up when reaching for my particular brand of AV (and also that I’ll hear about it) are not really great.

                Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

              • #351229 Reply
                anonymous
                Guest

                My calendar suggests there may be three more weeks of observation time available in my “testing” phase, where others are doing the testing. Should I still be trembling at that time, I will know that saving a new image of my current system, and disconnecting the drive that holds that image, before updating will allow me a straight forward path to recovery. There is a zen like calm in making preparations. Granted this is easier to achieve on stand alone systems like yours and mine.

          • #352926 Reply
            rc primak
            AskWoody_MVP

            It gets a lot simpler (though not failsafe) when we’re only dealing with potential issues with one antivirus program. That would be Windows Defender.

            I do use scanners and even Cloud AV programs to supplement Windows Defender. This has provided plenty of protections for when I absolutely must use Windows online. But to be honest, I use Linux most of the time by far, especially for sensitive financial and health care online activities.

            For Linux I do scan with ClamAV. And the anti-Rootkit programs Chkrootkit and RKHunter. Command Line programs are not fun to run and collect logs, but they do allow a thorough investigation of anything suspicious which may be found. Realistically, Linux-specific infections are rare, but there’s always something to look at with Virus Total after even Linux scans.

            Windows scans with Windows AV scanners don’t provide nearly so much fun for me. But then, I do clean up after my web browsers, I have disabled Edge’s new run in the background and self-restart properties in the Group Policies, and I clean the system with CCleaner and Glary Utilities, following through with monthly runs of Disk Cleanup or Storage Sense. So there’s little left over to fuss with for the AV scanners. Just new updates and new user data mostly. Maybe the occasional stray adware PUP.

            So there is a place in my world for third party on-demand products and heuristics scanners. Just not their active shields. Those are what worm their way inside the 64-bit Windows kernel and can wreak havoc with updates and upgrades.

            -- rc primak

      • #351194 Reply
        PKCano
        Da Boss

        If Microsoft had been doing any kind of testing, they would have been aware of the BSOD (in fact, they probably were).
        These are major AVs we’re talking about, on millions of PCs.
        They could have blocked the AVs and prevented the problems.
        In fact, back in the first quarter of 2018, they blocked ALL AVs unless the AVs put a value in the Registry.

        It may be the AVs are RESPONSIBLE for VIOLATING the security RULES.

        But it is Microsoft that is RESPONSIBLE for ALLOWING the CHAOS that affected millions of their customers.

        3 users thanked author for this post.
        • #351287 Reply
          warrenrumak
          AskWoody Plus

          I get that it’s fun to use bold and caps and cast blame and all that….

          But what’s Microsoft supposed to do if, say, only 95% of AV vendors update their software in a timely fashion?

          Is the security of the entire Windows ecosystem supposed to be put on hold because the dev lead for some AV product is on their honeymoon?  And the PFY that tries to fix it in their stead cacks it all up?

          Nobody has a good answer to this.

          It’s a tough problem.  Pretending it isn’t serves no useful purpose.

          1 user thanked author for this post.
          • #351291 Reply
            OscarCP
            AskWoody Plus

            PFY? BOFH? The Boss? Uncle Brian? Kudos to you, Sir!

            But, caps or not, I think PK is right: MS should have done something earlier and been a little more mindful of us poor Windows users, but waited instead until the last possible moment to unleash their reformist zeal.

            Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

          • #351345 Reply
            PKCano
            Da Boss

            What is the actual outcome of absolving Microsoft of the blame, then?

            People install the updates.
            They get a BSOD.
            What do they do to recover from the problem, to be able to continue the operations necessary to business and personal needs?
            They don’t change AV products.
            They uninstall the update that was supposed to protect them from a vulnerability, so they can get back to business.
            They continue using the AV product that is violating the security rules (making them even more vulnerable) until the AV can be revised.

            And what’s been accomplished?
            Nothing.
            They have neither the update nor a secure AV product.
            But they have a monumental amount of disruption.

