This document outlines compatibility details and product update information of Immunet regarding the Microsoft Security Update (KB4072699) released on January 3, 2018 to address the Meltdown and Spectre vulnerabilities (CVE-2017-5753 and CVE-2017-5754).
This Microsoft Security Update comes with changes that may break compatibility with antivirus software. Microsoft has instituted a new requirement that security vendors validate compatibility with the security update before accepting the security update for installation.
With the complexity of the issue and number of vendors involved in the response, Immunet is providing the following guidance for users to decide how to apply and upgrade their Immunet software and underlying operating system. Users must also review the applicability of any required hardware patches, which is not covered by this document.
The Immunet engineering team has tested and verified compatibility with the following versions of the Immunet software on the supported Microsoft operating systems:
Table 1 – Verified Immunet Versions
Table 2 – Verified Operating Systems
Microsoft Windows 7 SP1
Microsoft Windows 8.1
Microsoft Windows 10
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Note: Versions not listed are either no longer supported by Immunet and/or not supported by Microsoft and the released Security Updates.
Complete resolution of the vulnerabilities may require hardware patches provided by each vendor. Immunet engineering has validated on hardware from multiple hardware vendors, but you must validate for the specific hardware deployed within your environment.
Users are required to upgrade to a version of Immunet that has been tested and verified to be compatible with the Microsoft Security Update (see Table 1, Table 2). In addition, users will need to manually set the required compatibility registry key detailed in Microsoft KB4072699 after verifying all third-party endpoint security software installed on the endpoint is compatible.
Once the compatibility registry key is set, the underlying operating system will allow the installation of the released Microsoft Security Updates.
Immunet recommends the following:
- Ensure the version of Immunet that is installed is a compatible and verified version (see Table 1, Table 2)
- Validate compatibility of all third-party endpoint security software installed on the endpoint
- Set the required compatibility registry key to allow the Microsoft Security Update to be applied (KB4072699). For assistance in setting the registry key mentioned in the above link, please see the last section of this post.
- Research and apply any patches required by your hardware vendor.
NOTE: Inadvertently setting the compatibility registry key on devices with third-party endpoint security software incompatible with the Microsoft Security Update may result in a Blue Screen of Death (BSOD).
Caveats and Considerations
Users should be aware of the following:
- Users must validate compatibility of all endpoint security software installed in their environment prior to setting the compatibility registry key.
- The registry key is not specific to Immunet. Setting the compatibility registry key will allow the Microsoft Security Update to be applied without validation of additional third-party endpoint security software running on the device.
- Devices may experience a BSOD if the registry key is set when incompatible third-party endpoint security software is deployed.
- Full resolution of the vulnerabilities may require hardware patches released by each vendor. This will vary from machine to machine.
- This has been verified on a limited basis on systems with branch target injection (BTI).
Manually Adding the Registry Key
NOTE: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.
- Start a Command Prompt running with Administrator Privileges
- Verify that the registry key is not present by running the following command:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat /v cadca5fe-87d3-4b96-b7fb-a231484277cc
If the registry key is not present, the above command should return:
ERROR: The system was unable to find the specified registry key or value.
If you do not get the error in step 4, the key is already present on your system and you do not need to take further action.
- Add the registry key by running the following command:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0x00000000
- Verify that the registry key was added successfully by running the command from step 2 again. It should return:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat cadca5fe-87d3-4b96-b7fb-a231484277cc REG_DWORD 0x0
The registry key is now set, and you should be able to download the Microsoft Security Patches.
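The check, add and verify steps above can also be scripted so that they are idempotent and confirm the value's type and data as well as its presence. The following PowerShell is an added example, not code from Immunet or Microsoft; the key path, value name, type and data are those in the commands above, while the function names and the -AllAvVerified switch are hypothetical.

```powershell
# Added example: idempotent check / set / verify of the QualityCompat value.
# Key path, value name, type and data come from the reg commands above.
# Get-QualityCompatState, Set-QualityCompatKey and -AllAvVerified are
# hypothetical names chosen for this illustration.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatState {
    # Returns 'Absent', 'Set', or 'Malformed' (wrong type or non-zero data).
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $ValueName) {
        return 'Absent'
    }
    $kind = $key.GetValueKind($ValueName)
    $data = $key.GetValue($ValueName)
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 0) {
        return 'Set'
    }
    return 'Malformed'
}

function Set-QualityCompatKey {
    param(
        # Operator attests that every endpoint security product on this
        # device was validated against the update (see the BSOD note above).
        [switch]$AllAvVerified
    )
    if (-not $AllAvVerified) {
        throw 'Refusing to set key: third-party compatibility not attested.'
    }
    if ((Get-QualityCompatState) -eq 'Set') { return 'AlreadySet' }
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force creates a missing value and overwrites a malformed one.
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
        -PropertyType DWord -Value 0 -Force | Out-Null
    # Re-read the value instead of trusting the write.
    if ((Get-QualityCompatState) -ne 'Set') {
        throw 'Registry value did not verify after write.'
    }
    return 'Added'
}

# Read-only audit of the current state.
Get-QualityCompatState
# From an elevated session, after validating all endpoint security software:
# Set-QualityCompatKey -AllAvVerified
```

Get-QualityCompatState only reads the registry, so it can be used to inventory devices before any change is made; Set-QualityCompatKey requires an elevated session.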