Here’s some bad news for Windows users. Microsoft’s latest patch to protect Windows users from the Meltdown and Spectre chip vulnerabilities was found to be incompatible with various types of antivirus software.
The worst part is this: users with non-compliant antivirus software will not be able to install any Windows security updates at all unless the software makers tweak their software or the user uninstalls the software completely.
It’s a double whammy of sorts, leaving Windows users with either crippled security software or no protection against Meltdown. Yikes.
Microsoft’s Meltdown patch
During Microsoft’s testing of its latest January Windows patch, the company found that some antivirus programs are making “unsupported calls into Windows kernel memory,” which can cause the dreaded Blue Screen of Death (BSOD) errors when the patch is applied.
Even worse, some Windows machines are rendered unbootable when the patch conflicts with affected antivirus programs that integrate more deeply into the Windows kernel.
Here’s what’s causing this issue. Since the Meltdown patch separates the kernel’s memory from user processes completely, antivirus programs that violate Windows’ built-in rootkit protection, known as Kernel Patch Protection, are causing Blue Screen of Death errors and endless reboot loops.
This means some Windows antivirus programs are going beyond what they’re supposed to access (i.e., protected areas of the kernel). Since the patch stops this access, the affected antivirus programs themselves are now causing errors in Windows.
Note: The kernel is an integral part of an operating system. It has complete control over the system and connects software to the various parts of a computer.
To prevent these errors, which can render certain Windows machines unbootable, Microsoft will neither push nor install security updates on computers that have the affected antivirus software installed.
Antivirus makers will have to test their software to make sure that it’s compatible with the Meltdown patch, then update it to set a specific Windows registry key. Once these steps are done, the Meltdown security updates can then be installed.
The company also said that this will be the new rule moving forward. Computers with antivirus software that do not have this registry key set won’t be able to get security updates at all…ever.
This leaves users with a choice: either uninstall non-complying antivirus software completely, or accept that your machine will not be able to install security updates. Well, for most users, the choice is pretty clear-cut. You don’t really want your machine to NOT have the latest patches.
Antivirus makers are left with no choice
Microsoft said that it is working with antivirus makers to resolve this issue, but there’s a problem. While some developers are complying, other antivirus programs will completely break since they rely on kernel access to function at all. Denying them this access will require a complete rewrite of the software.
Antivirus software companies that have complied with Microsoft’s requirements include AVG, Avast, Avira, Bitdefender, ESET, F-Secure, Kaspersky, Malwarebytes, Sophos, and Symantec.
McAfee, Trend Micro and Webroot are also working to tweak their software for compatibility soon.
Next-generation security providers like Palo Alto Networks, FireEye, Cylance, and CrowdStrike claim that their software has been tested to be compatible, but they are not willing to set the required registry key.
Companies that have yet to confirm compatibility or set the registry key include 360, VIPRE, and Countertack.