Slashdot Mirror


Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has added a new and very important detail on the support page describing incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches. According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches. The way antivirus programs become compatible is by updating their product and then adding a special registry key to the Windows Registry. The presence of this registry key tells the Windows OS the AV product is compatible and will trigger the Windows Update that installs the Meltdown and Spectre patches that address critical flaws in the design of modern CPUs.

7 of 136 comments

  1. Windows Server by DigiShaman · · Score: 4, Informative

    Remember,

    For Windows Server, you will need to also set the following three registry keys to enable post patch install. With Windows Home/Pro, it's already enabled after installation.

    For Windows Server.

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    To validate status, you can run the PowerShell command Get-SpeculationControlSettings.

    If Windows 10 or Server 2016, you can skip the first step.

    1. Set-ExecutionPolicy Bypass
    2. Install-Module SpeculationControl
    3. Get-SpeculationControlSettings
    You will now see results.
    4. Set-ExecutionPolicy Restricted (to protect the system via securing PowerShell again)

    Good luck. Be sure to apply BIOS updates when and if applicable to stave off Spectre.

    --
    Life is not for the lazy.
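
To confirm the three `reg add` commands in the comment above took effect, this added PowerShell example (not part of the original comment or of Microsoft's guidance) reads each value without writing anything and compares its type and data to what those commands set. The function name `Test-MitigationRegistryValue` is hypothetical; the paths, value names, types and data are the ones from the comment.

```powershell
# Added example: read-only audit of the three values set by the reg add
# commands in the comment above. Expected types and data come from that comment.
$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

$expected = @(
    @{ Path = $mm;   Name = 'FeatureSettingsOverride';            Kind = 'DWord';  Data = 0 }
    @{ Path = $mm;   Name = 'FeatureSettingsOverrideMask';        Kind = 'DWord';  Data = 3 }
    @{ Path = $virt; Name = 'MinVmVersionForCpuBasedMitigations'; Kind = 'String'; Data = '1.0' }
)

# Hypothetical helper: returns one result object per expected value.
function Test-MitigationRegistryValue {
    param([hashtable]$Spec)

    $result = [ordered]@{
        Name = $Spec.Name; Expected = $Spec.Data; Actual = $null; Status = 'Missing'
    }
    # A missing key and a missing value are both reported as 'Missing'.
    $key = Get-Item -LiteralPath $Spec.Path -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $Spec.Name)) {
        $result.Actual = $key.GetValue($Spec.Name)
        $kind = $key.GetValueKind($Spec.Name)
        if ("$kind" -ne $Spec.Kind) {
            # e.g. the value was created as REG_SZ instead of REG_DWORD
            $result.Status = "WrongType ($kind)"
        } elseif ($result.Actual -ne $Spec.Data) {
            $result.Status = 'Mismatch'
        } else {
            $result.Status = 'OK'
        }
    }
    [pscustomobject]$result
}

$report = $expected | ForEach-Object { Test-MitigationRegistryValue -Spec $_ }
$report | Format-Table -AutoSize

# Collect anything that is not exactly as expected so it can be flagged.
$bad = @($report | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} of {1} values are missing or differ from the expected settings." -f $bad.Count, $report.Count)
}
```

Reading these values under HKLM does not require elevation, so the check can run from a standard account.
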
  2. Legitimate decision. by Gravis+Zero · · Score: 5, Interesting

    It pains me to side with Microsoft but their decision here is a good and legitimate one.

    The key to its legitimacy is this quote:

    There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes.

    --
    Anons need not reply. Questions end with a question mark.
  3. Re:Something wrong here by StormReaver · · Score: 5, Informative

    You do know that you can just disable the Windows Update service right?

    Microsoft frequently ignores that setting.

  4. Re:Now windows malware will mess with that key to by bondsbw · · Score: 4, Insightful

    You have bigger problems than a registry key if the malware has root.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  5. Re:No AV - No Updates? by sinij · · Score: 4, Funny

    So what happens if I don't install any AV-product and also don't use the Microsoft AV-Solution?

    It is highly unreasonable to expect MS to be able to patch your Linux box. :P

  6. Re:Now windows malware will mess with that key to by Skuld-Chan · · Score: 4, Informative

    If malware can set this reg key - your machine is already done (it's only writable by system/admin).

  7. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion