AVs: The Windows update that broke them all!

OK, maybe not all of them, but here’s the story.

Last month Microsoft released its usual OS updates to Windows on what is known as Patch Tuesday. Not long after, reports started to appear of machines freezing or failing to boot after a reboot. It turned out that the antivirus software of several security vendors was the cause, leading Microsoft to block the updates on machines with specific AV products to prevent breaking more computers.

Who was affected?

Unlike similar issues, this one depends on which update was installed, the OS version and which AV product is present. It affected Windows 7, 8.1 and 10, including some of their server counterparts, though not all (for a complete list), and products from Sophos, Avira, Avast and ArcaBit, with McAfee later confirmed to suffer from the same issues.

Why did it happen?

Unlike most software installed on your machine, antivirus products and similar security products integrate tightly into the OS and rely on undocumented and unsafe functionality that can break with each OS update. In this case, Avira and McAfee claim that Microsoft modified an internal component called CSRSS (the Client/Server Runtime Subsystem, which manages Win32 applications) and that the change caused a deadlock: a condition where two or more operations wait indefinitely for the same resource to become free, which produces the “freeze”.

Do all security products suffer from these problems?

Most of them, yes. Because they operate heavily in kernel mode, OS changes like this bring such bugs to the surface. There is, however, a vendor with a solution that won’t suffer from such problems: Deceptive Bytes’ Active Endpoint Deception solution operates in user mode using documented APIs, so it’s far more stable and doesn’t break the system when the OS updates.

If you’d like to learn more about Deceptive Bytes and how we help organizations prevent advanced threats (without breaking your OS), just contact us or request a demo.