Loading...

Knowledge Center

Slow performance after applying Microsoft Windows April 2019 updates or later Microsoft monthly updates on a system with VirusScan Enterprise installed
Technical Articles ID:   KB91467
Last Modified:  5/17/2019
Rated:

Environment

McAfee VirusScan Enterprise (VSE) 8.8

For affected Microsoft Windows versions, see KB91476.
Microsoft Windows April 2019 update KBs

Summary

Recent updates to this article
Date Update
May 17, 2019 Updated title to Microsoft April 2019 updates and later due to Microsoft article:
https://support.microsoft.com/en-us/help/4499164/windows-7-update-kb4499164
Option 1 updated.
May 1, 2019 Added a workaround.
April 26, 2019 Updated the Environment field.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Problem

After you apply the Windows April 2019 update or later KBs, you experience slow performance on systems with VSE installed.

Cause

With the Windows April 2019 updates, the Client Server Runtime Subsystem (CSRSS) operating system process CSRSS.EXE performs file I/O more frequently while fulfilling LoadLibrary requests from other processes. This new behavior introduces deadlocks in the Threat Intelligence Exchange (TIE) module for VSE.

To identify systems with the TIE module for VSE in ePO:
  1. Log on to the ePO console. 
  2. Open the menu, and under Reporting, select Queries and Reports
  3. Select New Query.
  4. In the left menu, select System Management.
  5. For the Result type, select Managed System.
  6. Click Next.
  7. For the Chart type, select Table.
  8. Click Next.
  9. Choose any additional columns you want for this report.
  10. Click Next.
  11. Add the Product Version (VirusScan Enterprise) filter.
  12. Click the filter drop-down, select Greater than or Equals, and set the value as 1.
  13. Add the Product Version (Threat Intelligence Exchange module for VSE) filter.
  14. Click the filter drop-down, select Greater than or Equals, and set the value as 1.
  15. Click Run. The systems listed in the results, if any, have the TIE module for VSE installed.
To identify systems with the TIE module for VSE locally:
  1. From the Windows notification area, right-click the McAfee icon and click About.
  2. Check whether Threat Intelligence Exchange module for VSE is listed.

Solution

If no systems have the TIE module for VSE:
There have not been any reported conflicts with VSE and the Windows April 2019 updates. 

If systems have the TIE module for VSE:
  • Option 1: This issue is resolved in VSE 8.8 Patch 13, which is Released to Support (RTS) and is available by contacting Technical Support.
    To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
    • If you are a registered user, type your User Id and Password, and then click Log In.
    • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

     
  • Option 2: Uninstall the TIE module for VSE from clients before applying the Windows April 2019 updates.
  • Option 3: If already impacted by slow performance after applying the Windows April 2019 updates, consider performing the temporary workaround described in this article to prevent scanning on read file activity from c:\windows\system32\csrss.exe.

Workaround

The following workaround is optional; only use it temporarily to mitigate the impact of the issue until the VSE fix can be applied.
This workaround prevents scanning on read file activity from c:\windows\system32\csrss.exe.

IMPORTANT: Before you perform this workaround, carefully assess the risk in your environment because this setting can lower your security posture. McAfee recommends that you remove this workaround after you apply the VSE fix.

To prevent scanning on read file activity from csrss.exe in ePO:
  1. In the On-Access Default Processes Policies VSE policy, select Configure different scanning policies for high-risk, low-risk, and default processes.
  2. Modify the On-Access Low-Risk Processes Policies policy to include csrss.exe and to not scan when reading from disk.
  3. Apply this policy.
NOTE: Only apply this policy to systems running affected Windows operating systems.
 
To prevent scanning on read file activity from csrss.exe locally:
  1. From the VirusScan console, open On-Access Scanner settings.
  2. Select All Processes. But, if the option is named Default Processes go to step 4.
  3. Select Configure different scanning policies and click Apply.
  4. Select Low-Risk processes.
  5. Add csrss.exe.
  6. Click the Scan Items tab.
  7. Deselect When reading from disk.
  8. Click Apply.

Related Information

For details about the fix for CSRSS included in the Windows April 2019 updates, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0735.

Rate this document

Languages:

This article is available in the following languages:

English United States
Japanese

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.