  • Avira confirms that this month’s Win7 and Win10 patches slow down PCs running their AV products


    This topic contains 63 replies, has 21 voices, and was last updated by  rc primak 4 months, 1 week ago.

    • #351006 Reply

      woody
      Da Boss

      Details on this are a bit sketchy, but Avira just posted an explanation saying: Why does my system run very slow? We could reproduce the described beh
      [See the full post at: Avira confirms that this month’s Win7 and Win10 patches slow down PCs running their AV products]

      5 users thanked author for this post.
    • #351007 Reply

      PKCano
      Da Boss

      Who tests this stuff, anyway??

      5 users thanked author for this post.
    • #351044 Reply

      anonymous

      Let me guess.  The fix will be in the previews coming in two weeks?

    • #351053 Reply

      OscarCP
      AskWoody Plus

      Unfortunately, not everyone knows about Woody’s and reads what is advised regularly here. Those of us who do, should know better than to install patches right away. Or to install them sooner than weeks after Patch Tuesday, except in some exceptional emergencies.

      Unless one’s job makes it mandatory to patch everything right away, no matter what. Which, at this point, would seem like a good reason to start discreetly looking for another job.

      5 users thanked author for this post.
    • #351055 Reply

      Mr. Natural
      AskWoody Plus

      My question is what is Microsoft doing that is now triggering issues with anti-virus products?

      Red Ruffnsore reporting from the front lines.

      2 users thanked author for this post.
      • #351070 Reply

        jabeattyauditor
        AskWoody Lounger

        My question is what is Microsoft doing that is now triggering issues with anti-virus products?

        Closing some of the holes & hooks that antivirus authors used to enable their products to see what they need to see. Malware authors are using the same vulnerabilities to ply their trade.

        6 users thanked author for this post.
      • #351102 Reply

        rc primak
        AskWoody_MVP

        It all comes back to using undocumented APIs and inside the kernel drivers. These practices were bound to come back and bite end users in their backsides from the moment some vendors decided not to pay Microsoft for signed access inside the Windows (at the time Vista) 64-bit kernel.

        Never blame on malice (Microsoft Updates) what can be explained by stupidity (the third party AV vendors and developers).

        BTW, the main reason Windows Defender’s Protected Folders (anti-ransomware) feature must be turned off when you install and use third party security software is these same undocumented “back-doors”.  And some Windows security Updates don’t properly install even though they are listed in your Updates History as “Successfully Installed” when these undocumented “back-doors” are present and active. I’m not just talking about Feature Updates.

        My advice is, if you are on at least Windows 10 Version 1709, ditch all active third party security products and use the Windows 10 Firewall, the Protected Folders feature and Windows Defender.

        And stop blaming Microsoft for things which are not within Microsoft’s power to anticipate.

        -- rc primak

        4 users thanked author for this post.
        • #351269 Reply

          Mr. Natural
          AskWoody Plus

          I can’t speak for Susan but I know she’s been in favor of that position as well. (Just using w10 Defender) I have to admit I haven’t seen Microsoft so dedicated to AV protection since MS-DOS. I wonder why that is?…..

          Red Ruffnsore reporting from the front lines.

          1 user thanked author for this post.
      • #351274 Reply

        Geo
        AskWoody Plus

        Probably want you to use MSE or Defender instead.

        1 user thanked author for this post.
    • #351057 Reply

      abbodi86
      AskWoody_MVP

      Like my fellow @ch100 once said, security updates and fixing vulnerabilities is about adding more restrictions and hardening the code

      the risk of side effect issues will always be present 🙂

      7 users thanked author for this post.
      • #351066 Reply

        Microfix
        Da Boss

        ‘Can of worms’ and I don’t envy the task, especially when attributes affect third party security. One small error, can result in huge consequences.
        Heck, even parsers will need updating as the complexity of algorithms and code increase.
        Moore’s law in code..whoah!

        ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

      • #351076 Reply

        woody
        Da Boss

        Agree wholeheartedly, but….

        If these patches were tested properly, the AV manufacturers would have a chance to fix their products and get the fixes out before they clobber all of their customers.

        3 users thanked author for this post.
    • #351082 Reply

      krweaver
      AskWoody Lounger

      I just navigated here from Windows Secrets but for the life of me cannot find what used to be a “spreadsheets” forum … where is it now on this site?

      1 user thanked author for this post.
      • #351093 Reply

        PKCano
        Da Boss

        Welcome to AskWoody!

        The “map” of the Forums is in the panel (woodgrain) on the right of the page at the bottom under “Forums.” See the spreadsheet Forum near the bottom of the screenshot. The topics are listed if you click on the link, or you can create your own topic at the bottom of the list.