            It seems Microsoft’s intention is to make it impossible to use any other security product but their own.
            Sorta reminds me of the Internet Explorer/Media Center thing.

            3 users thanked author for this post.
            • #352988 Reply
              rc primak
              AskWoody_MVP

              More likely, it is Microsoft’s intention to get the third party security vendors to obtain legitimate signed access inside the 64-bit Windows kernel, and to pay up for the privilege.

              As long as the piggy-bank gets filled, MS don’t care how they do it.

              Just don’t try to avoid paying and getting approval and then complain about MS Updates breaking your “backdoors”.

              -- rc primak

        • #351310 Reply
          mn–
          AskWoody Lounger

          Yeah, there’s something just not right in all this.

          I mean, in a case like this, was it a change in supported and documented behavior (a documented API or some such) or something that was supposed to be purely internal structures?

          Now it’s perfectly natural that an antimalware solution that scans on file access and such, will cause a performance penalty. That’s just basic math. How much of a performance penalty, that’s the good question.

          Then there’s the decision on what to do if the scan starts to take time. It’ll devolve into the “halting problem” eventually, but meanwhile – when do you abort the scanning process, do you fall back to allow or deny, and what’s this going to cause down the line then?

          Given how this same general problem also exists on Linux where, by definition, there’s no such thing as an undocumented internal kernel interface… and yes, some of the security products do hook into things quite deeply…

          The actual question still is, why wasn’t this tested, found and documented before public release?
          … yeah, right, not that the answer to that is all that surprising…

          • #353036 Reply
            rc primak
            AskWoody_MVP

            There are documented ways to gain direct access inside the Windows 64-bit kernel. But you do need to ask permission from Microsoft, and pay for and maintain a Signed Certificate.

            -- rc primak

      • #351206 Reply
        Myst
        AskWoody Plus

        Who tests this stuff, anyway??

        Thought I saw a bunch of laughing hyenas walking into Microsoft with signs around their necks that said “MS Beta Tester”. And then they laughed.

        Win7 SP1 Home 64-bit, GrpA / MacOS / Chromebook

        2 users thanked author for this post.
      • #351212 Reply
        anonymous
        Guest

        Seems that the update is also causing issues with McAfee.  Installed this month’s update on several machines and it seems to block virus database updates.  Uninstalled April’s update and am able to receive McAfee database updates again.

        • #351233 Reply
          anonymous
          Guest

          Any word on Kaspersky from “beta tester” victims?

          • #351399 Reply
            Myst
            AskWoody Plus

            Any word on Kaspersky from “beta tester” victims?

             
            Comments at BleepingComputer – somebody reported Kaspersky was also affected on their system. https://www.bleepingcomputer.com/news/microsoft/microsofts-april-2019-updates-are-causing-windows-to-freeze/

            Comment is as follows –
            20 hours ago
 
            “I have a notebook with Windows 10 Home v1809 installed. After installing April 2019 Update, it restarted and crashed right into the repair screen, no longer booting the operating system. I use Kaspersky Internet Security and Malwarebytes Premium, so apparently the list of incompatibilities is higher.”

            Win7 SP1 Home 64-bit, GrpA / MacOS / Chromebook

            3 users thanked author for this post.
          • #351406 Reply
            jabeattyauditor
            AskWoody Lounger

            Any word on Kaspersky from “beta tester” victims?

            Two laptops at home, both running 1809 and the Kaspersky Free version. No problems with any current updates – fully patched.

            No issues at the office where we use Symantec Endpoint and Dell Threat Defense (re-branded Cylance).

            1 user thanked author for this post.
            • #351505 Reply
              Myst
              AskWoody Plus

              Any word on Kaspersky from “beta tester” victims?

              Two laptops at home, both running 1809 and the Kaspersky Free version. No problems with any current updates – fully patched. No issues at the office where we use Symantec Endpoint and Dell Threat Defense (re-branded Cylance).

