"Meltdown" and "Spectre": Antivirus Tools Caught with Their Hands in the Windows Cookie Jar

The Meltdown and Spectre vulnerabilities in Intel and other CPUs are especially disturbing because they sit beneath the reach of software-based cyber controls: no software can explicitly intervene once the hardware flaw itself is being exploited. To mitigate the risk, AppGuard customers need not do anything other than apply the operating system patches, as should be done regardless. No unusual steps are required to install those patches alongside AppGuard; however, the presence of other security software may require action, as described below. While exploits of these vulnerabilities by nation-state-class adversaries can theoretically bypass AppGuard, there is no tool better at blocking such attacks in their earliest stages, before the Meltdown/Spectre exploit code itself could be executed. The remainder of this post lays out each of these points in more detail.

About Meltdown and Spectre

For your convenience, we have provided links to third-party write-ups. In short, both vulnerabilities break the memory isolation that affected CPUs are supposed to enforce: Meltdown lets an unprivileged process read kernel memory, and Spectre lets one process trick another process (or the kernel) into speculatively executing code that leaks its data through the CPU cache. Software patches implement the mitigations prescribed by the CPU and OS vendors, such as kernel page-table isolation for Meltdown and CPU microcode updates, compiler changes and speculation barriers for Spectre, to eliminate or greatly hinder exploitation.

Endpoint Protection from Meltdown and Spectre

Theoretically, neither AppGuard nor any other software-based cyber control can explicitly block exploits of these vulnerabilities once an attacker is in a position to run the Meltdown/Spectre exploit code. At that point, only the patched OS and CPU microcode stand in the way. However, such an attack must first complete one or more earlier stages: the attacker's code has to be delivered to the endpoint and launched there. AppGuard has always been effective at blocking malicious code at those early stages, and it therefore significantly reduces one's exposure to future Meltdown/Spectre attacks.

And it does so without any dependence on ephemeral signatures or IoCs of any kind, and without having to pierce the veil of any obfuscation tactic. Other tools act in a 'detect and react' posture, responding only after malicious code has detonated. This not only exposes endpoints to greater harm but also drives up labor-intensive IT/Sec-Ops requirements for the enterprise. AppGuard bears none of these weaknesses and passes none of these IT/Sec-Ops demands on to its customers. In short, there is no better protection from exploits of these vulnerabilities or any others.

AppGuard is Compatible with Microsoft Operating System Patches

Microsoft published guidance regarding the deployment of its OS patches for Meltdown and Spectre based on earlier testing. It had found that many software-based security products cause severe compatibility problems with the patches, up to and including blue-screen crashes. Consequently, Microsoft gated the January 2018 updates behind a specific registry value: Windows Update will not offer the updates unless the value is present. The value represents a self-certification, asserting that the security vendor has determined that no conflict with the patch exists, and compatible vendors set it from within their products. Unfortunately, even when no incompatibility exists, some security product vendors require their customers to create the prescribed registry value themselves. AppGuard has always avoided the non-standard mechanisms that Microsoft has discouraged, precisely to avoid these and other problems. The patches have been deployed on numerous AppGuard-protected endpoints without any issues.
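The following PowerShell script is an added example for administrators who want to confirm, before relying on Windows Update, whether the self-certification value described above is present on an endpoint. It is not AppGuard's code or Microsoft's; the registry key, value name and data are the ones Microsoft documented for the January 2018 updates, while the function names are this example's own.

```powershell
# Added example (not AppGuard's or Microsoft's code): check, and optionally set,
# the "antivirus compatibility" registry value that Windows Update requires
# before it will offer the January 2018 Meltdown/Spectre updates.
# Key, value name and data below are Microsoft's documented ones.

$QualityCompatKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\QualityCompat'
$QualityCompatValue = 'cadca5fe-eb16-4b76-8d88-0fe6d0ec6e9a'

function Test-QualityCompatFlag {
    # Returns $true only when the value exists, is a REG_DWORD and equals 0,
    # which is exactly what Windows Update checks for.
    if (-not (Test-Path -Path $QualityCompatKey)) { return $false }
    $item = Get-ItemProperty -Path $QualityCompatKey -Name $QualityCompatValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $data = $item.$QualityCompatValue
    return ($data -is [int]) -and ($data -eq 0)
}

function Set-QualityCompatFlag {
    # This is a self-certification. Run it only after confirming with every
    # installed security vendor that their product is compatible with the update.
    if (-not (Test-Path -Path $QualityCompatKey)) {
        New-Item -Path $QualityCompatKey -Force | Out-Null
    }
    New-ItemProperty -Path $QualityCompatKey -Name $QualityCompatValue `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

if (Test-QualityCompatFlag) {
    Write-Output 'QualityCompat flag present: Windows Update may offer the January 2018 updates.'
} else {
    Write-Output 'QualityCompat flag missing: the updates will not be offered until a security vendor (or you) sets it.'
}
```

Run it from an elevated PowerShell session; the Set function needs write access to HKLM. Presence of the flag only means the updates will be offered, not that the mitigations are active: after patching, Microsoft's SpeculationControl module (`Install-Module SpeculationControl` followed by `Get-SpeculationControlSettings`) reports whether the kernel and microcode mitigations are actually enabled, and on Windows Server editions the mitigations additionally ship disabled and must be switched on via the FeatureSettingsOverride and FeatureSettingsOverrideMask values under the same Memory Management key.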

The Vulnerability Patches will Slow Endpoints 5% to 30%, Non-AppGuard Action may be Necessary

Older CPUs will suffer most. The slowdown comes largely from the added cost of every transition into the kernel (system calls, interrupts, context switches), so endpoints running I/O-heavy or chatty software pay the highest price. It may be necessary to decide what to leave out on older endpoints, uninstalling unnecessary applications, even one or more security products. AppGuard's extremely lightweight footprint, seldom exceeding 0.1% of CPU or 10 MB of RAM, should not be one of them. Further, AppGuard's processing does not depend on the kernel transitions that the patches have had to make more expensive, so it will not exacerbate the slowdown.

Conclusion

AppGuard customers are the least affected and the least vulnerable. Still, the Meltdown and Spectre vulnerabilities are very serious, and the OS patches are a must. We may all learn down the road that these software patches weren't quite enough, so check periodically that your staff are staying abreast of the latest vendor bulletins. We will update this post if there is further news.