        1 user thanked author for this post.
      • #351139 Reply

        woody
        Da Boss

        There’s also a hotlinked cross-reference on the Welcome! page.

        In this case, look down the left side and when you hit Spreadsheets, click the link on the right side.

        We haven’t yet started importing the Windows Secrets Topics (Questions) or Replies (Posts), but give us a few hours. In the interim, post away! Many of the VIPs you know from Windows Secrets are here to help.

    • #351153 Reply

      OscarCP
      AskWoody Plus

      So how does this AV problem get fixed? If it turned out that one’s AV is playing up as reported some already are, what can a user do to ford this nasty mess and reach the other shore, there to keep going with his/her work, or to continue enjoying the favorite online fun activities in relative safety? Find another AV? How to tell an OK one from a bad one? Any ideas?

      • #351178 Reply

        warrenrumak
        AskWoody Plus

        Unfortunately, you just can’t tell a “good” AV from a “bad” one just by looking at it, or by considering its reputation.  You might as well be trying to tell if a house has a slight crack in the foundation by looking at it using Google Maps.

        The quality of software is only as good as the people who are working on it at the time.  AV companies, like all software firms, see people come and go over time.  All it takes is one less experienced developer to overlook something subtle but critical, and *boom*, “Avira Antivirus update cripples millions of Windows PCs” (dated 2012).

        So….. do as we’ve always done:  test before deploy.

        1 user thanked author for this post.
        • #351185 Reply

          OscarCP
          AskWoody Plus

          Thanks, Warrenrumak for that unsparing comment. But I’m afraid that, things as they are in my case, humble single-user on foot that I am, for me it has to be “deploy and test”. And if it’s no good, and if the machine still is in one piece and only slightly smoking, then uninstall and hope for better luck next time.

          • #351205 Reply

            anonymous

            For myself, who only has a single laptop that still runs Windows, by following details on ask woody I choose to observe while others do the testing, then deploy on the all clear signal. No stress, no smoldering chassis, no craters, no garments torn asunder. An inspired existence. Thanks Woody et al.

            • #351210 Reply

              OscarCP
              AskWoody Plus

              Hmmm… That is also usually my approach to installing under dubious circumstances. But in this case there are so many AV products, each a potentially primed software hand grenade… the chances that someone else will get blown up when reaching for my particular brand of AV (and also that I’ll hear about it) are not really great.

            • #351229 Reply

              anonymous

              My calendar suggests there may be three more weeks of observation time available in my “testing” phase, where others are doing the testing. Should I still be trembling at that time, I will know that saving a new image of my current system, and disconnecting the drive that holds that image, before updating will allow me a straight forward path to recovery. There is a zen like calm in making preparations. Granted this is easier to achieve on stand alone systems like yours and mine.

        • #352926 Reply

          rc primak
          AskWoody_MVP

          It gets a lot simpler (though not failsafe) when we’re only dealing with potential issues with one antivirus program. That would be Windows Defender.

          I do use scanners and even Cloud AV programs to supplement Windows Defender. This has provided plenty of protections for when I absolutely must use Windows online. But to be honest, I use Linux most of the time by far, especially for sensitive financial and health care online activities.

          For Linux I do scan with ClamAV. And the anti-Rootkit programs Chkrootkit and RKHunter. Command Line programs are not fun to run and collect logs, but they do allow a thorough investigation of anything suspicious which may be found. Realistically, Linux-specific infections are rare, but there’s always something to look at with Virus Total after even Linux scans.

          Windows scans with Windows AV scanners don’t provide nearly so much fun for me. But then, I do clean up after my web browsers, I have disabled Edge’s new run in the background and self-restart properties in the Group Policies, and I clean the system with CCleaner and Glary Utilities, following through with monthly runs of Disk Cleanup or Storage Sense. So there’s little left over to fuss with for the AV scanners. Just new updates and new user data mostly. Maybe the occasional stray adware PUP.

          So there is a place in my world for third party on-demand products and heuristics scanners. Just not their active shields. Those are what worm their way inside the 64-bit Windows kernel and can wreak havoc with updates and upgrades.

          -- rc primak

    • #351194 Reply

      PKCano
      Da Boss

      If Microsoft had been doing any kind of testing, they would have been aware of the BSOD (in fact, they probably were).
      These are major AVs we’re talking about, on millions of PCs.
      They could have blocked the AVs and prevented the problems.
      In fact, back in the first quarter of 2018, they blocked ALL AVs unless the AVs put a value in the Registry.

