Loading...

Slow performance after applying Microsoft Windows April 2019 updates or later Microsoft monthly updates on a system with VirusScan Enterprise installed
Artigos técnicos ID:   KB91467
Última modificação:  6/14/2019
Classificação:


Ambiente

McAfee VirusScan Enterprise (VSE) 8.8

For affected Microsoft Windows versions, see KB91476.
Microsoft Windows April 2019 update KBs

Resumo

Recent updates to this article
Date Update
June 13, 2019 Updated "Option 1" under Solution.
May 17, 2019 Updated title to Microsoft April 2019 updates and later due to Microsoft article:
https://support.microsoft.com/en-us/help/4499164/windows-7-update-kb4499164
Option 1 updated.
May 1, 2019 Added a workaround.
April 26, 2019 Updated the Environment field.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Problema

After you apply the Windows April 2019 update or later KBs, you experience slow performance on systems with VSE installed.

Causa

With the Windows April 2019 updates, the Client Server Runtime Subsystem (CSRSS) operating system process CSRSS.EXE performs file I/O more frequently while it fulfills LoadLibrary requests from other processes. This new behavior introduces deadlocks in the Threat Intelligence Exchange (TIE) module for VSE.

To identify systems with the TIE module for VSE in ePO:
  1. Log on to the ePO console. 
  2. Open the menu, and under Reporting, select Queries and Reports
  3. Select New Query.
  4. In the left menu, select System Management.
  5. For the Result type, select Managed System.
  6. Click Next.
  7. For the Chart type, select Table.
  8. Click Next.
  9. Choose any additional columns you want for this report.
  10. Click Next.
  11. Add the Product Version (VirusScan Enterprise) filter.
  12. Click the filter drop-down, select Greater than or Equals, and set the value as 1.
  13. Add the Product Version (Threat Intelligence Exchange module for VSE) filter.
  14. Click the filter drop-down, select Greater than or Equals, and set the value as 1.
  15. Click Run. The systems listed in the results, if any, have the TIE module for VSE installed.
To identify systems with the TIE module for VSE locally:
  1. From the Windows notification area, right-click the McAfee icon and click About.
  2. Check whether Threat Intelligence Exchange module for VSE is listed.

Solução

If no systems have the TIE module for VSE:
There are no reported conflicts with VSE and the Windows April 2019 updates. 

If systems have the TIE module for VSE:
  • Option 1: This issue is resolved in VSE 8.8 Patch 13 release (General Availability).
    McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

    NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

     
  • Option 2: Uninstall the TIE module for VSE from clients before applying the Windows April 2019 updates.
  • Option 3: If already impacted by slow performance after you apply the Windows April 2019 updates, consider performing the temporary workaround described in this article to prevent scanning on read file activity from c:\windows\system32\csrss.exe.

Solução alternativa

The following workaround is optional; only use it temporarily to mitigate the impact of the issue until the VSE fix can be applied.

This workaround prevents scanning on read file activity from c:\windows\system32\csrss.exe.

IMPORTANT: Before you perform this workaround, carefully assess the risk in your environment because this setting can lower your security posture. McAfee recommends that you remove this workaround after you apply the VSE fix.

To prevent scanning on read file activity from csrss.exe in ePO:
  1. In the On-Access Default Processes Policies VSE policy, select Configure different scanning policies for high-risk, low-risk, and default processes.
  2. Modify the On-Access Low-Risk Processes Policies policy to include csrss.exe and to not scan when reading from disk.
  3. Apply this policy.
NOTE: Only apply this policy to systems running affected Windows operating systems.
 
To prevent scanning on read file activity from csrss.exe locally:
  1. From the VirusScan console, open On-Access Scanner settings.
  2. Select All Processes. But, if the option is named Default Processes go to step 4.
  3. Select Configure different scanning policies and click Apply.
  4. Select Low-Risk processes.
  5. Add csrss.exe.
  6. Click the Scan Items tab.
  7. Deselect When reading from disk.
  8. Click Apply.

Classificar este documento

Beta Translate with

Select a desired language below to translate this page.

Idiomas:

Este artigo está disponível nos seguintes idiomas:

English United States
Japanese

Glossário de termos técnicos


 Realçar termos do glossário

Reserve alguns momentos para navegar por nosso Glossário de termos técnicos.