              The comment on BleepingComputer might have referred to their problem being with Malwarebytes because they mentioned that AV also. Or could be the Kaspersky Free version you use isn’t a problem with this Win update. My advice to anyone and as Woody now states, Defcon1, don’t update

              Win7 SP1 Home 64-bit, GrpA / MacOS / Chromebook

              1 user thanked author for this post.
        • #351333 Reply
          woody
          Da Boss

          Do you have a link to a description?

        • #402094 Reply
          manual
          AskWoody Lounger

          Which McAfee? What version?

      • #351262 Reply
        OscarCP
        AskWoody Plus

        OK: I have a PC running Windows 7 Pro, x64 SP1, and am in no hurry to install this month’s Security Only update. Three weeks from now, or even longer, we’ll see. Maybe someone will try to use, before then, Webroot SecurityOnly, the brand of my AV, gets burned doing that, cries out in agony and so lets everyone know, before then.

        In case I missed it: is there anything that makes this particular Security Only update a “must install as soon as possible” one?

        Win 7 (Group B) + M&L

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

      • #351276 Reply
        Geo
        AskWoody Lounger

        I use MSE and Adwcleaner.  No problems with them.

        1 user thanked author for this post.
        • #353075 Reply
          rc primak
          AskWoody_MVP

          Adwcleaner is not active antivirus. It’s a specialized on-demand scanner. It isn’t involved in these issues.

          -- rc primak

      • #351305 Reply
        Rawr
        AskWoody Lounger

        Good thing this issue isn’t prevalent in all AV vendors. I’m not experiencing any issues with ESET AV.

      • #351426 Reply
        anonymous
        Guest

        Windows 10 Version 1809 Build 17763.437, F-Secure SAFE version 17.5

        All good here, no speed issues after latest updates.

        When was the last time Woody told readers to take a full system backup before updating on Patch Tuesday?  Just asking.

        • #353747 Reply
          anonymous
          Guest

          “When was the last time Woody told readers to take a full system backup before updating on Patch Tuesday? Just asking.”

          Your question might have been facetious or rhetorical, but it has been Step One in every guide to updating that Woody sends to Computerworld in my limited memory. Recently, for the sake of an example, https://www.computerworld.com/article/3386396/it-s-time-to-install-the-march-windows-and-office-patches.html

          Also, remember that for the current topic of discussion, the updating guide has not been written yet. Big Red MSDEFCON-1 and all that.

          1 user thanked author for this post.
      • #351563 Reply
        joep517
        AskWoody MVP

        It is easy and convenient to bash Microsoft and blame them for the problem. BUT, we do not know and probably never will know the true reason.

        Is it as RC Primak said above that the primary fault lies with the AV vendors for using undocumented APIs? Is it Microsoft’s fault for introducing a new restriction in a valid API that was not documented and disseminated to the AV vendors? If the AV vendors are using undocumented APIs that is their fault. Any programmer worth their salt knows that an undocumented method can be changed or disabled at any time without notice.

        PK Cano posits that Microsoft should have caught this in testing and notified the vendors. Maybe they did. They may have notified the vendors and the vendors ignored it. Microsoft may not have given the vendors enough time to rectify the situation. The AV vendors are never going to admit fault for that would potentially damage their reputation(s). It is always easier to blame Microsoft.

        Maybe Microsoft did not catch it. We do not know if this is a general condition for all Avira (and other 3rd party AV) users or if it affects a certain configuration(s) only. There is no way Microsoft can test all the hardware and software configurations. I’m sure they run an automated test suite over hundreds and probably thousands of machines. But that is a mere drop in the bucket of the configurations that can exist.

        --Joe

        6 users thanked author for this post.
        • #353080 Reply
          rc primak
          AskWoody_MVP

          So now that we know all this, what do we do? What should Microsoft do?

          -- rc primak

        • #374947 Reply
          DrBonzo
          AskWoody Plus

          This is actually a very simple issue.

          Microsoft issued a bad patch. As the issuer of said patch they need to step up and take responsibility for it and get it fixed.

          If an AV vendor had issued a bad patch, then that vendor would need to step up and take responsibility for it and get it fixed.