      It may be the AVs are RESPONSIBLE for VIOLATING the security RULES.

      But it is Microsoft that is RESPONSIBLE for ALLOWING the CHAOS that affected millions of their customers.

      3 users thanked author for this post.
      • #351287 Reply

        warrenrumak
        AskWoody Plus

        I get that it’s fun to use bold and caps and cast blame and all that….

        But what’s Microsoft supposed to do if, say, only 95% of AV vendors update their software in a timely fashion?

        Is the security of the entire Windows ecosystem supposed to be put on hold because the dev lead for some AV product is on their honeymoon?  And the PFY that tries to fix it in their stead cacks it all up?

        Nobody has a good answer to this.

        It’s a tough problem.  Pretending it isn’t serves no useful purpose.

        1 user thanked author for this post.
        • #351291 Reply

          OscarCP
          AskWoody Plus

          PFY? BOFH? The Boss? Uncle Brian? Kudos to you, Sir!

          But, caps or not, I think PK is right: MS should have done something earlier and been a little more mindful of us poor Windows users, but waited instead until the last possible moment to unleash their reformist zeal.

        • #351345 Reply

          PKCano
          Da Boss

          What is the actual outcome of absolving Microsoft of the blame, then?

          People install the updates.
          They get a BSOD.
          What do they do to recover from the problem, to be able to continue the operations necessary to business and personal needs?
          They don’t change AV products.
          They uninstall the update that was supposed to protect them from a vulnerability, so they can get back to business.
          They continue using the AV product that is violating the security rules (making them even more vulnerable) until the AV can be revised.

          And what’s been accomplished?
          Nothing.
          They have neither the update nor a secure AV product.
          But they have a monumental amount of disruption.

          It seems Microsoft’s intention is to make it impossible to use any other security product but their own.
          Sorta reminds me of the Internet Explorer/Media Center thing.

          3 users thanked author for this post.
          • #352988 Reply

            rc primak
            AskWoody_MVP

            More likely, it is Microsoft’s intention to get the third party security vendors to obtain legitimate signed access inside the 64-bit Windows kernel, and to pay up for the privilege.

            As long as the piggy-bank gets filled, MS don’t care how they do it.

            Just don’t try to avoid paying and getting approval and then complain about MS Updates breaking your “backdoors”.

            -- rc primak

      • #351310 Reply

        mn–
        AskWoody Lounger

        Yeah, there’s something just not right in all this.

        I mean, in a case like this, was it a change in supported and documented behavior (a documented API or some such) or something that was supposed to be purely internal structures?

        Now it’s perfectly natural that an antimalware solution that scans on file access and such, will cause a performance penalty. That’s just basic math. How much of a performance penalty, that’s the good question.

        Then there’s the decision on what to do if the scan starts to take time. It’ll devolve into the “halting problem” eventually, but meanwhile – when do you abort the scanning process, do you fall back to allow or deny, and what’s this going to cause down the line then?

        Given how this same general problem also exists on Linux where, by definition, there’s no such thing as an undocumented internal kernel interface… and yes, some of the security products do hook into things quite deeply…

        The actual question still is, why wasn’t this tested, found and documented before public release?
        … yeah, right, not that the answer to that is all that surprising…

        • #353036 Reply

          rc primak
          AskWoody_MVP

          There are documented ways to gain direct access inside the Windows 64-bit kernel. But you do need to ask permission from Microsoft, and pay for and maintain a Signed Certificate.

          -- rc primak

    • #351206 Reply

      willygirl
      AskWoody Plus

      Who tests this stuff, anyway??

      Thought I saw a bunch of laughing hyenas walking into Microsoft with signs around their necks that said “MS Beta Tester”. And then they laughed

      Win7 SP1 Home 64-bit; Office 2010; GrpA, when all is said, done and fixed, Mac OSX to help me sleep at night.

      2 users thanked author for this post.
    • #351212 Reply

      anonymous

      Seems that the update is also causing issues with McAfee.  Installed this month’s update on several machines and it seems to block virus database updates.  Uninstalled April’s update and am able to receive McAfee database updates again.

      • #351233 Reply

        anonymous

        Any word on Kaspersky from “beta tester” victims?

        • #351399 Reply

          willygirl
          AskWoody Plus

          Any word on Kaspersky from “beta tester” victims?

           
          Comments at BleepingComputer – somebody reported Kaspersky was also affected on their system. https://www.bleepingcomputer.com/news/microsoft/microsofts-april-2019-updates-are-causing-windows-to-freeze/

          Comment is as follows –
          20 hours ago
 
          “I have a notebook with Windows 10 Home v1809 installed. After installing April 2019 Update, it restarted and crashed right into the repair screen, no longer booting the operating system. I use Kaspersky Internet Security and Malwarebytes Premium, so apparently the list of incompatibilities is higher.”

