Windows Meltdown-Spectre fix: How to check if your AV is blocking Microsoft patch

Antivirus firms are playing patch catch-up, as Microsoft releases Meltdown firmware updates for Surface devices.

Antivirus firms are gradually adding support for Microsoft's Windows patch for the Meltdown and Spectre attack methods that affect most modern CPUs.

As Microsoft warned this week, it's not delivering its January 3 Windows security updates to customers if they're running third-party antivirus, unless the AV is confirmed to be compatible with it.

Microsoft's testing found some antivirus products were producing errors by making unsupported calls into Windows kernel memory, resulting in blue screen of death (BSOD) errors.

Third-party Windows antivirus products need to support Microsoft's security update and set a Windows registry key for customers to receive the update via Windows Update.

See: 50 time-saving tips to speed your work in Microsoft Office (free PDF)

To make matters more confusing, only some antivirus vendors are actually doing both, while others require admins to set the registry key themselves, using Microsoft's instructions. Additionally, some antivirus companies haven't completed compatibility testing.

Microsoft hasn't said which antivirus products are compatible beyond its own Windows Defender and Microsoft Security Essentials. However, security researcher Kevin Beaumont has created a public spreadsheet that may help IT admins prepare for installing Microsoft's mitigations for the attack techniques that affect CPUs from Intel, AMD and Arm, albeit to differing degrees.

windowspatchav.png

Third-party Windows antivirus products need to support Microsoft's security update and set a Windows registry key for customers to receive the update via Windows Update.

Image: Kevin Beaumont

Trend Micro says its products Trend Micro OfficeScan, Worry-Free Business Security, and Deep Security are affected by Microsoft's new requirement for vendors to verify compatibility with the patch. While the company has completed testing and confirmed compatibility, customers who rely on Windows Update currently need to set the registry key themselves.

It hasn't completed compatibility testing for all its products yet because Microsoft released the patch earlier than expected, according to Trend Micro. The company had been targeting the expected Patch Tuesday on January 9 rather than January 3. As such, the company is currently working on setting the registry in its products.

Others that have confirmed compatibility but haven't set the registry key in their products include CrowdStrike, Endgame, McAfee, and SentinelOne. Microsoft offers separate instructions for setting the registry key on Windows Server and Windows clients.

Antivirus firms that have confirmed compatibility and set the registry keys in their products include Avast, Avira, EMSI, ESET, F-Secure, Kaspersky, and Malwarebytes.

Symantec is also in this second group but some customers have reported that the Symantec Endpoint Protection (SEP) tray icon is reporting "multiple problems" after applying Microsoft's update and Symantec's updated Erasure engine.

"On January 4, 2018, Symantec released an updated Eraser engine to ensure compatibility with the Microsoft out-of-band update that had been released the previous day. While this engine update resolves the compatibility issues it was meant to address, some environments have reported issues with the SEP system tray icon after applying both updates," Symantec says in a support note.

Applying operating system updates and dealing with antivirus compatibility issues are only half the solution.

As Microsoft noted previously, mitigating Meltdown and Spectre also requires installing firmware updates from hardware vendors.

While the operating system updates address Meltdown, Spectre fixes rely on firmware updates from hardware vendors that implement microcode fixes from chip vendors. In Intel's case, its microcode update introduces its Indirect Branch Prediction Side Channel Analysis Method.

Microsoft has released this firmware in the form of UEFI updates for the Surface Pro 3, Surface Pro 4, Surface Book, Surface Studio, Surface Pro Model 1796, Surface Laptop, Surface Pro with LTE Advanced, and Surface Book 2.

"The updates will be available for the above devices running Windows 10 Creators Update (OS version 15063) and Windows 10 Fall Creators Update (OS version 16299). You will be able to receive these updates through Windows Update or by visiting the Microsoft Download Center," says Microsoft.

Google has devised its own software alternative mitigation for the microcode fix using a technique called Retpoline. This addresses one of two Spectre attacks known as "branch target injection".

Previous and related coverage

Windows Meltdown-Spectre patches: If you haven't got them, blame your antivirus

Microsoft says your antivirus software could stop you from receiving the emergency patches issued for Windows.

Critical flaws revealed to affect most Intel chips since 1995

Most Intel processors and some ARM chips are confirmed to be vulnerable, putting billions of devices at risk of attacks. One of the security researchers said the bugs are "going to haunt us for years."

Apple confirms iPhone, Mac affected by Meltdown-Spectre vulnerabilities

The iPhone maker has confirmed all Mac systems and devices running iOS are affected by the vulnerabilities, but also said there are currently no known exploits.

Google reveals trio of speculative execution flaws, says AMD affected

CPUs can leak data when unwinding unused speculative execution paths.

Major Linux redesign in the works to deal with Intel security flaw

A serious security memory problem in all Intel chips has led to Linux's developers resetting how to deal with memory. The result will be a more secure, but -- as Linux creator Linus Torvalds says -- slower operating system.

Intel chips have critical design flaw, and fixing it will slow Linux, Mac, and Windows systems

The faulty design has been present in chips for years and it will force a redesign of the Linux and Windows kernels.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All