chip vulnerability MS patch

For the patch of the chip vulnerability, can I just download the patch from Microsoft and install it on all servers and workstations rather than use Windows Update?  I have a couple servers and 20 workstations.  Also, I noticed that you have to be careful with antivirus because of a registry entry.  Can someone help me out with this issue?  I use SOPHOS antivirus and the link below details what they are doing to work with the MS patch.  I think it says that SOPHOS works with the patch but I am not entirely sure.  Better safe than sorry.  Here is the link:    https://community.sophos.com/kb/en-us/128053
mkramer777 Asked:
 
dbrunton Commented:
This really depends on your workstations and servers.  It appears that there is a microcode patch and an Operating System patch and an anti-virus patch.  All depend on the manufacturers.  If you've got a recent Intel CPU then there will be a microcode patch.

See  https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/  and read the section on Intel.  Also read the section on Microsoft and what they are doing.  They have a PowerShell script -- it is linked in the Ars Technica article -- which can tell you how well your system is protected.

You can set the registry key manually if you wish and then do the update.  That is at the Sophos link.  If you are really worried then do it that way.

But remember that there may be three updates to do.
0
 
Hello There (System Administrator) Commented:
What I posted in my previous answer to this topic:

Read this article, which gives you some advice on what to do. Maybe you will get some useful knowledge. HERE

   Q&A What can I do about the Meltdown and Spectre flaws?
    Users can do little to avoid the security flaws apart from update their computers with the latest security fixes as soon as possible. Fixes for Linux and Windows are already available. Chromebooks updated to Chrome OS 63, which started rolling out in mid-December, are already protected.
    Android devices running the latest security update, including Google’s Nexus and Pixel smartphones, are already protected. Updates are expected to be delivered soon. Users of other devices will have to wait for the updates to be pushed out by third-party manufacturers, including Samsung, Huawei and OnePlus.
    An update from Apple on what is needed for its Mac computers and iOS devices is expected.

Now it's important to patch everything. Google Chrome, Firefox, Intel components, BIOS, Windows OS:

   Microsoft has issued an emergency security patch through Windows Update, but if you’re running third-party antivirus software then it’s possible you won’t see that patch yet.

   A firmware update from Intel is also required for additional hardware protection...

   
Ensure you have the latest Windows 10 updates and BIOS updates from Dell, HP, Lenovo, or one of the many other PC makers. We’re hoping Microsoft or Intel creates a simple tool (they have a PowerShell script right now) to check protection for both the firmware and Windows updates, but until such a tool is available you’ll need to manually check or get familiar with PowerShell. Here’s a quick step-by-step checklist to follow for now:
     - Update to the latest version of Chrome (on January 23rd) or Firefox 57 if you use either browser
     - Check Windows Update and ensure KB4056892 is installed for Windows 10
     - Check your PC OEM website for support information and firmware updates and apply any immediately

John Hurst's comment:
You need to run Windows (and MAC) updates for all current Workstation and Server operating systems. Windows X64 systems were largely patched by yesterday.
Dump any X86 / 32-bit Operating systems as quickly as you can (Workstations and Servers).

Meltdown vulnerability was found in Intel chips.
Spectre was found in both Intel and AMD + ARM as well.
There is a brilliant page that describes everything. Hope you will like it. HERE

Antiviruses might not help you. Patch, patch and patch!
1
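The checklist quoted in the comment above asks for a check that KB4056892 is installed, and the thread keeps returning to the antivirus registry entry. The script below is an added example (not from any poster, Microsoft or Sophos) that reports both for a list of machines. It assumes PowerShell remoting (WinRM) is enabled on the targets and that you fill in the registry key path and value name from the Sophos article linked in the question; the `-RegPath` and `-RegValueName` defaults are placeholders, not real names, and machines other than Windows 10 need their own KB number passed via `-HotFixId`.

```powershell
# Added example: audit Meltdown/Spectre patch state across a small fleet.
# Assumptions: WinRM remoting is enabled on every target; the two registry
# placeholders below are NOT real names and must be replaced with the values
# published in the vendor article before the AvKeyPresent column means anything.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$HotFixId       = 'KB4056892',   # Windows 10 KB named in the thread
    [string]$RegPath        = '<REGISTRY-KEY-PATH-FROM-VENDOR-ARTICLE>',
    [string]$RegValueName   = '<REGISTRY-VALUE-NAME-FROM-VENDOR-ARTICLE>'
)

# Runs on each target: is the hotfix installed, and is the AV
# compatibility value present?
$check = {
    param($HotFixId, $RegPath, $RegValueName)
    $hotfix = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue
    $reg    = Get-ItemProperty -Path $RegPath -Name $RegValueName `
                  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OS              = (Get-CimInstance Win32_OperatingSystem).Caption
        HotFixInstalled = [bool]$hotfix
        InstalledOn     = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        AvKeyPresent    = [bool]$reg
        Error           = $null
    }
}

$results = foreach ($c in $ComputerName) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $check `
            -ArgumentList $HotFixId, $RegPath, $RegValueName -ErrorAction Stop
    } catch {
        # Unreachable machines are reported, not silently skipped.
        [pscustomobject]@{
            Computer = $c; OS = $null; HotFixInstalled = $null
            InstalledOn = $null; AvKeyPresent = $null
            Error = $_.Exception.Message
        }
    }
}

# Machines that still need attention sort to the top.
$results | Sort-Object HotFixInstalled, AvKeyPresent |
    Format-Table Computer, OS, HotFixInstalled, InstalledOn, AvKeyPresent, Error
```

Saved under a file name of your choice (for example `Check-PatchState.ps1`, a hypothetical name), it can be run with `-ComputerName (Get-Content .\machines.txt)` to cover all servers and workstations in one pass.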
 
mkramer777 (Author) Commented:
I'm worried about adding the patch and it not working with Sophos.  Is there a way to auto add the registry entry so the patch will not affect Virus software that is not compatible with it?
0
 
mkramer777 (Author) Commented:
Should I update all my machines so they have the latest Windows updates even if they will not show the Windows update for Meltdown because my antivirus is not compatible?
0
 
mkramer777 (Author) Commented:
Sorry for another post but I thought of something.  This is for my servers.  Instead of waiting for Sophos antivirus to come out with a fix why can't I uninstall and install something like MS security essentials and then run the patch update just so I have it on at least the servers?
0
 
Hello There (System Administrator) Commented:
I think this says everything (from your link):
Sophos has completed testing of installing the patch and setting the registry key and can confirm no compatibility issues were seen. We will begin to automatically add the registry key in updates to the following Sophos Endpoint/Server products starting 05 Jan 2018:

To be 100% sure you can contact Sophos support.
0
 
mkramer777 (Author) Commented:
Why set the registry key manually if Sophos in the article says they have tested and all is well?  Can't I run the msu patch and I'm done?
0
 
Hello There (System Administrator) Commented:
I'd do so. Test it on one machine, test it on more computers and then I'd deploy it.
0
 
mkramer777 (Author) Commented:
How will I test it?  Wait for the computer to have issues?  Or are you saying it won't even load?
0
 
mkramer777 (Author) Commented:
One more time with this question.  Can't I uninstall Sophos, install the patch and reinstall Sophos?
1
 
Hello There (System Administrator) Commented:
Apply the patch and see any changes in behaviour.
0
 
mkramer777 (Author) Commented:
Also, if I want to add the registry value, how exactly do I do that?  Do I copy and paste it where in the registry editor?
0
 
dbrunton Commented:
0
 
Jose Gabriel Ortega C (CEO, J0rt3g4 Consulting Services) Commented:
I'm sorry to be here late.
I wrote an article last night that can help you guys know whether you have the vulnerability or not.

https://www.experts-exchange.com/articles/31438/Intel-Bug-Spectre-and-MeltDown.html

Thank you and let me know if you have any comments.
0
Question has a verified solution.