          Win7 SP1 Home 64-bit; Office 2010; GrpA, when all is said, done and fixed, Mac OSX to help me sleep at night.

          3 users thanked author for this post.
        • #351406 Reply

          jabeattyauditor
          AskWoody Lounger

          Any word on Kaspersky from “beta tester” victims?

          Two laptops at home, both running 1809 and the Kaspersky Free version. No problems with any current updates – fully patched.

          No issues at the office where we use Symantec Endpoint and Dell Threat Defense (re-branded Cylance).

          1 user thanked author for this post.
          • #351505 Reply

            willygirl
            AskWoody Plus

            Any word on Kaspersky from “beta tester” victims?

            Two laptops at home, both running 1809 and the Kaspersky Free version. No problems with any current updates – fully patched. No issues at the office where we use Symantec Endpoint and Dell Threat Defense (re-branded Cylance).

            The comment on BleepingComputer might have referred to their problem being with Malwarebytes because they mentioned that AV also. Or could be the Kaspersky Free version you use isn’t a problem with this Win update. My advice to anyone and as Woody now states, Defcon1, don’t update

            Win7 SP1 Home 64-bit; Office 2010; GrpA, when all is said, done and fixed, Mac OSX to help me sleep at night.

            1 user thanked author for this post.
      • #351333 Reply

        woody
        Da Boss

        Do you have a link to a description?

      • #402094 Reply

        manual
        AskWoody Lounger

        which mcafee? what version?

    • #351262 Reply

      OscarCP
      AskWoody Plus

      OK: I have a PC running Windows 7 Pro, x64 SP1, and am in no hurry to install this month’s Security Only update. Three weeks from now, or even longer, we’ll see. Maybe someone will try to use, before then, Webroot SecurityOnly, the brand of my AV, gets burned doing that, cries out in agony and so lets everyone know, before then.

      In case I missed it: is there anything that makes this particular Security Only update a “must install as soon as possible” one?

      Win 7 (Group B) + M&L

    • #351276 Reply

      Geo
      AskWoody Plus

      I use MSE and Adwcleaner.  No problems with them.

      1 user thanked author for this post.
      • #353075 Reply

        rc primak
        AskWoody_MVP

        Adwcleaner is not active antivirus. It’s a specialized on-demand scanner. It isn’t involved in these issues.

        -- rc primak

    • #351305 Reply

      Rawr
      AskWoody Lounger

      Good thing this issue isn’t prevalent in all AV vendors. I’m not experiencing any issues with ESET AV.

    • #351426 Reply

      anonymous

      Windows 10 Version 1809 Build 17763.437, F-Secure SAFE version 17.5

      All good here, no speed issues after latest updates.

      When was the last time Woody told readers to take a full system backup before updating on Patch Tuesday?  Just asking.

      • #353747 Reply

        anonymous

        “When was the last time Woody told readers to take a full system backup before updating on Patch Tuesday? Just asking.”

        Your question might have been facetious or rhetorical, but it has been Step One in every guide to updating that Woody sends to Computerworld in my limited memory. Recently, for the sake of an example, https://www.computerworld.com/article/3386396/it-s-time-to-install-the-march-windows-and-office-patches.html

        Also, remember that for the current topic of discussion, the updating guide has not been written yet. Big Red MSDEFCON-1 and all that.

        1 user thanked author for this post.
    • #351563 Reply

      joep517
      AskWoody MVP

      It is easy and convenient to bash Microsoft and blame them for the problem. BUT, we do not know and probably never will know the true reason.

      Is it as RC Primak said above that the primary fault lies with the AV vendors for using undocumented APIs? Is it Microsoft’s fault for introducing a new restriction in a valid API that was not documented and disseminated to the AV vendors? If the AV vendors are using undocumented APIs that is their fault. Any programmer worth their salt knows that an undocumented method can be changed or disabled at any time without notice.

      PK Cano posits that Microsoft should have caught this in testing and notified the vendors. Maybe they did. They may have notified the vendors and the vendors ignored it. Microsoft may not have given the vendors enough time to rectify the situation. The AV vendors are never going to admit fault for that would potentially damage their reputation(s). It is always easier to blame Microsoft.

      Maybe Microsoft did not catch it. We do not know if this is a general condition for all Avira (and other 3rd party AV) users or if it affects a certain configuration(s) only. There is no way Microsoft can test all the hardware and software configurations. I’m sure they run an automated test suite over hundreds and probably thousands of machines. But that is a mere drop in the bucket of the configurations that can exist.

