CPU bug patch saga: Antivirus tools caught with their hands in the Windows cookie jar

Microsoft's workaround to protect Windows computers from the Intel processor security flaw dubbed Meltdown has revealed the rootkit-like nature of modern security tools. Some anti-malware packages are incompatible with Redmond's Meltdown patch, released last week, because the tools make, according to Microsoft, “unsupported …

LDS
Silver badge

Depends - if you just run the file/processes inspection part on demand it's OK. If you let them "infect" your system with all their drivers and services to hook whatever they like automatically, there's a good chance they start fighting against each other.

On a file server or a mail server, for example, you may want to inspect file/attachments using more than one AV engine, the way VirusTotal works. Relying on a single one may be dangerous.

2
2

@AC

The people who run multiple AV are likely the lot who installed AVG Free and then someone sold them another AV / they got one from their bank / which told them about some other recommended product / some random bloke down the pub who cleans at a tech company recommended one, etc., but have no clue how to install the old one. They are likely the same people who have malware.

It happens more often than you think on consumer and small business PCs.

2
1
Silver badge

Ummm... people who click "yes", I suppose? To something as innocuous as a Flash plugin update that used to be essentially forced upon them by browsers and such until not so long ago (assuming they already had a different AV installed)...?

0
0

For email (before the days of the cloud), you would get an email filtering product that could include multiple engines (BitDefender, Kaspersky, etc.); however, it's one main product installed on the system, utilising the multiple engines it has licensed from the vendors.

It's also possible... to deliver email/web through multiple servers. Each one with a different AV / Filtering product that checks/cleans before delivery to the final mailbox server.

For file servers, you'd have AV on the server and on the client. You should be concerned about entry points (email, web, USB stick / CD-ROM) and ensure each has its own protection; in combination you should have as well-protected a network as possible.

Running multiple products on a single server/PC is not a good idea, unless most are passive/manual and only one is "active"/installed/running in the background; otherwise it will slow down/crash the system running two or more full AV "installed/active" products.

1
0

And those making use of some "next gen" AV.

Cylance, Crowdstrike, etc. can often be used along with other AV, or even together.

Not uncommon, and can add complementing functionality.

0
0
Silver badge

The people who run multiple AV are likely the lot who have Google Chrome as their default browser.

1
1
Anonymous Coward

"are likely the lot who have Google Chrome as their default browser."

Yes, if they wanted fast they would be using Edge.

0
0

I've regularly seen computers running more than one instance of anti-virus software, the most I've come across running on a laptop, was four!!

0
0
Silver badge

Part of the problem is that you must have AV on a Windows box if you want to use it anywhere near the internet, but because it is closed source the AV vendors have no choice but to try to fudge things to get them working.

0
4
Silver badge
Pint

"...QA testing...", Symantec...

No such thing.

2
1

A reg key question.

Is the detection built into the patch executable (KBxxxx.exe), so that it fails to run, or is it just Windows Update that detects it?

So if you approved the patch in WSUS or roll it out via SCCM do the clients install it anyway even if the reg flag isn't set?

0
0
Silver badge

The clients don't install unless the reg key is set, regardless of whether it's coming from WSUS, SCCM or Windows Update.

1
0

You can safely approve it in WSUS and it just won't be made available to the machines until they have the correct registry entry. As soon as it sees that (we just pushed the reg change via group policy as we know our AV is fine), the update will be available to install as per normal. It's the same for Windows Update: it just won't appear until the reg change. You can, however, download the patch manually and install it, but at the risk of it causing a BSOD if your AV isn't compatible.

1
0
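The gate described above can be audited from the client side. The following is an added example (not from the thread, and not Microsoft's or any vendor's code) that reports whether the compatibility value is present and which non-administrative principals can write the key, since a writable key is exactly the update-suppression concern raised later in the thread. The key path and value name are placeholders, because the thread does not name them.

```powershell
# Added example: audit the AV-compatibility registry gate on a Windows client.
# PLACEHOLDER values: the thread does not give the real key/value names, so
# substitute the ones from Microsoft's guidance before running this.
$GateKey   = 'HKLM:\SOFTWARE\PLACEHOLDER_COMPAT_KEY'
$GateValue = 'PLACEHOLDER_VALUE_NAME'

function Test-PatchGate {
    param([string]$Key = $GateKey, [string]$Value = $GateValue)
    $result = [ordered]@{ KeyExists = $false; ValuePresent = $false; Writers = @() }
    if (-not (Test-Path $Key)) { return [pscustomobject]$result }
    $result.KeyExists = $true

    # Presence of the value is what lets WSUS/SCCM/Windows Update offer the patch.
    $prop = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $result.ValuePresent = $true }

    # Anyone who can write here can silently block (or force) the update, so list
    # every Allow ACE granting SetValue or CreateSubKey (FullControl includes both)
    # to a principal other than the expected privileged ones.
    $acl = Get-Acl -Path $Key
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]($ace.RegistryRights -band $writeMask) -eq 0) { continue }
        $id = $ace.IdentityReference.Value
        if ($id -match 'Administrators|SYSTEM|TrustedInstaller|CREATOR OWNER') { continue }
        $result.Writers += $id
    }
    return [pscustomobject]$result
}

$state = Test-PatchGate
if (-not $state.ValuePresent) { Write-Warning 'Gate value missing: the update will not be offered' }
if ($state.Writers.Count -gt 0) { Write-Warning ('Gate key writable by: ' + ($state.Writers -join ', ')) }
$state
```

Run it under an account that can read the key's ACL; a fleet-wide run (e.g. via a scheduled task) gives a quick picture of which machines are gated and where the gate itself is tamperable.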

Anyone Else Surprised...

Symantec wasn't ready from the Get-Go?

Anyone?

1
0

What the AV tools have been doing

An AV tool that can't accept the Meltdown patch is an AV tool which has been silently exploiting the Meltdown vulnerability for as long as it's been "drill[ing] deep into the kernel's internals in order to keep tabs on the system."

In other words, the AV software have been the exploiting malware we've all been worrying about, and have been for years.

2
3
Silver badge

Re: What the AV tools have been doing

Not really, no.

Meltdown and Spectre are bugs which use out-of-order execution to gain unauthorized access to kernel data in userland. AVs do not do that. AVs do rely on being authorized to read elements of the kernel in userland, but having elements of the kernel in userland is not actually a problem; in fact, it's highly desirable, as you get speed increases of up to 4000%. Unless you can use out-of-order execution to read code without authorization, of course.

Basically, because Meltdown allows unauthorized access to the kernel in user space, and the problem is fundamental to processor design, the solution has been to remove kernel data from user space altogether. This means that programs which rely on AUTHORIZED access to kernel data in userland now do not work. The 'fix' for Meltdown is not actually a fix; it's a kludgy workaround to try and remove the circumstances that allow the bug to happen, rather than actually resolving the bug itself. It's also why we're getting massive performance reductions: not because every program ever has been exploiting the bug, but because most of them used user-side kernel data to speed them up.

7
1

ooo Pretty big job, gonna cost ya.

Two thoughts, sorry if I'm repeating someone....

1. Re one of the paragraphs: writing a registry key is going to require significant code work? Yes, that is what the text suggested. Give me a break: a lot of software that is written by what I consider poor practice writes hundreds if not thousands of registry entries, apparently for random fun, and leaves them behind when it is removed. Writing a single key is a very basic call. (I do realise re-writing your AV kernel driver thingie, now that might be hard.)

2. The alternative to a single key is a folder where each vendor's software has to put in an "I'm good" notification, and if everyone is good, updates continue.

Having said that, with this registry thing, malware has a very simple way to switch off updates at will, simpler than borking Windows updates, which, let's face it, Microsoft bork their own update engine regularly enough.

So perhaps what we should have is a better way to register applications existence on the machine in a protected place such that they can be checked against an online 'master' record of goodness maintained by vendors / Microsoft. Heap of missed opportunities there with the whole 'certified' application certificates etc.

This is turning into a bigger poo pile every day as we better understand the consequences!

2
0

Why can't...

Clearly my basic reading of the issue needs some assistance;

What I understood is that, due to the processor running future commands on the assumption that they will run before they are officially called, and the fact that the results of those commands can be read, we have the Meltdown issue.

Why isn't the answer to clear that pipeline and results whenever there is a kernel exception of the type that asks for privileged access? Or do kernel programmers use exceptions as their normal execution logic?

I expect I'm being too simplistic and it will need a pipeline to track the pipeline...

0
0
Anonymous Coward

Re: Why can't...

My understanding is that the problem has two parts. It's started by exploiting the speculative execution, true. But the processor does flush the invalid CPU instructions after it notices the exception. However, the processor doesn't revert any changes made to the caches, and for some reason the userland code is able to access the data in the cache directly.

0
0
Silver badge

Re: Why can't...

Eben Upton posted a good explanation of how it all works on his blog while explaining that the RPi is not vulnerable:

https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/

0
0

On this issue, I'm with Microsoft: it isn't Microsoft's responsibility to check if every third party AV product has not done silly things to the OS that would make systems fail when the Meltdown patch is applied. MS have simply said to the AV companies "This is what the Meltdown patch does. You know what you products do, so you are the ones to decide whether your products are compatible with the Meltdown patch". Short of not issuing any patch, I don't see what other choice MS have.

1
0

Us without AV

They could have at least given the end user information about this through windows update. I was wondering why there wasn't any update yesterday and whether I happen to read an article in The Register or not isn't something I should have to rely on to keep my system updated.

0
0
Silver badge

Re: Us without AV

You're assuming the Stupid User is in a position to understand this stuff.

0
1


Biting the hand that feeds IT © 1998–2018