Status Meltdown and Spectre
2018 has only just started and has already introduced us to two powerful new exploits: Meltdown and Spectre. Both are attack techniques that abuse a CPU feature, speculative execution, which normally functions safely, as designed; researchers identified a way to turn this benign performance optimization to malicious use. In effect they bypass the protections that separate applications from the operating system kernel, and applications from one another on the same machine. They affect a wide range of devices we use every day, including PCs, servers and phones.
So, how exactly can Meltdown and Spectre have such an impact? First, let's back up and look at the role speculative execution plays. Most modern processors execute instructions speculatively, that is, before it is certain that those instructions will actually be needed, and discard the results if they turn out not to be. The architectural state is rolled back, but side effects such as which memory lines were pulled into the CPU cache remain, and they can be measured with timing. By doing so, one process can infer the contents of memory that belongs to another process or to the kernel and that it is not permitted to read directly. Meltdown targets the user/kernel boundary and is what the operating system patches below address (by isolating kernel page tables, which is also the source of the performance cost discussed at the end); Spectre targets branch prediction and needs CPU microcode and software changes as well.
KB90167 : https://kc.mcafee.com/corporate/index?page=content&id=KB90167
KB90180 : https://kc.mcafee.com/corporate/index?page=content&id=KB90180
Automated Mechanism to Deploy the Registry Key Update
Starting with the January 10th DAT (3221.0) updates for Endpoint Security (ENS) 10.0.2 and later, the registry key will be automatically updated for customers who receive their DAT updates through ePolicy Orchestrator (ePO).
NOTE: Safety Pulse (enabled by default) must be enabled to download ENS DAT 3221.0.
Starting with the January 12th DAT (8772), customers who use VirusScan Enterprise (VSE) 8.8 and receive their DAT updates through ePolicy Orchestrator (ePO) will have the registry key automatically updated.
The DAT adds the check for the registry key, and sets it if it is not present. Customers who have already set a registry key should not have any issues.
For customers using ENS 10.0.1 or earlier, or not using ePO for their DAT delivery, see KB90180 – How to deploy the required registry key via automated executable.
Testing is ongoing for all McAfee products and no compatibility issues with the Microsoft update have been found so far. We expect all of our testing to be complete on our endpoint products soon, and will update this article when we have a new estimated completion date.
The following products have been tested and are confirmed as compatible:
- Application Control 6.2.0 and later
- Data Exchange Layer 3.0.0 and later
- Data Loss Prevention 9.3 and later*
- Database Activity Monitor/Sensor 4.6
- Drive Encryption 7.1 and later
- ePO 5.1 and later
- ePO MER 3.1 and later
- ePO MVT 8.2 and later
- Endpoint Intelligence Agent 2.6.2 and later
- Endpoint Security 10.2 and later
- File and Removable Media Protection 4.3.1 and later
- Host IPS 8.0 Patch 4 and later
- McAfee Active Response 1.1 and later
- McAfee Agent 4.8 Patch 3 and later
- McAfee Client Proxy 1.2 and later
- MOVE Antivirus Multi-Platform 4.5 and later
- Management of Native Encryption 4.0 and later
- Network Security Manager 9.1 and later
- Policy Auditor for Windows 6.2.0 and later
- Security for Domino Windows 7.5.3 and later
- Security for Microsoft Exchange 8.5 and later
- Security for Microsoft Sharepoint 3.0 and later
- SiteAdvisor Enterprise 3.5 Patch 3 and later
- System Information Reporter 1.0.1 and later
- Threat Intelligence Exchange Client for VSE 1.0.2 and later
- VirusScan Enterprise 8.8 RTW and later
- VirusScan Enterprise for Storage 1.2 and later
Linux and macOS Compatibility for McAfee Products:
Because the underlying issue impacts multiple operating systems, testing is also underway on Linux- and macOS-based products. No issues have been found so far.
- Data Loss Prevention for Mac 188.8.131.52, 184.108.40.206, 10.0.0.123
- Endpoint Security for Linux 10.2.2
- Endpoint Security for Mac 10.2.3
- Endpoint Protection for Mac 2.3
- File and Removable Media Protection for Mac 5.0.5
- Host Intrusion Prevention for Linux 8.0 Patch 11 and later
- Management of Native Encryption for Mac 4.1.3
- McAfee Active Response for Linux 220.127.116.11, 18.104.22.1682
- McAfee Active Response for Mac 22.214.171.124
- McAfee Linux Firewall 8.0.3
- Policy Auditor for Linux 126.96.36.199, 188.8.131.52, 184.108.40.2062
- VirusScan Enterprise for Linux 2.0.3, 1.9.2
On December 28, 2017, Kaspersky Lab released a database update that sets the readiness flag (the compatibility registry key Microsoft requires). Products with this database update or later will allow the Microsoft update to install.
Customer Support Bulletin CSB-180105-1
Subject: FortiClient 5.4 and 5.6 for Windows Meltdown Security Patch
Product: FortiClient for Windows
Microsoft released a security update on January 3, 2018 to ensure compatibility of the Windows updates related to the CPU security flaw (Meltdown) with anti-virus software products (see Microsoft Security Bulletin
Fortinet tested the latest active FortiClient software versions 5.4.4 and 5.6.3 and found them fully compatible with Microsoft's January 2018 Security Update. It is safe to use these versions with the security update.
FortiClient 5.4 and 5.6 for Windows
Microsoft requires that the following registry key exist on all compatible systems, even if there is no AV
With the latest active FortiClient versions 5.4.4 and 5.6.3, this key must be added manually or via Group Policy in order to receive the January 3, 2018 security update.
Fortinet will release new versions of FortiClient prior to January 9, which will add the required registry key
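The check that the McAfee DAT performs (set the key if it is not present) and the manual or Group Policy deployment Fortinet describes can be scripted directly. The following PowerShell is an added example for this page, not code from McAfee, Fortinet, Kaspersky or Microsoft. The key path and the GUID-named value are the ones Microsoft documents in KB4072699 for the January 3, 2018 update; the function names are this page's own. Run it elevated, and only on hosts whose AV vendor has confirmed compatibility, since the key's whole purpose is to keep the update away from incompatible AV drivers.

```powershell
# Added example (not vendor code). Key and value per Microsoft KB4072699:
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
#   cadca5fe-87d3-4b96-b7fb-a231484277cc  REG_DWORD  0
$QualityCompatPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-QualityCompatKey {
    # $true only if the value exists, is REG_DWORD and equals 0 (the documented shape);
    # a value typed by hand as REG_SZ or with other data fails this check.
    $item = Get-ItemProperty -Path $QualityCompatPath -Name $QualityCompatName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $kind = (Get-Item -Path $QualityCompatPath).GetValueKind($QualityCompatName)
    return ($kind -eq 'DWord') -and ($item.$QualityCompatName -eq 0)
}

function Set-QualityCompatKey {
    # Idempotent: does nothing when the key is already correct, so it is safe to
    # schedule from a startup script or a configuration-management run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (Test-QualityCompatKey) {
        Write-Verbose 'QualityCompat value already present and correct'
        return
    }
    if ($PSCmdlet.ShouldProcess($QualityCompatPath, "Create $QualityCompatName = 0 (REG_DWORD)")) {
        if (-not (Test-Path $QualityCompatPath)) {
            New-Item -Path $QualityCompatPath -Force | Out-Null
        }
        # -Force also repairs a value that exists with the wrong type or data.
        New-ItemProperty -Path $QualityCompatPath -Name $QualityCompatName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Usage (elevated):
#   Set-QualityCompatKey -WhatIf    # preview the change
#   Set-QualityCompatKey -Verbose   # apply it
#   Test-QualityCompatKey           # $true once the update can be offered
```

For fleet-wide deployment the same two functions can be pushed through a Group Policy startup script or Invoke-Command; the Test function is also a useful compliance query to run before opening Windows Update approvals, because the key's presence is what gates the January update, not the AV product version itself.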
The Endpoint Privilege Manager agent does not appear to have any operational issue with the MS patch. We do, however, recommend that customers deploy it to a few test machines before rolling it out to all of the organization's endpoints.
CPU performance review : https://www.bleepingcomputer.com/news/microsoft/microsoft-performance-dip-on-old-windows-versions-due-meltdown-and-spectre-fixes/
- With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
- With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
- With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
- Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.
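On Windows Server the mitigations the last bullet refers to are not switched on by the update alone; they are controlled by two registry values documented in Microsoft's KB4072698, and Microsoft's SpeculationControl module from the PowerShell Gallery reports whether they are active after the reboot. The following PowerShell is an added example for this page, not Microsoft's own code; the registry values and the Get-SpeculationControlSettings cmdlet are Microsoft's, the wrapper function names are this page's own.

```powershell
# Added example (not Microsoft code). Registry values per KB4072698; reporting via
# Microsoft's SpeculationControl module. Run elevated; reboot before testing.
$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Virt    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Set-SpeculationMitigations {
    # -Enabled $true  -> FeatureSettingsOverride 0, mask 3: Meltdown (KVA shadow) and
    #                    Spectre v2 (branch target injection) mitigations on.
    # -Enabled $false -> FeatureSettingsOverride 3, mask 3: both off again, the documented
    #                    way back if the IO-heavy workload above regresses too far.
    param([bool]$Enabled = $true, [switch]$HyperVHost)
    $override = if ($Enabled) { 0 } else { 3 }
    New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride     -PropertyType DWord -Value $override -Force | Out-Null
    New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3         -Force | Out-Null
    if ($HyperVHost) {
        # Hyper-V hosts additionally need this so guests are offered the new CPU capabilities.
        if (-not (Test-Path $Virt)) { New-Item -Path $Virt -Force | Out-Null }
        New-ItemProperty -Path $Virt -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
    }
}

function Test-SpeculationMitigations {
    # One-time prerequisite:  Install-Module SpeculationControl -Scope CurrentUser
    Import-Module SpeculationControl -ErrorAction Stop
    $s = Get-SpeculationControlSettings
    [pscustomobject]@{
        # Needs both the OS update and CPU microcode; false on hosts still waiting for firmware.
        SpectreV2_BTI_Enabled       = $s.BTIWindowsSupportEnabled
        # False on CPUs not affected by Meltdown, in which case no KVA shadow cost is paid.
        Meltdown_KVAShadow_Required = $s.KVAShadowRequired
        Meltdown_KVAShadow_Enabled  = $s.KVAShadowWindowsSupportEnabled
        # PCID/INVPCID (Haswell and newer) makes KVA shadowing cheaper; its absence on
        # older silicon is part of the larger slowdown described in the bullets above.
        PCID_Optimization           = $s.KVAShadowPcidEnabled
    }
}

# Usage (elevated):
#   Set-SpeculationMitigations -Enabled $true -HyperVHost   # then reboot
#   Test-SpeculationMitigations                             # confirm what is actually active
```

Run the Test function on a representative server before and after enabling the mitigations and benchmark the workload in between: the registry values only express intent, and the report is the only way to confirm that the branch-target-injection half is really active, since it silently stays off until the matching microcode is present.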