
ESET and KB4056892


Is ESET ver 11.0.159 compatible?

https://support.microsoft.com/en-us/help/4056892 ...

Due to an issue with some versions of Anti-Virus software, this fix is only being made applicable to the machines where the Anti virus ISV has updated the ALLOW REGKEY. Contact your Anti-Virus AV to confirm that their software is compatible and have set the following  REGKEY on the machine
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"
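A read-only check for the compatibility flag quoted in the post above, as an added PowerShell example that is not part of the original post or of Microsoft's or ESET's tooling. The function name `Get-QualityCompatStatus` and the output field names are made up for illustration; the key path, value name, type, data, and KB number are the ones quoted on this page.

```powershell
# Added example: audit the antivirus compatibility flag described in KB4056892.
# Read-only: nothing is written to the registry.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$KbId      = 'KB4056892'

function Get-QualityCompatStatus {
    $r = [ordered]@{
        Computer     = $env:COMPUTERNAME
        OsBuild      = $null
        KeyPresent   = $false
        ValuePresent = $false
        ValueKind    = $null
        ValueData    = $null
        FlagValid    = $false
        KbListed     = $false
    }

    # Build number plus update revision, e.g. 16299.192 after this update on Windows 10 1709.
    $cv = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $r.OsBuild = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

    if (Test-Path -LiteralPath $KeyPath) {
        $r.KeyPresent = $true
        $key = Get-Item -LiteralPath $KeyPath
        if ($key.GetValueNames() -contains $ValueName) {
            $r.ValuePresent = $true
            $r.ValueKind    = $key.GetValueKind($ValueName)
            $r.ValueData    = $key.GetValue($ValueName)
            # The quoted KB text requires Type REG_DWORD and Data 0x00000000;
            # a value of the wrong type or with other data does not match it.
            $r.FlagValid = ($r.ValueKind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                           ($r.ValueData -eq 0)
        }
    }

    # Get-HotFix only reports updates currently recorded as installed. After a later
    # cumulative update replaces this one the KB may no longer be listed, so compare
    # OsBuild as well before concluding the patch is missing.
    $r.KbListed = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    [pscustomobject]$r
}

Get-QualityCompatStatus | Format-List
```

`FlagValid = True` with `KbListed = False` matches what several posters below report: the antivirus has set the flag, but Windows Update has not yet offered or installed the update.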

Product used: EIS 11.0.159.0

Was just about to post on this when I spotted this thread. I checked my system, and I don't even have a subkey called 'QualityCompat'. So my guess would be that EIS and NOD32 ARE NOT compatible. Whether this changes is most likely up to ESET.

Edited by cybot

I just installed it manually and everything looks fine:

 

Windows 10 Cumulative Update to Build 16299.192

 

First download the Cumulative update then install it:

 
 
 
After the reboot, download and install the Servicing Stack and install it:
 

  • Most Valued Members
28 minutes ago, Phoenix said:

I just installed it manually and everything looks fine:

 

Does it show ESET is handling AV & Firewall in Windows Defender Security Centre by installing manually and bypassing the checks in place by Windows Update to make sure the reg key is present?

It's a substantial update security wise (kernel) and surely there must be some reasoning behind Microsoft hiding the update unless the key is present without any user intervention or manual bypassing of the check. The use of "quality and compatibility" in the same sentence would put me off going down this route myself.

Since this was an early/rushed update to Windows it will have caught lots of vendors off guard with the timing and not only ESET.

Your method might be fine @Phoenix :D , but I will hold off until the update can be delivered normally via Windows Update which I would expect to be not very long :)


 


  • Administrators

After updating the modules, you should receive Antivirus and antispyware module 1533.3 which adds the above mentioned registry value. The module will be updated automatically typically within one hour so no action is required from users.


Marcos ... I have ESET AV x64 installed on a Win10 1709 system and a Win7 SP1 system. Both systems successfully updated to module 1533.3. Neither system is pulling down the security update via Microsoft Update. Either the registry entries are not there and/or not being read by Windows (I will check to confirm later), or MS is not pushing the update through the Microsoft Update app channels yet. Please advise. Thank you!


3 hours ago, howardagoldberg said:

Marcos ... I have ESET AV x64 installed on a Win10 1709 system and a Win7 SP1 system. Both systems successfully updated to module 1533.3. Neither system is pulling down the security update via Microsoft Update. Either the registry entries are not there and/or not being read by Windows (I will check to confirm later), or MS is not pushing the update through the Microsoft Update app channels yet. Please advise. Thank you!

Same here. Reg. key update exists and Eset module shows 1533.3. Manually checked for updates and none available.

Note that Microsoft's recommended manual install for the update differs from what @Phoenix posted: https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892 .

I also wonder if Microsoft is only offering the update initially via Windows Update to PCs w/Intel CPU's that are most vulnerable to this issue?

Edited by itman

FYI: https://twitter.com/x0rz/status/948832798391066624 . My AMD Phenom build shows only CVE-2017-5715 - Rogue Data Cache Load vulnerability.

Quote

AMD says there’s a “near-zero” risk to its processors because of differences in its architecture, and Google does note that the Spectre vulnerability is harder to exploit.

https://liliputing.com/2018/01/inte...bilities-discovered-googles-project-zero.html

Additional ref.: https://www.amd.com/en/corporate/speculative-execution

I for one am "not going to lose any sleep" over this one. Also not going to force update via Win Catalog download since it makes kernel changes that could "come back to haunt you."


3 hours ago, itman said:

Same here. Reg. key update exists and Eset module shows 1533.3. Manually checked for updates and none available.

Note that Microsoft's recommended manual install for the update differs from what @Phoenix posted: https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892 .

I also wonder if Microsoft is only offering the update initially via Windows Update to PCs w/Intel CPU's that are most vulnerable to this issue?

I have a 1st gen i7 and the update was not pushed to me. I don't know if it was because the required regkey was not present in the system or not. But after installing the update(s) as instructed above, I then activated Defender's periodic scan feature, and updated the signatures for that. The key then appeared in the registry. I tried getting the module update for EIS, but it would not update till this morning, at which point the key was already present. I am assuming that if I had activated the periodic scan and updated Defender prior to installing the update, it would have installed the key beforehand, and possibly the update would have gotten pushed to me via Windows Update. This needs to be tested, obviously....


  • Most Valued Members
48 minutes ago, cybot said:

I am on west coast USA, so by 11pm 1/3/18 I should have had it available. But it wasn't

This particular update seems to have a very strange availability pattern. I received it not long ago here in the UK 19:00 GMT on my desktop PC, but it's still not available on my laptop on the same network. Just the matter of waiting a little longer I guess :rolleyes:


I  suspect this update is hardware dependent. Suspect Microsoft rolling out the update to all devices w/Intel CPU's since they are the most vulnerable.

2 hours ago, cyberhash said:

but it's still not available on my laptop on the same network

What type CPU is installed on the laptop?


  • Most Valued Members
2 minutes ago, itman said:

I  suspect this update is hardware dependent. Suspect Microsoft rolling out the update to all devices w/Intel CPU's since they are the most vulnerable.

What type CPU is installed on the laptop?

Desktop is an i7 and the laptop is an i5. Why I found it strange why there was a difference in the timing, just got the laptop update about 30 mins ago :blink:. Guess there is some strange reason behind it we will never know :)


  • ESET Moderators

Hello,

I've just posted "ESET's response to Meltdown and Spectre CPU vulnerabilities" so that everyone can keep track of ESET's responses.

As for Microsoft's update to Windows, please keep in mind that Microsoft often rolls these out in stages.

Regards,

Aryeh Goretsky


I had NOD32 v10.x and was unable to apply this update. NOD32 was saying that I'm up to date ... but no v11.x is here.

I've updated manually, now I can install KB4056892


Yesterday I updated my five systems to V11.x and scanner module 1533.3 (20180104). All systems are running NOD32 (x64), just one (1) updated through 'Windows update' to KB4056892. All systems were running OS build 16299.125 before these attempts, i.e. they were fully patched Fall Creator's Update including those for December 2017.

Checking the registry on all other (i.e. save the one that updated correctly) systems shows that ESET ('s update) correctly applied the key-change in the registry, but Windows Update still won't apply said Cumulative Update for January 3 2018. What's (slightly) more worrying is that I cannot apply those patches manually as well ( In my case: windows10.0-kb4056892-x86_delta_45f3a157eb4b4ced11044f6c462f21ec74287cb5), which of course I should be able to do.

There still seems to be a bit of work to do, either by MS or by ESET.


  • ESET Moderators

Hello,

Microsoft rolls out big updates in stages, so you may have to wait a bit.  You might want to check with Microsoft support to see if there are any additional prerequisites or blockers other than security software which might be affecting your deployment.

Regards,

Aryeh Goretsky

 

5 minutes ago, RikStigter said:

Yesterday I updated my five systems to V11.x and scanner module 1533.3 (20180104). All systems are running NOD32 (x64), just one (1) updated through 'Windows update' to KB4056892. All systems were running OS build 16299.125 before these attempts, i.e. they were fully patched Fall Creator's Update including those for December 2017.

Checking the registry on all other (i.e. save the one that updated correctly) systems shows that ESET ('s update) correctly applied the key-change in the registry, but Windows Update still won't apply said Cumulative Update for January 3 2018. What's (slightly) more worrying is that I cannot apply those patches manually as well ( In my case: windows10.0-kb4056892-x86_delta_45f3a157eb4b4ced11044f6c462f21ec74287cb5), which of course I should be able to do.

There still seems to be a bit of work to do, either by MS or by ESET.

 


@ESET, any plans to force all running NOD32 to update to latest version? I've found it takes >6 months for the auto-update to grab and install the next version milestone - some of my systems are still on v10. Due to the severity of this exploit I cannot agree with the delayed NOD32 rollout in this case, it must be forced with the updated regkey so Windows Update can apply the patch, otherwise myself and others who use ESET will have to visit family members' PCs to update NOD32 manually, which is inconvenient.

Edited by Aaron Stevens

  • Administrators
On 1/5/2018 at 12:02 PM, Aaron Stevens said:

Due to the severity of this exploit I cannot agree with the delayed NOD32 rollout in this case

Neither Meltdown nor Spectre vulnerabilities have anything to do with the version of the ESET product that you have installed. All ESET products would protect you equally in case there's actual malware exploiting the vulnerability.


2 hours ago, Marcos said:

Neither Meltdown nor Spectre vulnerabilities have anything to do with the version of the ESET product that you have installed. All ESET products would protect you equally in case there's actual malware exploiting the vulnerability.

The catch is not in the detection of malware using those vulnerabilities. For which you are right.

The catch is that from this date onward, a registry key needs to be present to install the latest cumulative patch from Microsoft. It is so because of a significant incompatibility between antivirus and the fix for the Meltdown and Spectre vulnerability. The antivirus installer puts the key to indicate the antivirus was successfully tested with the Meltdown/Spectre patch.

In short, you end up with that choice. Push early the latest version of antivirus that is tested with the patch OR delay the installation of future Windows patches.
The greater risk is in delaying the future Windows patches.


  • Administrators
6 hours ago, spaceharfang said:

The catch is that from this date onward, a registry key needs to be present to install the latest cumulative patch from Microsoft. 

As already mentioned in other topics on this forum, ESET released an update on Jan 4, a few hours after Microsoft announced the availability of the patch. I was referring to the concern of the user above that with v10 installed he is not as well protected against possible malware exploiting the recently discovered vulnerabilities as he would be with v11.

