chip vulnerability MS patch

For the patch of the chip vulnerability, can I just download the patch from Microsoft and install it on all servers and workstations rather than use Windows Update? I have a couple servers and 20 workstations. Also, I noticed that you have to be careful with antivirus because of a registry entry. Can someone help me out with this issue? I use SOPHOS antivirus and the link below details what they are doing to work with the MS patch. I think it says that SOPHOS works with the patch but I am not entirely sure. Better safe than sorry. Here is the link: https://community.sophos.com/kb/en-us/128053
mkramer777 Asked:

Hello There (System Administrator) Commented:
What I posted in my previous answer to this topic:

Read this article that gives you some advice on what to do. Maybe you will get some useful knowledge. HERE

   Q&A What can I do about the Meltdown and Spectre flaws?
    Users can do little to avoid the security flaws apart from update their computers with the latest security fixes as soon as possible. Fixes for Linux and Windows are already available. Chromebooks updated to Chrome OS 63, which started rolling out in mid-December, are already protected.
    Android devices running the latest security update, including Google’s Nexus and Pixel smartphones, are already protected. Updates are expected to be delivered soon. Users of other devices will have to wait for the updates to be pushed out by third-party manufacturers, including Samsung, Huawei and OnePlus.
    An update from Apple on what is needed for its Mac computers and iOS devices is expected.

Now it's important to patch everything. Google Chrome, Firefox, Intel components, BIOS, Windows OS:

   Microsoft has issued an emergency security patch through Windows Update, but if you’re running third-party antivirus software then it’s possible you won’t see that patch yet.

   A firmware update from Intel is also required for additional hardware protection...

   
Ensure you have the latest Windows 10 updates and BIOS updates from Dell, HP, Lenovo, or one of the many other PC makers. We’re hoping Microsoft or Intel creates a simple tool (they have a PowerShell script right now) to check protection for both the firmware and Windows updates, but until such a tool is available you’ll need to manually check or get familiar with PowerShell. Here’s a quick step-by-step checklist to follow for now:
     - Update to the latest version of Chrome (on January 23rd) or Firefox 57 if you use either browser
     - Check Windows Update and ensure KB4056892 is installed for Windows 10
     - Check your PC OEM website for support information and firmware updates and apply any immediately

John Hurst's comment:
You need to run Windows (and MAC) updates for all current Workstation and Server operating systems. Windows X64 systems were largely patched by yesterday.
Dump any X86 / 32-bit Operating systems as quickly as you can (Workstations and Servers).

Meltdown vulnerability was found in Intel chips.
Spectre was found in both Intel and AMD + ARM as well.
There is a brilliant page that describes everything. Hope you will like it. HERE

Antiviruses might not help you. Patch, patch and patch!
1
mkramer777 (Author) Commented:
I'm worried about adding the patch and it not working with Sophos. Is there a way to auto add the registry entry so the patch will not affect virus software that is not compatible with it?
0
mkramer777 (Author) Commented:
Should I update all my machines so they have the latest Windows updates even if they will not show the Windows update for Meltdown because my antivirus is not compatible?
0
mkramer777 (Author) Commented:
Sorry for another post but I thought of something. This is for my servers. Instead of waiting for Sophos antivirus to come out with a fix, why can't I uninstall it and install something like MS Security Essentials and then run the patch update just so I have it on at least the servers?
0
Hello There (System Administrator) Commented:
I think this says everything (from your link):
Sophos has completed testing of installing the patch and setting the registry key and can confirm no compatibility issues were seen. We will begin to automatically add the registry key in updates to the following Sophos Endpoint/Server products starting 05 Jan 2018:

To be 100% sure you can contact Sophos support.
0
dbrunton (Quid, Me Anxius Sum? Illegitimi non carborundum.) Commented:
This really depends on your workstations and servers. It appears that there is a microcode patch and an operating system patch and an anti-virus patch. All depend on the manufacturers. If you've got a recent Intel CPU then there will be a microcode patch.

See https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/ and read the section on Intel. Also read the section on Microsoft and what they are doing. They have a PowerShell script -- it is linked in the Ars Technica article -- which can tell you how well your system is protected.

You can set the registry key manually if you wish and then do the update.  That is at the Sophos link.  If you are really worried then do it that way.

But remember that there may be three updates to do.
0
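The three layers discussed in this thread (operating system patch, antivirus compatibility registry flag, microcode), as an added read-only audit example that is not part of any post here. The function name `Get-ChipPatchStatus` is hypothetical, the registry key path and value name are placeholders to copy from the Sophos article linked in the question, and `Get-SpeculationControlSettings` comes from Microsoft's SpeculationControl PowerShell module and is used only if it is already installed.

```powershell
# Added example: read-only check, nothing is written to the registry
# and nothing is installed or uninstalled.
function Get-ChipPatchStatus {
    param(
        # KB named on this page for Windows 10; other Windows versions
        # use different KB numbers (adjust per machine).
        [string]$HotFixId = 'KB4056892',

        # Placeholders: take both from the Sophos article linked in the question.
        [Parameter(Mandatory)][string]$CompatKeyPath,    # 'HKLM:\<key path from the article>'
        [Parameter(Mandatory)][string]$CompatValueName   # '<value name from the article>'
    )

    # 1. Operating system patch: is the update already installed?
    $hotfix = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue

    # 2. Antivirus compatibility flag: Windows Update withholds the patch
    #    until the antivirus vendor (or an admin) has set this value.
    $flag = Get-ItemProperty -Path $CompatKeyPath -Name $CompatValueName `
                             -ErrorAction SilentlyContinue

    # 3. Microcode and mitigation state, if Microsoft's script is available.
    $spec = $null
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        $spec = Get-SpeculationControlSettings
    }
    $unknown = 'unknown (SpeculationControl module not installed)'

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        OsPatchInstalled     = [bool]$hotfix
        AvCompatFlagSet      = [bool]$flag
        # True only when firmware/microcode exposes the new CPU features.
        MicrocodeSupport     = if ($spec) { $spec.BTIHardwarePresent } else { $unknown }
        SpectreMitigationOn  = if ($spec) { $spec.BTIWindowsSupportEnabled } else { $unknown }
        MeltdownMitigationOn = if ($spec) { $spec.KVAShadowWindowsSupportEnabled } else { $unknown }
    }
}
```

A machine that reports `AvCompatFlagSet = False` and `OsPatchInstalled = False` is one where Windows Update is still withholding the patch; `MicrocodeSupport = False` after patching points to the separate BIOS or firmware update.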

mkramer777 (Author) Commented:
Why set the registry key manually if Sophos in the article says they have tested and all is well? Can't I run the msu patch and I'm done?
0
Hello There (System Administrator) Commented:
I'd do so. Test it on one machine, test it on more computers and then I'd deploy it.
0
mkramer777 (Author) Commented:
How will I test it? Wait for the computer to have issues? Or are you saying it won't even load?
0
mkramer777 (Author) Commented:
One more time with this question. Can't I uninstall Sophos, install the patch and reinstall Sophos?
1
Hello There (System Administrator) Commented:
Apply the patch and see any changes in behaviour.
0
mkramer777 (Author) Commented:
Also, if I want to add the registry value, how exactly do I do that? Do I copy and paste it where in the registry editor?
0
dbrunton (Quid, Me Anxius Sum? Illegitimi non carborundum.) Commented:
0
Jose Gabriel Ortega Castro (CEO) Commented:
I'm sorry to be here late.
I wrote an article last night that can help you guys find out whether you have the vulnerability or not.

https://www.experts-exchange.com/articles/31438/Intel-Bug-Spectre-and-MeltDown.html

Thank you and let me know if you have any comments.
0