          If I was an executive at MS I would want to prevent this sort of thing from happening again. In order to do that I would need to know if it was my guy(s) or the other vendor’s guy(s) who made the mistake(s) (realizing that it could well have been a combination of my and their guy(s) who are at fault). But as a customer, I don’t really care about who’s to blame. What I see is that I’m using an MS operating system and applying an MS patch that bricks my computer. Microsoft, you need to get it fixed! Now!

          1 user thanked author for this post.
      • #353968 Reply
        b
        AskWoody Plus

        1809 CU now lists ArcaBit (but not Avira) AV as a known issue:

        Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to freeze or hang upon restart after installing this update.

        We are presently investigating this issue with ArcaBit and will provide an update when available.

        April 9, 2019—KB4493509 (OS Build 17763.437)

        Windows 10 Pro Version 2004: Group ASAP (chump/pioneer)

        2 users thanked author for this post.
        • #354263 Reply
          woody
          Da Boss

          How about that….

          ArcaBit is a Polish antivirus program. And this particular report doesn’t sound like the slow-as-sludge reports I’ve seen. I bet we have another shoe yet to drop.

      • #354466 Reply
        b
        AskWoody Plus

        Windows 7 updates now have known issues listed for Avira, Avast, AVG, ArcaBit, Sophos:

        (with blocks or guidance links)

        April 9, 2019—KB4493448 (Security-only update)

        April 9, 2019—KB4493472 (Monthly Rollup)

        Windows 10 Pro Version 2004: Group ASAP (chump/pioneer)

        2 users thanked author for this post.
      • #362699 Reply
        CyGuy
        AskWoody Plus

        Please forgive my ignorance but this is a bit mind-boggling for civilians.  Does this problem currently affect all versions of Avast (e.g. free) with all versions of Windows 10?

        • #363077 Reply
          PKCano
          Da Boss

          According to the MS pages as of 4/13 am (server time):
          Avira and Sophos are blocked on Win7/8.1, Avast has issued an Emergency Update, and MS is investigating ArcaBit.
          ArcaBit has a known issue for Win10 1809.
          I don’t see anything on the Win10 1803 page.

          2 users thanked author for this post.
      • #370239 Reply
        EP
        AskWoody_MVP

        Any word on Kaspersky from “beta tester” victims?

        Two laptops at home, both running 1809 and the Kaspersky Free version. No problems with any current updates – fully patched. No issues at the office where we use Symantec Endpoint and Dell Threat Defense (re-branded Cylance).

        The comment on BleepingComputer might have referred to their problem being with Malwarebytes because they mentioned that AV also. Or could be the Kaspersky Free version you use isn’t a problem with this Win update. My advice to anyone and as Woody now states, Defcon1, don’t update

        I’ve installed the KB4493509 update on my Win10 v1809 machine that has just Windows Defender & Malwarebytes free edition and I am not experiencing any problems with that update. Maybe it happens with just Malwarebytes Premium and not the free version.

      • #374982 Reply
        anonymous
        Guest

        Conjecture: While we debate the blame for allowing or misusing APIs, I notice that there does not seem to be a consistent pattern in the wilderness*. I propose that in addition to the known actors, Microsoft’s OS and many vendors’ security products, there are the unknown actors and their malware. Is it possible that the common element is an agent that afflicts systems only when infected? Doesn’t even have to be blackhat, could be a normally benign agent that is not accounted for in “testing”.

        * I do note there have been large networks that show 100%, or nearly so, rates. Those are also likely to have consistent profiles and cross contamination anyway.

        • #441613 Reply
          rc primak
          AskWoody_MVP

          This is possible, but in my less than expert opinion, doubtful at present.

          Anyway, such a roundabout explanation seems to me to be premature and unnecessary. It violates Occam’s Razor (the simplest explanation is often the correct one).

          -- rc primak

      • #429962 Reply
        abbodi86
        AskWoody_MVP

        https://support.microsoft.com/en-us/help/4493472/windows-7-update-kb4493472

        It seems Avast and ArcaBit had fixed their products

        5 users thanked author for this post.