ANALYSIS: Microsoft is halting all security updates on Windows systems with badly-behaved antivirus products. But you can fix this problem
When I wrote on Jan. 5 about ways to protect your computers from exploits related to two processor issues called Spectre and Meltdown, I mentioned that Microsoft had released Windows Update patches that would be applied either immediately or on the normal Patch Tuesday, Jan. 9.
As it turns out, not every Windows user received the updates because the antivirus software they’re using was incompatible with the update.
What most people didn’t know is that the incompatibility would ensure that they never received an update, ever. The problem is rooted in the behavior of a few AV products that make unsupported calls to the Windows kernel memory.
Windows security updates
These calls closely resemble actions that are performed by some types of malware and in any case they can change when Microsoft updates Windows. The result of this behavior is lovingly known as the BSOD (blue screen of death) and it happens when Windows crashes.
To get around the BSOD problem, Microsoft is requiring vendors of AV and anti-malware products to certify that their products are compatible with Windows Update, and if they are, to change a setting in the Windows registry. While most of the mainstream AV vendors have taken the necessary steps of confirming compatibility and of setting the registry key, some haven’t.
The reasons for not setting the key vary, but it’s mostly a matter of the time required for developers to make and test the changes. But there are a few new anti-malware vendors that are compatible with the new updates, but haven’t changed the registry key for reasons that are unclear.
Complicating the issue are computers that for whatever reason can’t run AV software. They’re fully compatible with the update required for the processor fix, but because there’s no AV running, there’s nothing to make the change. For this reason, Microsoft has published instructions for changing the registry key manually.
The best way to see if you received the update is to check Windows Update and see when the last update you received actually took place. If you’re running Windows 10, you should have received the update on or around Jan. 3, 2018. If you’re running anything besides Windows 10, the update should take place on or around Jan. 9, which is the normal Patch Tuesday.
For Windows Server, the situation is somewhat more complex. You will need to make changes to the Registry, but you will also need to taka a number of additional steps, including a series of verification steps. Microsoft explains this in a security update article.
It’s also worth noting that computers with some AMD processors are also incompatible with the update that’s designed to protect against the Spectre problem (they’re not subject to the Meltdown issue). When Windows Update finds those machines, it stops the update process. According to the relevant Microsoft Knowledge Base entry, those updates have been paused until the issue is resolved. In that case there’s nothing you can do until Microsoft and AMD work out a solution and publish it.
Once you’ve determined whether your lack of updates is related to your AV software, the next step is to find out whether the software vendor has plans to fix the registry setting problem and plans to make the software compatible with Windows Update, if that’s the issue.
Assuming that you find out your AV vendor’s software is compatible, then you can set the registry key yourself, or you can wait for the vendor to fix that problem. However, not all AV vendors plan to make that fix. So doing it yourself may be your only option. But be careful because making registry edits requires some knowledge of what you’re doing.
However, if you find out that the problem is your AV software and that the vendor isn’t planning to make it compatible with Windows Update, you have little choice but to change AV vendors. Despite what your AV vendor may say, no single company has a monopoly on all essential security technology. If your AV vendor doesn’t plan to fix this issue on a timely basis, retaining that vendor isn’t worth the risk.
This whole issue of incompatible AV came up when Microsoft released updates that would help defend against an exploit of the Meltdown vulnerabilities in Intel processors, or the Spectre problem that exists in virtually all processors. When preparing the updates, Microsoft found that a few AV packages ignored the rules for application behavior and instead acted like the malware they were trying to defeat.
What’s most surprising about this is that the other anti-malware packages didn’t observe this behavior and treat themselves like malware. Or perhaps they did and the IT administrators were told to turn off their AV software. I’ll bet you’ve heard that before.
But whatever the reason, defense in depth is critical for a successful cyber-security protection plan and that has to include allowing Windows to perform updates. Anything that delays updates is asking for trouble. The last thing you want is to explain why you allowed a vulnerability to exist in your enterprise when you knew it existed.
Originally published on eWeek