Windows issues with April Updates and AV-Programs–root cause known

[German]A little addendum to the April patchday issues in Windows, which were caused by third party antivirus scanners. In the meantime, the root cause for this behavior is known.

Antivirus software causes issues with April updates

Windows users had significant issues with the security updates for Windows released on April 9, 2019.

• Shortly after the release of the April 2019 updates, there were reports worldwide that the systems with Windows 7 and Windows Server 2008 R2 were freezing during the update installation.
• Later it became known that the problems also affect Windows 8.1 and Windows Server 2012 R2 as well as Windows Server 2008.
• Windows 10 users has also reported these issues through updates. This ranges from an extreme slowdown to context menus no longer works.

Vendor, Sophos, quickly confirmed that there are problems when Sophos Endpoint Security and Control or Sophos Central Endpoint Standard/Advanced are installed. The following versions of Windows were affected.

• Windows 7
• Windows 8.1
• Windows 2008 R2
• Windows 2012

Later, confirmations from the antivirus vendors Avira, Avast and Mc Afee were added. Microsoft has also documented the problems associated with its April 9, 2019 update in its support articles on updates (see KB4493467 for Windows 8.1, for example). At the same time, Redmond had stopped the delivery of updates on systems where affected antivirus products were installed. I had reported about these problems in several blog posts (see linked posts at the end of the article). Sophos hasn't, according to this article, provides a solution (just a workaround) till yet. And the updates are blocked further. Meanwhile, the other affected AV vendors have released updates for their products that work with the affected Windows updates.

But what was the root cause?

It was unclear to me, as an outside observer, why it hit the AV providers and who was 'to blame'. I can't answer the question 'who was to blame', but the root cause is now known. Antivirus vendor Mc Afee has covered it in a single sentence in this statement:

Changes in the Windows April 2019 updates for Client Server Runtime Subsystem (CSRSS) introduced a potential deadlock with ENS.

The Client Server Runtime Subsystem (csrss.exe) is responsible for the administration of the command line and the starting and stopping of processes and threads in the current Windows versions. As the only system component, csrss.exe is marked as a "critical process", the unexpected termination of which leads to an immediate crash of the system. The abbreviation ENS stands forMc Afee Endpoint Security.

A change to the Client Server Runtime Subsystem (CSRSS) caused by the April 2019 updates has resulted in a situation that ends in a dead lock with the antivirus products. Dead lock is a situation where two processes wait for each other to release a resource (e.g. a file). So the processes block each other. Arstechnica describes it here: The antivirus applications try to gain access to a resource, but they are prevented from doing so because they have already gained exclusive access to the resource.

Ultimately, it's up to the AV programs and defining exceptions for the scan, where the AV program directories are excluded, helped as a workaround. The updated versions of the antivirus products take this into account so that the dead lock no longer occurs and the Windows updates can be installed.

Similar articles:
April 2019 updates freezes Windows 7, 8.1, 10 & Server
Windows 10 V1809: Slow down with Update KB4493509?
AVAST and Avira confirms April 2019 Update issues
Windows patchday issues–one week later (April 17, 2019)
Windows 7: Mc Afee is causing issues with April Updates