
Microsoft blocking updates for non-compliant antivirus software

vorticalbox
Quote

Last week, Microsoft issued the cumulative security fixes for January 2018. Although the media focus has been on the “Meltdown” and “Spectre” CPU fixes, these patches also include a range of important security fixes — including patches to the SMB server.

 

These updates came with many caveats, and the Microsoft knowledge base articles have had extensive edits since publishing. There are some really important things you should know before trying to apply the patches.

 

The main thing to know is that the January patches, and currently all future security patches, will not install unless antivirus vendors take action — and some don’t want to or feel they cannot.

 

 

Quote

There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes.

 

So now to the important part

 

Quote

In order to combat this, Microsoft has requested that anti-virus vendors add a registry key every time they start up, to certify that their product works with the CPU fixes:

 

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

 

You’ll find this bit very important:

“Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key”

 

Be sure to check that your AV solution is compatible with the Windows updates else you could end up in a bad situation. 

 

I find it rather annoying that Microsoft is taking such a hard stance that could leave lots of people in a bad place but I also understand the importance of defending against meltdown related attacks. 

 

What do you guys think about Microsoft's move to block updates through Windows Update, Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM)?

 

https://doublepulsar.com/important-information-about-microsoft-meltdown-cpu-security-fixes-antivirus-vendors-and-you-a852ba0292ec

 

 

List of compatible vendors 

Avast,

AVG,

Avira,

Bitdefender,

ESET,

F-Secure,

Kaspersky,

Malwarebytes,

Sophos,

Symantec.

 

Expected soon

McAfee,

TrendMicro,

Webroot

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´

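A check a practitioner can run on the machine itself, added here as an example and not taken from the thread, the doublepulsar post or Microsoft. The key path and value name are the ones published in the linked Microsoft KB (4072699): a REG_DWORD named cadca5fe-87d3-4b96-b7fb-a231484277cc with data 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat. The script reports whether that flag is present and lists the antivirus products registered with Windows Security Center, so you can see which vendor is supposed to be setting it. The Set-QualityCompatFlag function is included because the KB also describes setting the value manually on machines that run no antivirus at all; it should not be used to force updates onto a machine whose AV vendor has not confirmed compatibility.

```powershell
# Added example (not from the thread or from Microsoft). Checks whether the
# antivirus compatibility flag described in KB4072699 is present, and lists
# the antivirus products registered with Windows Security Center.

# Key and value name are taken from Microsoft KB 4072699.
$QualityCompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-QualityCompatFlag {
    # Returns $true only if the value exists, is a DWORD and holds 0, as the KB requires.
    $item = Get-ItemProperty -Path $QualityCompatKey -Name $QualityCompatValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $kind = (Get-Item -Path $QualityCompatKey).GetValueKind($QualityCompatValue)
    return ($kind -eq 'DWord' -and $item.$QualityCompatValue -eq 0)
}

function Get-RegisteredAntivirus {
    # root/SecurityCenter2 exists on client SKUs only; on Windows Server this returns nothing.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, productState, pathToSignedProductExe
}

function Set-QualityCompatFlag {
    # Only do this after confirming with the vendor that the installed AV is compatible,
    # or on a machine with no AV at all. Requires an elevated shell.
    New-Item -Path $QualityCompatKey -Force | Out-Null
    New-ItemProperty -Path $QualityCompatKey -Name $QualityCompatValue `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

if (Test-QualityCompatFlag) {
    'Compatibility flag present: the January 2018 and later security updates can be offered.'
} else {
    'Compatibility flag missing: Windows Update, WSUS and SCCM will withhold the January 2018 and later security updates.'
}

$av = Get-RegisteredAntivirus
if ($av) { $av | Format-Table -AutoSize } else { 'No antivirus product registered in SecurityCenter2.' }
```

Run it from an elevated PowerShell prompt if you intend to call Set-QualityCompatFlag; the two read-only functions work without elevation. If the flag is missing but a third-party product is registered, the vendor's compatibility statement, not this script, is the thing to check before touching the key.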

1 minute ago, SC2Mitch said:

What if people don't use any kind of AV? I only use Malwarebytes at the moment.

I believe scanners are OK because they just scan files against a signature; however, it might be wise to check with the provider.


1 minute ago, vorticalbox said:

I find it rather annoying that Microsoft is taking such a hard stance that could leave lots of people in a bad place but I also understand the importance of defending against meltdown related attacks.

I'm having an even harder time believing that a lot of AV software is trustworthy, considering some of the things it could be doing to the OS in order to make sure apps are not doing anything malicious. Ars Technica had some pretty good articles on it:

And then there was this comment:

Quote

Honestly, there seems to be an inherent risk with adding another third-party to your system that has unfettered access to your file system. If you choose to use Windows Defender, then the responsibility remains solely with the same maker as the OS. Once you add a third party, you're hoping they stay on the top of their game with security, too.

But granted, depending on who the user is, AV may be necessary

Quote

Security researcher/malware reverse engineer here.

Unfortunately, it's not so simple. It happens every time: dispensing simplistic advice to arbitrary security problems. "Use Tor and you will be safe!" "Don't use AV!" etc.

We have to go back to the basics: threat modelling 101. Before you take any action with regards to security figure out: 1) What are you trying to protect? 2) Who are you protecting it from? Who is the potential adversary? 3) What methods, tools, techniques and procedures (TTP) your adversary typically use?
This is not proper threat modelling, but enough to get started and once you answered these questions you have much better idea what tools to use or not use and *why*.
Don't listen to security soothsayers. Think for yourself.

On the specific issue at hand: AV is a massive attack surface when it comes to targeted attacks (processing untrusted, malicious input without any sort of sandboxing, breaking memory corruption mitigations etc.), however if a targeted attack is not a concern, then you probably don't need to worry too much: the AV ecosystem is extremely diverse, and it's simply not worth developing exploits for arbitrary AV products; it's still much better ROI to use phishing or IE or Flash exploits.
In practice, AV exploits just aren't used to drop malware, on the other hand users unwittingly downloading malware which is stopped by AV happens regularly.

I personally don't use any AV product nor am I advocating for AV, but this hysteria is similar to worrying about airbags in cars and deciding not to use one because you read a news piece about airbag causing fatality.

 

Either way, I can't really trust AVs any more than the OS.


As I see it, every big name out there has added it, except McAfee, which I find quite bizarre if we're honest, but at least it's coming soon. Why I find that bizarre, and even problematic, is because it's owned by Intel, who is taking the impact the hardest, and because I know a few very big corporations that are using it.

The ability to google properly is a skill of its own. 


9 minutes ago, vorticalbox said:

Be sure to check that your AV solution is compatible with the Windows updates else you could end up in a bad situation.

I don't consider myself a target for this kind of complicated way of hacking into a computer. So I will keep not updating Windows. It has worked perfectly for decades now. (Specific additions to Windows are not included in this statement; an example would be an SP which is needed to get functionality from other software/games/hardware.)


14 minutes ago, vorticalbox said:

I find it rather annoying that Microsoft is taking such a hard stance that could leave lots of people in a bad place but I also understand the importance of defending against meltdown related attacks.

 

 

It really is the AV makers' job to ensure their software stays up to date with the OS; it's not like the OS is changing for arbitrary reasons, and OS security cannot wait for third parties.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


5 minutes ago, Dutch-stoner said:

I don't consider myself a target for this kind of complicated way of hacking into a computer. So I will keep not updating Windows. It has worked perfectly for decades now. (Specific additions to Windows are not included in this statement; an example would be an SP which is needed to get functionality from other software/games/hardware.)

You don't need any valuable data to be considered a target. If someone wants to turn your computer into a botnet, the fact you have a computer on the internet is all they need.


1 minute ago, mr moose said:

 

It really is the AV makers' job to ensure their software stays up to date with the OS; it's not like the OS is changing for arbitrary reasons, and OS security cannot wait for third parties.

But for some reason this was never an issue in the first place. It actually still isn't an issue on Windows 7, for example, which will also get a fix, so it's not like the situation is that much different.

It's only Windows 10 that has this issue (and it's not the first time AVs are angry with W10 or vice versa), and also Windows Defender is strongly integrated with the OS, so much in fact that you can't get rid of it, and disabling only works for a short time because it enables itself again when it gets an update. It all adds up, doesn't it?

If you want my attention, quote meh! D: or just stick an @samcool55 in your post :3

Spying on everyone to fight against terrorism is like shooting a mosquito with a cannon


2 minutes ago, samcool55 said:

Windows Defender is strongly integrated with the OS, so much in fact that you can't get rid of it, and disabling only works for a short time because it enables itself again when it gets an update. It all adds up, doesn't it?

When you install a new AV solution, Windows Defender goes into passive mode and only does routine scans.


4 minutes ago, samcool55 said:

But for some reason this was never an issue in the first place. It actually still isn't an issue on Windows 7, for example, which will also get a fix, so it's not like the situation is that much different.

It's only Windows 10 that has this issue (and it's not the first time AVs are angry with W10 or vice versa), and also Windows Defender is strongly integrated with the OS, so much in fact that you can't get rid of it, and disabling only works for a short time because it enables itself again when it gets an update. It all adds up, doesn't it?

I'm not sure I understand why Defender being a part of the OS makes the danger of third-party software bypassing Kernel Patch Protection any less real. This was never an issue in the first place because there wasn't an exploitable bug in the CPU that needed addressing.

 

 


I guess this explains why I haven't gotten that update.

AVG Internet Security 2016.

 

Honestly, the only reason I use a security suite/antivirus is for the easy-to-use firewall, so I can block and allow software from accessing the internet quickly and easily, and to block software that really has no reason to access it yet asks for it, to show ads or to send my data to some server.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


21 minutes ago, TetraSky said:

I guess this explains why I haven't gotten that update.

AVG Internet Security 2016.

 

Honestly, the only reason I use a security suite/antivirus is for the easy-to-use firewall, so I can block and allow software from accessing the internet quickly and easily, and to block software that really has no reason to access it yet asks for it, to show ads or to send my data to some server.

Then why not just install a firewall? Comodo Firewall is the best in the industry.


1 hour ago, M.Yurizaki said:

I'm having an even harder time believing that a lot of AV software is trustworthy, considering some of the things it could be doing to the OS in order to make sure apps are not doing anything malicious. Ars Technica had some pretty good articles on it:

And then there was this comment:

But granted, depending on who the user is, AV may be necessary

 

Either way, I can't really trust AVs any more than the OS.

I just use the inbuilt Microsoft AV, quite a few security experts who don't work for AV companies advise the same thing.


7 hours ago, leadeater said:

I just use the inbuilt Microsoft AV, quite a few security experts who don't work for AV companies advise the same thing.

It's actually getting rather high scores in AV tests, like 98-100%.


8 hours ago, TetraSky said:

I guess this explains why I haven't gotten that update.

AVG Internet Security 2016.

 

Honestly, the only reason I use a security suite/antivirus is for the easy-to-use firewall, so I can block and allow software from accessing the internet quickly and easily, and to block software that really has no reason to access it yet asks for it, to show ads or to send my data to some server.

Simplest one, using Windows built-in firewall.

https://www.sordum.org/8125/firewall-app-blocker-fab-v1-6/


4 minutes ago, BillyCool said:

Simplest one, using Windows built-in firewall.

https://www.sordum.org/8125/firewall-app-blocker-fab-v1-6/

Windows Firewall can be changed by anything with admin rights on a PC.

If you set up something like XAMPP, it will ask to auto-add rules, and then the firewall doesn't even ask for confirmation.

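The concern in the post above, that installers with admin rights add firewall rules and the built-in firewall never asks, can at least be audited. The following is an added example, not code from the thread or from any of the products mentioned: it lists every enabled Windows Firewall allow rule that is scoped to a specific program, using the NetSecurity cmdlets that ship with Windows 8/Server 2012 and later. Run it after installing something like XAMPP and the new rules show up with their program path.

```powershell
# Added example (not from the thread). Lists enabled Windows Firewall allow rules
# that are tied to a specific executable, so rules silently added by installers
# with admin rights can be reviewed.

function Get-ProgramAllowRules {
    param(
        [ValidateSet('Inbound', 'Outbound')]
        [string]$Direction = 'Inbound'
    )
    # Only enabled allow rules in the requested direction are of interest.
    $rules = Get-NetFirewallRule -Enabled True -Action Allow -Direction $Direction
    foreach ($rule in $rules) {
        # The application filter holds the program path the rule applies to;
        # 'Any' means the rule is not scoped to a particular executable.
        $app = $rule | Get-NetFirewallApplicationFilter
        if ($app.Program -and $app.Program -ne 'Any') {
            [pscustomobject]@{
                Name    = $rule.DisplayName
                Group   = $rule.DisplayGroup
                Profile = $rule.Profile
                Program = $app.Program
            }
        }
    }
}

# Inbound program rules are the ones an installer typically adds for a local server.
Get-ProgramAllowRules -Direction Inbound | Sort-Object Program | Format-Table -AutoSize

# Outbound program rules only matter once the profile's default outbound action is Block;
# the Windows default is Allow, which is why outbound rules rarely show up here.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
```

To get the behaviour TetraSky describes (software asking before it can reach the internet) from the built-in firewall, the outbound default has to be switched to Block with Set-NetFirewallProfile -DefaultOutboundAction Block, after which each program needs an explicit outbound allow rule; Windows Firewall itself never prompts, which is the gap the third-party firewall front ends fill. Any unwanted rule found above can be turned off with Disable-NetFirewallRule -DisplayName '<name>'.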

1 hour ago, vorticalbox said:

It's actually getting rather high scores in AV tests, like 98-100%.

A lot of the security people that recommend it come from the perspective of: who better to know how to properly protect the system than the people who created it in the first place? They will know the most efficient and least resource-intensive way to do things and what is and isn't normal.

 

I find a lot of the AV test/rank stuff more designed to try and sell AV software than to actually test how good they are and if it would have protected a user in front of the machine using it at the time. Most things tend to be any AV would have caught it or none would have helped anyway.


27 minutes ago, leadeater said:

A lot of the security people that recommend it come from the perspective of: who better to know how to properly protect the system than the people who created it in the first place? They will know the most efficient and least resource-intensive way to do things and what is and isn't normal.

 

I find a lot of the AV test/rank stuff more designed to try and sell AV software than to actually test how good they are and if it would have protected a user in front of the machine using it at the time. Most things tend to be any AV would have caught it or none would have helped anyway.

Funny they say that... Given how MS was spouting blatant lies about many things, or intentionally didn't release info. By my standards (and I'm sure there are others who feel the same way) their trustworthiness is down the toilet...


Just now, jagdtigger said:

Funny they say that... Given how MS was spouting blatant lies about many things, or intentionally didn't release info. By my standards (and I'm sure there are others who feel the same way) their trustworthiness is down the toilet...

Lies about what? You have to remember between the companies involved there were legal embargoes on information release so the ability to give out accurate and correct information about Meltdown and Spectre is limited by that. I'm not aware of Microsoft lying about anything in relation to this. Far as that type of stuff goes reporting on this has been a total shambles and that is completely at the hands of reporters and no one else, they did a terrible job.

 

As far as trusting them actually goes there is a separation of trust of the company itself and the product. I do actually trust Microsoft AV solutions, have used them for a while, back when it was under the name System Center Endpoint Protection, Forefront Protection and Security Essentials.

 

I trust the big AV companies less than I trust Microsoft both on their products and their company.


Just now, leadeater said:

Lies about what? You have to remember between the companies involved there were legal embargoes on information release so the ability to give out accurate and correct information about Meltdown and Spectre is limited by that. I'm not aware of Microsoft lying about anything in relation to this. Far as that type of stuff goes reporting on this has been a total shambles and that is completely at the hands of reporters and no one else, they did a terrible job.

 

As far as trusting them actually goes there is a separation of trust of the company itself and the product. I do actually trust Microsoft AV solutions, have used them for a while, back when it was under the name System Center Endpoint Protection, Forefront Protection and Security Essentials.

 

I trust the big AV companies less than I trust Microsoft both on their products and their company.

I mean the spy10 fiasco, then they used the update system to spread their backported malware onto older systems, VS modifying your program without your knowledge, etc...

So yeah, 0 reason to trust in everything they make...


Good thing that Bitdefender 2018 on my PC and Kaspersky 2018 on my parents' PC are compatible and the update process ran smoothly.

There is more that meets the eye
I see the soul that is inside

 

 


4 minutes ago, jagdtigger said:

I mean the spy10 fiasco, then they used the update system to spread their backported malware onto older systems, VS modifying your program without your knowledge, etc...

So yeah, 0 reason to trust in everything they make...

Right, I was thinking that I don't think MS actually said much at all initially, so I couldn't think of anything they said that was wrong.

 

Anyway the inbuilt AV is actually very good, the amount of crap I've had to deal with for the other ones I'd never recommend any of them. All bloody awful and broken, Windows Defender just works and doesn't break stuff for illogical random reasons.

 

They did have that one big bug recently though, that was very amusing lol.

 

For a very long time, Windows 7 era, I didn't even bother with an AV and just used common sense which tends to be much more successful than any AV ;).
