Can F-Secure Client Security Premium detect and block attacks via Meltdown and Spectre?

According to one of the comments to this article it can, but can I get that confirmed? When testing to read memory with a "Spectre-attack", F-Secure Client Security Premium version 13.10 did NOT react at all.

https://safeandsavvy.f-secure.com/2018/01/04/meltdown-and-spectre-two-things-you-need-to-know/

Thanks,

JW

Best Answer

  • etomcat Posts: 1,312
    Accepted Answer

    Hello,

    I think we need to think logically about the whole flow-chart of events, instead of asking in sensational news headline style. So let me write what I think:

    - If the OS is unpatched then security applications like anti-virus (AV) products are heroes caught with their pants down... If the OS has holes like Swiss cheese then no application level security can save you. It is necessary to install the OS patches, even if it means a lot of testing for compatibility with in-house built applications, etc.

    (That's why F-Secure products include the "Software Updater" module, which is meant to search for and apply hotfixes to all 3rd party applications found on the computer, including but not limited to Microsoft items.)

    - If you have the Microsoft hotfixes applied to Windows, then you are protected against the new threat known as Fsckwit/KAISER/KPT/Meltdown/Spectre, etc.

    - In order to be offered and receive the Microsoft-supplied OS hotfixes, a special registry value is a pre-requirement and it must be correctly set within Windows. It is the job of anti-virus vendors to supply patches for their OWN products, which gives them continuing compatibility with the post-Spectre-hotfix Windows. (That's because the OS kernel needs significant changes for protection and AV products need to adapt their working). As soon as the AV vendor-supplied patch is applied, the special registry value is adjusted accordingly.

    Some AV vendors, like F-Secure have automated that process entirely or to a large degree. Some other AV vendors require an amount of manual work from the end user customer, e.g. changing the registry value by hand or by script.

    - When you already have the AV-supplied product patch in place and the registry value has been set, you can move on to patch the Windows OS against Spectre.

    (The AV vendor supplied patch doesn't mean, however, that the AV product will recognize a Spectre attack. It is theoretically impossible for application-level software to stop a threat that hits at the deepest OS level or even lower, like the incorrect layout of transistors in the circuits of an Intel CPU.)

    - The whole situation became a mess due to leaks in the world media, which necessitated the expediting of patch release from the planned 9 January date to 3 Jan 2018. The resulting hurry confused a lot of users. (Originally there was an agreed embargo concerning the vulnerability, to prevent premature leaks of details.)

    Best Regards: Tamas Feher, Hungary.
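The answer above describes a sequence (AV product update sets a registry value, Windows Update then offers the OS hotfix, the kernel mitigations then take effect) but does not name the value. The following added example, which is not from the thread or from F-Secure, uses Microsoft's published QualityCompat compatibility flag and Microsoft's SpeculationControl PowerShell module to let an administrator verify both halves of that sequence on a Windows host.

```powershell
# Added example: verify the AV compatibility flag that the January 2018
# Windows updates required before being offered, then report the kernel's
# speculative-execution mitigation status if the SpeculationControl module
# is installed. Key and value names are Microsoft's documented ones, not
# values taken from the forum thread. Run in an elevated PowerShell session.

$compatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-AvCompatFlag {
    # Returns $true only if the value exists and is a DWORD of 0, the exact
    # form Windows Update looked for before offering the mitigation hotfixes.
    $item = Get-ItemProperty -Path $compatKey -Name $compatValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$compatValue -eq 0)
}

function Get-MitigationStatus {
    # Microsoft's SpeculationControl module (Install-Module SpeculationControl)
    # queries the kernel for the mitigation state it actually applied.
    # Without the module, return $null so the caller reports a skipped check.
    if (Get-Module -ListAvailable -Name SpeculationControl) {
        Import-Module SpeculationControl
        return Get-SpeculationControlSettings -Quiet
    }
    return $null
}

if (Test-AvCompatFlag) {
    Write-Output 'AV compatibility flag present: OS hotfixes can be offered.'
} else {
    Write-Output 'AV compatibility flag missing: confirm the AV product update is installed before expecting the Windows hotfix.'
}

$status = Get-MitigationStatus
if ($null -eq $status) {
    Write-Output 'SpeculationControl module not installed; mitigation status not checked.'
} else {
    # Property names are those of the object the module returns.
    Write-Output ('Branch target injection (Spectre v2) mitigation enabled: {0}' -f $status.BTIWindowsSupportEnabled)
    Write-Output ('Kernel VA shadow (Meltdown) mitigation enabled: {0}' -f $status.KVAShadowWindowsSupportEnabled)
}
```

A flag that is present while the module reports both mitigations disabled is the case the answer describes: the AV side is ready but the OS hotfix itself has not yet been installed or enabled.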

Comments

  • And that is what I call a good answer. A big thank you Mr Feher!

  • etomcat Posts: 1,312

    Hello,

    I wish to ask if the new release "F-Secure Appliance for Virtualization 12.20 build 5" is related to fixes for the "Meltdown / Spectre" CPU bugs, found in the embedded CentOS Linux 6.8 system platform?

    (The release notes document doesn't mention any rationale for the unexpected publication of these new install packages.)

    Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.

  • MJ-perComp Posts: 1,098

    IMHO "Loss of IP-address" is reason enough to publish a new version.

  • etomcat Posts: 1,312
    Hello,

    > "Loss of IP-address" is reason enough to publish a new version.

    That line is already present in the version 12.20 build 3 publication, that's why I think build 5 may address something more recent, like the CPU vuln hysteria.

    BR: Tamas Feher, Hungary.