UPDATE 1-12-2018
Two scripts were updated to new versions. They are linked in the original article below. Update to add link to this week’s patch blog.
~~~~
If you aren’t living under a rock I’m sure you have seen the recent news surrounding Intel and virtually every other CPU manufacturer in existence. The two security flaws of Meltdown and Spectre have been making waves across the industry.
While you probably have seen a lot on this already there are two important things to note when it comes to running your MSP that we felt it worth to communicate.
First: Microsoft released a same-day fix for Meltdown. This patch is part of what has been causing problems because there is a reported performance hit to the tune of 30-40%. In reality it seems to be less than that in all scenarios other than servers.
Here is an article where they did some testing on the new patch from Microsoft on an i7-8700K processor. In workstation setups there was virtually no change in performance.
Servers is where the new patch is an issue and we will hopefully be able to provide more details on that in the next week.
But wait, don’t install the patch on all your workstations just yet!
The most important thing to know about Meltdown is that Microsoft’s patch is messing with Anti-Virus software. Microsoft has acknowledged that the patch to fix Meltdown is changing some pretty low level kernel operations in the operating system and so they will NOT release the patch (or even show it as available) if your Anti-Virus hasn’t set a very specific registry key.
If you want to get technical, this article has a lot of good information on the subject: https://www.bleepingcomputer.com/news/microsoft/how-to-check-and-update-windows-systems-for-the-meltdown-and-spectre-cpu-flaws/
You can find a crowd-sourced Google Doc that shows what AV vendors are updated here: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0
Using Kaseya to Mitigate Meltdown
Kaseya released two new scripts to audit for the registry key and also to manually add the key if the Anti-Virus software didn’t update the key. Be very careful manually adding the key. Be absolutely certain that your AV is compatible before adding the registry key manually.
You can find them free to download here:
- UPDATED: Meltdown Vulnerability Check: https://clubmsp.com/msp/script/meltdown-spectre-vulnerability-check/
- Meltdown Registry Key Force Add: https://clubmsp.com/msp/script/meltdown-reg-key-force-add/
Kyle made some modifications to the Vulnerability Check script to utilize our tags setup for creating audits. He also created one additional script for you as well:
- UPDATED: Meltdown Vulnerability Check (W/Tags): https://clubmsp.com/msp/script/meltdown-spectre-vulnerability-check-w-tags/
- Meltdown Registry Key Audit Script (W/Tags): https://clubmsp.com/msp/script/meltdown-reg-key-audit/
Want to know how to setup a report based on tags? View the following video on how to create a report using the two scripts above.
Am I Good To Go If I’m Using Virtual Administrator’s Anti-Virus Solutions?
Short and sweet:
- If you are using Kaspersky. Then you should be good to go. Kaspersky should have added a registry key sometime today.
- Malware Bytes is reporting that they are safe to use with the patch from Microsoft. We have not tested this.
- AVG is not currently safe as far as we can tell. We will update this as soon as we hear something different.
- Webroot (not yet available on our servers but may be soon) is supposedly compatible with the patch but they are not setting the registry key at this time.
Last Question: Do I Need To Patch Meltdown?
Before I say anything else, just know that a security flaw is a security flaw so take what I’m about to write with a grain of salt.
Meltdown requires code to be actively run in a web browser in order to be exploited. As far as we know, there aren’t any official exploits in the wild using this flaw just yet. Servers are likely less susceptible than Workstations since they aren’t usually actively surfing the net. The bottom line is that if your clients are asking you what your plans are to tackle this bug, telling them you’re waiting for the dust to settle is a perfectly reasonable response.
Everyone is currently scrambling to figure all of this out so to wait for Patch Tuesday and our monthly blog next week is fine. But if you want to use the resources above to get rolling sooner then by all means go for it! That’s why they are there!
Have a great weekend and stay warm!