So by now you have patched everything you own because you read about meltdown and spectre. You are exhausted, but feel pretty good about yourself. After all, some of those beasties had a lot of uptime and other stuff happened when you rebooted them.
But is it really working? Well, it turns out, your Anti-Virus might be disabling the fix.
First an op-ed note. We are past Anti-Virus. If you think that is doing you any good, well, its not. Don’t believe me? Next time you get some spammy email with an attachment (word/zip/pdf, whatever), submit it to https://www.virustotal.com/. I guarantee that attachment is a virus. I guarantee that few of the Anti-Virus tools will catch it. So don’t feel more secure because you paid $19.99 @ BestBuy 4 years ago for something with a Norton sticker on the front.
OK, rant-off. It turns out that on Windows, many Anti-Virus products essentially act as a rootkit, injecting a hypervisor of sorts to intercept system calls. And, it turns out, these break Microsoft’s fix for meltdown. And to avoid a customer support nightmare, Microsoft’s fix will disable itself until the Anti-Virus is updated (and other Windows updates won’t occur either!). We’ve got folks like Symantec recommending to *not* patch for meltdown as a consequence.
There’s a set of registry keys (naturally) to:
- indicate if your Anti-Virus is up-to-date
- enable the fix
- disable the fix
You can see the details here. But, IMHO, the thing this creates, is a way for malware vendors to *disable* not only this fix, but future ones. Eg can you not see malware doing:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Seems obvious now.
So, ask yourself, now that i’ve finished all the patching, do I (still) feel lucky?