Windows Meltdown-Spectre Fix: How To Check If Your AV Is Blocking Microsoft Patch

Posted by err0r on 07/22/18 in category Misc

Antivirus firms are gradually adding support for Microsoft's Windows patch for the Meltdown and Spectre attack methods that affect most modern CPUs.

As Microsoft warned this week, it is not delivering its January 3 Windows security updates to customers running third-party antivirus unless the AV is confirmed to be compatible with the update.

Microsoft's testing found some antivirus products were producing errors by making unsupported calls into Windows kernel memory, resulting in blue screen of death (BSOD) errors.

Third-party Windows antivirus products need to support Microsoft's security update and set a Windows registry key for customers to receive the update via Windows Update.

To make matters more confusing, only some antivirus vendors are actually doing both, while others require admins to set the registry key themselves, using Microsoft's instructions. Additionally, some antivirus companies haven't completed compatibility testing.

Microsoft hasn't said which antivirus products are compatible beyond its own Windows Defender and Microsoft Security Essentials. However, security researcher Kevin Beaumont has created a public spreadsheet that may help IT admins prepare for installing Microsoft's mitigations for the attack techniques that affect CPUs from Intel, AMD and Arm, albeit to differing degrees.


Trend Micro says its products Trend Micro OfficeScan, Worry-Free Business Security, and Deep Security are affected by Microsoft's new requirement for vendors to verify compatibility with the patch. While the company has completed testing and confirmed compatibility, customers who rely on Windows Update currently need to set the registry key themselves.

Trend Micro says it hasn't completed compatibility testing for all its products yet because Microsoft released the patch earlier than expected. The company had been targeting the expected Patch Tuesday on January 9 rather than January 3. As such, it is currently working on setting the registry key in its products.

Others that have confirmed compatibility but haven't set the registry key in their products include CrowdStrike, Endgame, McAfee, and SentinelOne. Microsoft offers separate instructions for setting the registry key on Windows Server and Windows clients.

Antivirus firms that have confirmed compatibility and set the registry keys in their products include Avast, Avira, EMSI, ESET, F-Secure, Kaspersky, and Malwarebytes.

Symantec is also in this second group, but some customers have reported that the Symantec Endpoint Protection (SEP) tray icon is reporting "multiple problems" after applying Microsoft's update and Symantec's updated Eraser engine.

"On January 4, 2018, Symantec released an updated Eraser engine to ensure compatibility with the Microsoft out-of-band update that had been released the previous day. While this engine update resolves the compatibility issues it was meant to address, some environments have reported issues with the SEP system tray icon after applying both updates," Symantec says in a support note.

Applying operating system updates and dealing with antivirus compatibility issues are only half the solution.
