Slow performance after applying Microsoft Windows April 2019 updates or later Microsoft monthly updates on a system with VirusScan Enterprise installed

Technical Articles ID: KB91467
Last Modified: 6/14/2019

Environment

McAfee VirusScan Enterprise (VSE) 8.8

For affected Microsoft Windows versions, see KB91476.
Microsoft Windows April 2019 update KBs

Summary

Recent updates to this article

Date	Update
June 13, 2019	Updated "Option 1" under Solution.
May 17, 2019	Updated title to Microsoft April 2019 updates and later due to Microsoft article: https://support.microsoft.com/en-us/help/4499164/windows-7-update-kb4499164 Option 1 updated.
May 1, 2019	Added a workaround.
April 26, 2019	Updated the Environment field.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Problem

After you apply the Windows April 2019 update or later KBs, you experience slow performance on systems with VSE installed.

Cause

With the Windows April 2019 updates, the Client Server Runtime Subsystem (CSRSS) operating system process CSRSS.EXE performs file I/O more frequently while it fulfills LoadLibrary requests from other processes. This new behavior introduces deadlocks in the Threat Intelligence Exchange (TIE) module for VSE.

To identify systems with the TIE module for VSE in ePO:

Log on to the ePO console.
Open the menu, and under Reporting, select Queries and Reports.
Select New Query.
In the left menu, select System Management.
For the Result type, select Managed System.
Click Next.
For the Chart type, select Table.
Click Next.
Choose any additional columns you want for this report.
Click Next.
Add the Product Version (VirusScan Enterprise) filter.
Click the filter drop-down, select Greater than or Equals, and set the value as 1.
Add the Product Version (Threat Intelligence Exchange module for VSE) filter.
Click the filter drop-down, select Greater than or Equals, and set the value as 1.
Click Run. The systems listed in the results, if any, have the TIE module for VSE installed.

To identify systems with the TIE module for VSE locally:

From the Windows notification area, right-click the McAfee icon and click About.
Check whether Threat Intelligence Exchange module for VSE is listed.

Solution

If no systems have the TIE module for VSE:
There are no reported conflicts with VSE and the Windows April 2019 updates.

If systems have the TIE module for VSE:

Option 1: This issue is resolved in VSE 8.8 Patch 13 release (General Availability).

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.
Option 2: Uninstall the TIE module for VSE from clients before applying the Windows April 2019 updates.
Option 3: If already impacted by slow performance after you apply the Windows April 2019 updates, consider performing the temporary workaround described in this article to prevent scanning on read file activity from c:\windows\system32\csrss.exe.

Workaround

The following workaround is optional; only use it temporarily to mitigate the impact of the issue until the VSE fix can be applied.

This workaround prevents scanning on read file activity from c:\windows\system32\csrss.exe.

IMPORTANT: Before you perform this workaround, carefully assess the risk in your environment because this setting can lower your security posture. McAfee recommends that you remove this workaround after you apply the VSE fix.

To prevent scanning on read file activity from csrss.exe in ePO:

In the On-Access Default Processes Policies VSE policy, select Configure different scanning policies for high-risk, low-risk, and default processes.
Modify the On-Access Low-Risk Processes Policies policy to include csrss.exe and to not scan when reading from disk.
Apply this policy.

NOTE: Only apply this policy to systems running affected Windows operating systems.

To prevent scanning on read file activity from csrss.exe locally:

From the VirusScan console, open On-Access Scanner settings.
Select All Processes. But, if the option is named Default Processes go to step 4.
Select Configure different scanning policies and click Apply.
Select Low-Risk processes.
Add csrss.exe.
Click the Scan Items tab.
Deselect When reading from disk.
Click Apply.

Related Information

For details about the fix for CSRSS included in the Windows April 2019 updates, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0735.

Affected Products

Known Issue/Product Defect
Threat Intelligence Exchange Module for VirusScan Enterprise
VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Environment

Summary

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

Knowledge Center

Environment

Summary

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title