Microsoft's updates for Windows, released on April 9, 2019, are causing issues in Windows 7, Windows 8.1 and Windows 10 if third-party antivirus software from Sophos, AVAST and Avira is installed.
I had blogged Tuesday/Wednesday night about the updates Microsoft released on patchday (April 9, 2019); see the links at the end of the article. But then my blog went down, and now, after a day, I'm able to bring things together.
KB4493472 for Windows 7/Windows Server 2008 R2
Update KB4493472 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) is a security update that contains improvements and bug fixes that were already included in the previous month's update. The update addresses a number of issues, including updating protection against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) on VIA-based systems.
Furthermore, the kernel is patched in win32k.sys and IE 11 in WININET.DLL. Personally, I would not have installed this update, but rather installed the security-only update KB4493448 after waiting a few days.
Block all April 9, 2019 Windows updates
Shortly after release I received some user comments within my German article Patchday: Updates für Windows 7/8.1/Server (9. April 2019):
That went right through the absys. We currently have massive problems with Windows 7 clients that have installed all updates: After the reboot the computer stops at “Updates will be configured”.
Remove update doesn’t work, only rolling back to the last restore point, which is created automatically.
Good morning, everyone,
I just wanted to point out that after the above mentioned updates on my 2 VMs with Windows Server 2008 R2 the machines stopped for more than 1.5 hours at “Configure Updates”.
The VMs are running under VMware vSphere 6.5.0, 9298722.
I can’t say anything about the exact cause. I will now restore the machines from the backup.
So please be careful that you don’t have to do this in the early morning.
SAV service hangs after installing KB4493472
Last night one of my Windows 2008R2 servers hung after installing Microsoft patch KB4493472. After initial examination I discovered that the SAV service was logging lots of error messages in the event log. Event IDs: 7022 (service hang), 80, 81, 83, 85, 82, 566, 608, 592.
The server became unresponsive, no rdp, no file share access, Ctrl Alt Delete not working.
I rebooted the server into safe mode and disabled the Sophos services. After this, I was able to reboot normally. Then I uninstalled Sophos, rebooted and tried to install again but this time the installation didn’t complete and the server hung again. I rebooted again in safe mode, disabled services, rebooted and uninstalled Sophos again. After checking the Windows logs I realised that the server had installed update KB4493472 last night. I uninstalled the patch, rebooted and installed Sophos again. This time there was no problem.
Currently we are trying to unauthorise KB4493472 on our update system.
Are there any known issues with KB4493472 on Windows Server 2008R2?
The Sophos support article, Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update, dated 11 April 2019, is now online. The following updates will cause install issues:
- KB4493467 (Security-only update)
- KB4493446 (Monthly Rollup)
- KB4493448 (Security-only update)
- KB4493472 (Monthly Rollup)
- KB4493450 (Security-only update)
- KB4493451 (Monthly Rollup)
for the following versions of Windows, if Sophos Endpoint Security and Control or Sophos Central Endpoint Standard/Advanced is installed:
- Windows 7
- Windows 8.1
- Windows 2008 R2
- Windows 2012
In the support article, Sophos also gives hints on what those affected can do. You should avoid restarting when the patch has been installed. Instead, uninstall the update immediately. If this is not possible, boot the machine into safe mode and uninstall the update. This should fix the problem.
At askwoody.com there is a hint that users report the same problem with AVAST. So be careful! Someone at Heise has also reported issues with AVAST.
Administrators should block these updates in WSUS for clients and servers. Client users should block the update installation in Windows Update. Update KB4493435 also seems to be problematic.
Windows 8.1 and Windows 10 also affected
Meanwhile I have several reader comments pointing out that Windows 10 cumulative updates are also problematic if Sophos is installed. Here is a list of updates to avoid:
- Windows 10 1709: KB4493441
- Windows 10 1803: KB4493464
- Windows 10 1809: KB4493509
- Windows 10 1903: KB4495666
And if you run Windows 10 V1507 Enterprise LTSC or Windows 10 V1607 Enterprise or Windows Server 2016/2019, the related updates are also affected. I also got feedback that Windows 8.1 users, and thus Windows Server 2012/R2 instances, are also affected by the issue. Some comments confirm updates KB4493446 (Rollup) and KB4493467 (Security-only) as problematic. It also seems to affect systems with AVAST and AVIRA antivirus.
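A pre-restart check built from the KB numbers listed in this article, as an added example that is not code from the original post or from Sophos: it reports which of those updates are installed, whether a matching antivirus service is present, and whether a restart is still outstanding. The function name and the service display-name patterns are assumptions; the uninstall commands are only printed.

```powershell
# Added example. KB numbers are the ones listed in this article; the service
# display-name patterns and the function name are assumptions.
$SophosListed = 'KB4493467','KB4493446','KB4493448','KB4493472','KB4493450','KB4493451'
$Win10Listed  = 'KB4493441','KB4493464','KB4493509','KB4495666'
$AlsoReported = 'KB4493435'
$AvPatterns   = 'Sophos*','Avast*','Avira*'   # assumed display-name prefixes
$CbsPending   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

function Get-AprilUpdateRisk {
    $all = @($SophosListed) + @($Win10Listed) + @($AlsoReported)

    # Get-HotFix writes an error for each id that is not installed; suppress those.
    $installed = @(Get-HotFix -Id $all -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty HotFixID -Unique)

    # A wildcard display-name match returns nothing (no error) when no service fits.
    $avServices = @(Get-Service -DisplayName $AvPatterns -ErrorAction SilentlyContinue)

    # Component Based Servicing creates this key while a restart is outstanding.
    $rebootPending = Test-Path -Path $CbsPending

    $action = if ($installed.Count -eq 0 -or $avServices.Count -eq 0) {
        'No listed update together with a matching AV service'
    } elseif ($rebootPending) {
        'Do not restart; uninstall the listed update(s) first'
    } else {
        'Listed update installed and no restart pending'
    }

    # New-Object instead of [pscustomobject] so PowerShell 2.0 (Windows 7) works too.
    New-Object PSObject -Property @{
        InstalledListedKBs = $installed
        AvServices         = @($avServices | Select-Object -ExpandProperty DisplayName)
        RebootPending      = $rebootPending
        Action             = $action
        # Printed for the administrator to review; this script never runs them.
        UninstallCommands  = @($installed | ForEach-Object {
            'wusa.exe /uninstall /kb:{0} /norestart' -f ($_ -replace '^KB', '')
        })
    }
}

Get-AprilUpdateRisk | Format-List
```

Get-HotFix does not list every kind of update, so an empty `InstalledListedKBs` should be confirmed against the update history before a machine is restarted.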