      --Joe

      6 users thanked author for this post.
      • #353080 Reply

        rc primak
        AskWoody_MVP

        So now that we know all this, what do we do? What should Microsoft do?

        -- rc primak

      • #374947 Reply

        DrBonzo
        AskWoody Lounger

        This is actually a very simple issue.

        Microsoft issued a bad patch. As the issuer of said patch they need to step up and take responsibility for it and get it fixed.

        If an AV vendor had issued a bad patch, then that vendor would need to step up and take responsibility for it and get it fixed.

        If I was an executive at MS I would want to prevent this sort of thing from happening again. In order to do that I would need to know if it was my guy(s) or the other vendor’s guy(s) who made the mistake(s) (realizing that it could well have been a combination of my and their guy(s) who are at fault). But as a customer, I don’t really care about who’s to blame. What I see is that I’m using an MS operating system and applying an MS patch that bricks my computer. Microsoft, you need to get it fixed! Now!

        1 user thanked author for this post.
    • #353968 Reply

      b
      AskWoody Plus

      1809 CU now lists ArcaBit (but not Avira) AV as a known issue:

      Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to freeze or hang upon restart after installing this update.

      We are presently investigating this issue with ArcaBit and will provide an update when available.

      April 9, 2019—KB4493509 (OS Build 17763.437)

      Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1903

      2 users thanked author for this post.
      • #354263 Reply

        woody
        Da Boss

        How about that….

        ArcaBit is a Polish antivirus program. And this particular report doesn’t sound like the slow-as-sludge reports I’ve seen. I bet we have another shoe yet to drop.

    • #354466 Reply

      b
      AskWoody Plus

      Windows 7 updates now have known issues listed for Avira, Avast, AVG, ArcaBit, Sophos:

      (with blocks or guidance links)

      April 9, 2019—KB4493448 (Security-only update)

      April 9, 2019—KB4493472 (Monthly Rollup)

      Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1903

      2 users thanked author for this post.
    • #362699 Reply

      CyGuy
      AskWoody Plus

      Please forgive my ignorance but this is a bit mind-boggling for civilians.  Does this problem currently affect all versions of Avast (e.g. free) with all versions of Windows 10?

      • #363077 Reply

        PKCano
        Da Boss

        According to the MS pages as of 4/13 am (server time):
        Avira and Sophos are blocked on Win7/8.1, Avast has issued an Emergency Update, and MS is investigating ArcaBit.
        ArcaBit has a known issue for Win10 1809
        I don’t see anything on the Win10 1803 page.

        2 users thanked author for this post.
    • #370239 Reply

      EP
      AskWoody_MVP

      Any word on Kaspersky from “beta tester” victims?

      Two laptops at home, both running 1809 and the Kaspersky Free version. No problems with any current updates – fully patched. No issues at the office where we use Symantec Endpoint and Dell Threat Defense (re-branded Cylance).

      The comment on BleepingComputer might have referred to their problem being with Malwarebytes because they mentioned that AV also. Or could be the Kaspersky Free version you use isn’t a problem with this Win update. My advice to anyone and as Woody now states, Defcon1, don’t update

      I’ve installed the KB4493509 update on my Win10 v1809 machine that has just Windows Defender & Malwarebytes free edition and I am not experiencing any problems with that update. Maybe it happens with just Malwarebytes Premium and not the free version.

    • #374982 Reply

      anonymous

      Conjecture: While we debate the blame for allowing or misusing APIs, I notice that there does not seem to be a consistent pattern in the wilderness*. I propose that in addition to the known actors, Microsoft’s OS and many vendors’ security products, there are the unknown actors and their malware. Is it possible that the common element is an agent that afflicts systems only when infected? Doesn’t even have to be blackhat, could be a normally benign agent that is not accounted for in “testing”.

      * I do note there have been large networks that show 100%, or nearly so, rates. Those are also likely to have consistent profiles and cross contamination anyway.

      • #441613 Reply

        rc primak
        AskWoody_MVP

        This is possible, but in my less than expert opinion, doubtful at present.

        Anyway, such a roundabout explanation seems to me to be premature and unnecessary. It violates Occam’s Razor (the simplest explanation is often the correct one).

        -- rc primak

    • #429962 Reply

      abbodi86
      AskWoody_MVP

      https://support.microsoft.com/en-us/help/4493472/windows-7-update-kb4493472

      It seems Avast and ArcaBit had fixed their products

      5 users thanked author for this post.
