Author Topic: Intel Bug Meltdown/Spectre Win 10 Update - Contact your Anti-Virus AV to confirm  (Read 68033 times)


REDACTED

  • Guest
The PCs in my company do not have direct access to the Internet.
Internet access goes through a Squid proxy server;
the settings are taken from IE through WPAD.
The antivirus is updated via a mirror, Avast Enterprise Administration 8.0.405.

I gave a test PC direct access to the Internet
and launched the file c:\Program Files\AVAST Software\Avast Business\AvastEmUpdate.exe

I noticed that there was a log in the folder c:\ProgramData\AVAST Software\Avast\AvastEmUpdate.ini
containing:
[Config]
LastAppliedPatchId = 381

And two new files in the folder c:\Program Files\AVAST Software\Avast Business\
AvastEmUpdate.exe.sum
AvastEmUpdate.exe.bak.10567838635595355225

And a new file: c:\Program Files\Common Files\avast software\overseer\overseer.exe

I rebooted the PC
and checked for updates via WSUS and… yes! The update is visible!

I noticed that in the task scheduler there is a task to start AvastEmUpdate.exe automatically when you turn on the PC.
I allowed direct access to the Avast update servers on the gateway (I will not post a list of networks here because I do not know if this is allowed).
After two or three reboots my PC sees the updates KB4056892, KB4056891 and those released after.
Later I'll try to update my PC via WSUS.

REDACTED

  • Guest
I was able to install patch KB4056892 via WSUS

Offline SeReB

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1005
    • Avast Business
In case your computers are not directly connected to the internet and the Windows Update channel is therefore unavailable, you have to use another supported channel to get the hotfix. Also, depending on your OS version, the hotfix might not be available via Windows Update.

Please refer to the January 2018 Windows operating system update schedule table for more information about available channels. Anyway, the released hotfixes are always available via the Catalog.
« Last Edit: February 13, 2018, 07:52:25 PM by SeReB »

REDACTED

  • Guest
Hi,

Strange thing: yesterday we also found out that proxies and Avastemupdate.exe are one important problem.
It looks like that there were done some microcode updates or whatever else as add on to the registry entries and in our case
also the problem, because we can't get any patches via WSUS offline or WUA API calls.
Today I've sent a high priority case to the EMEA support and our German sales manager to get further information about this process and/or a fix which we can deploy on our own, because we can't open all connections for our 1500 servers only because Avast isn't able to work properly with proxies and so on.

@SeReB:
You're right that some special Microsoft updates are only available via the catalog server, but that's not the general goal in this case. The problem that we have, or e.g. fordiegolg has, is that it worked without any problems with WSUS Online but NOT with WSUS offline or WUA API calls like many 3rd party vendors are using. For this case you need a fix to deploy Avast's update manually, to fix Avastemupdate.exe to use a proxy and, the main topic, to inform at least business users about these hidden operations that cost a lot of time and money while contacting L2/L3 of other vendors like Microsoft Premier... >:(

Furthermore, I've now linked your comments to the appropriate people at Avast who are responsible for us, who sadly also didn't know this kind of information!

Offline SeReB

> It looks like that there were done some microcode updates or whatever else as add on to the registry entries and in our case

There are two ways to have the MS hotfix required registry keys installed.
1) registry keys are created by emergency updates (avastemupdate.exe), but this requires a direct connection to Avast's update servers. There could be a delay up to 24 hours (update window interval), unless avastemupdate.exe is run manually. (Can use /debug parameter to see more information about the process.)
2) registry keys are created by regular virus definition updates of Endpoint Protection business products (which is the suitable way for machines behind mirror).

These two options' results are equivalent. Once the keys are present, all prerequisites of the hotfix are met, and we neither cooperate further nor (intentionally) interfere with the Windows update mechanism. I have personally tested the scenario with machines connected only to a mirror machine, and the hotfix was delivered and installed properly. Therefore I think the problem is not in the way the AV delivers the registry keys. As manually creating the registry keys does not solve the situation, it strengthens my suspicion that the problem is not in AV, but in WU.

Therefore our support is going to reach out to you to provide more detailed information from the affected systems in order to find any reference of a problem in Windows/WU that could be accidentally caused by Avast AV, plus the option to allow the upgrade IPs.

REDACTED

  • Guest
This is not related to the keys in the registry.
The key was set when Avast was installed and stayed after Avast was removed.
In all tests the key was present in the registry.
Without a micro patch obtained through avastemupdate, updating via WSUS or WU does not work.

Avastemupdate should have direct access to the Internet because it cannot update through the AEA mirror or any other.

PS
I'm talking about this key
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"


>>>Avast isn't able to work properly with proxies
This is true. New bug in Windows 1709: https://forum.avast.com/index.php?topic=215594.0
« Last Edit: February 16, 2018, 06:43:49 AM by fordiegolg »

REDACTED

  • Guest
Fordiegolg, that's absolutely right. The main problem is that a lot of versions and/or components of Avast's software are not proxy capable.
As mentioned before, and as the Avast guys already know, the emergency updater is one part of it, but at least in our case the regular VPS pattern updates didn't set ALL of these registry settings, and therefore we fought against this problem up to yesterday afternoon. To me it looks like the mirror fix automatically applied at the end of January has a bug. The general MS/Meltdown key was set, that's right, but NOT the QualityCompat key in the ASWVMM section.
>HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters\QualityCompat - Reg_Dword "1"<
And in our case this was the problem. We've fixed it now as a workaround by deploying a script on all 1500 machines (but btw. it doesn't solve the problem for similar updates in the future). Therefore I've contacted the business support again for a real solution...
Sorry guys, the main problem is definitely in AV and NOT in WU...

There was only one strange side effect before: yes, we sometimes had trouble with the old WSUS offline cab, direct connection to the internet and those 2 keys, and therefore investigation was also difficult for us because for a short time it was a combination of three factors. But with the newest WSUS offline cab these symptoms are gone for sure. (I'm still waiting on feedback from the L2 MS Premier engineer regarding this problem; he could probably give me some information about that.)
But 95% of the problem was caused by the missing ASWVMM key...


Offline SeReB

> This is not related to the keys in the registry.
Yes, that is exactly what I was trying to say in the previous comment. The problem is not related to the registry keys. The updates deliver just the keys, nothing else. It is true, that the update through avastemupdate does set the aswVmm\parameters\QualityCompat key, while the VPS update does not.

> Without a micro patch obtained through avastemupdate, updating via WSUS or WU does not work.
There is no micro patch applied. The avastemupdate utility upgrades itself first, then the new one applies the registry keys. Nothing else is patched.
That is why more debug data from your WU/WSUS configuration was requested, so it would show us why the update is not offered.

> >HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters\QualityCompat - Reg_Dword "1"<
> And in our case this was the problem.
This is Avast's registry key. You should not set the value manually. If you have added it manually, also check that you have the OtherVMMs key present, otherwise you might get a BSOD after restart!

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\aswVmm\parameters]
"OtherVMMs"=hex(7):61,00,76,00,67,00,76,00,6d,00,6d,00,00,00,61,00,73,00,77,00,\
  76,00,6d,00,6d,00,00,00,00,00
"QualityCompat"=dword:00000001

I will get back as soon as I know more what the key is meant for.
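
The registry values discussed in this thread, read from a `.reg` export, as an added example that is not part of any post and is not Avast's or Microsoft's code: it parses the export text, decodes the `hex(7)` (REG_MULTI_SZ, UTF-16LE) data, and reports whether the two QualityCompat values named above are present. The sample text is constructed from the values quoted on this page; the function names and result labels are assumptions.

```python
import re

# Constructed sample in `reg export` layout, built from values quoted in this thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat]
"cadca5fe-87d3-4b96-b7fb-a231484277cc"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\aswVmm\parameters]
"OtherVMMs"=hex(7):61,00,76,00,67,00,76,00,6d,00,6d,00,00,00,61,00,73,00,77,00,\
  76,00,6d,00,6d,00,00,00,00,00
"QualityCompat"=dword:00000001
'''
MS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\qualitycompat"
MS_VALUE = "cadca5fe-87d3-4b96-b7fb-a231484277cc"
VMM_KEY = r"hkey_local_machine\system\currentcontrolset\services\aswvmm\parameters"

def decode_value(raw):
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if m := re.match(r"hex(?:\((\w+)\))?:(.*)", raw):
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "7":  # REG_MULTI_SZ: NUL-separated UTF-16LE strings
            return [s for s in data.decode("utf-16-le").split("\0") if s]
        return data  # other hex types are returned as raw bytes
    return raw.strip('"')

def parse_reg(text):
    """Return {lower-cased key path: {value name: decoded value}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join "\"-continued hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"'):
            if m := re.match(r'"([^"]+)"=(.*)', line):
                current[m.group(1)] = decode_value(m.group(2))
    return keys

def check_prerequisites(keys):
    """Report the state of the values this thread names (labels are assumptions)."""
    vmm = keys.get(VMM_KEY, {})
    return {
        "ms_quality_compat": keys.get(MS_KEY, {}).get(MS_VALUE) == 0,
        "aswvmm_quality_compat": vmm.get("QualityCompat") == 1,
        "other_vmms": vmm.get("OtherVMMs"),
    }

if __name__ == "__main__":
    print(check_prerequisites(parse_reg(SAMPLE_REG)))
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `parse_reg`.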

REDACTED

  • Guest
????
Yes, you're right that it is Avast's key, but it is the key that was automatically set by your AVASTEMUPDATE.exe on a system that is working. So what?
The "OtherVMMs" key you've mentioned is on ALL systems REG_MULTI_SZ with value data "avgvmm aswvmm" !!??

On NO system is there a key with your values (also where avastemupdate worked and had direct internet access).
Btw., we are working with AVAST Enterprise Protection Suite AEA 8.0.405 and a managed client 8.0.1609 on 1500 SERVERS; I'm not sure whether we are talking about the same product.
At the moment I've set the same key as it was on the machines that are working. If you really still believe that your key is missing?, please explain why it is on none of the systems that were updated automatically ?...

REDACTED

  • Guest
And again..
I've found the next bug, or better, the reason why your emergency updates sometimes didn't work in real life.
In my case I'm also working with a 10-user EPS of my own beside our 1500 licenses in our company. Today I wasn't able to update at least one of my systems anymore (in this case a Windows 8.1). What a surprise, the aswvmm key was missing again. Tried to set it, didn't work.
Not while using UAC but while using "self defense" of Avast. Deactivated it and could set the key manually again, set self defense again. Restarted the machine and what a surprise. Updates are working again without any problems, rebooted my machine. Still no BSOD....
While doing the work that Avast should do....
Why isn't Avast able after 5 weeks to fix all of these Meltdown related bugs in EPS and wherever ?

Offline SeReB

> If you really still believe that your key is missing?, please explain why it is on none of the systems that were updated automatically ?...
> Why isn't Avast able after 5 weeks to fix all of these Meltdown related bugs in EPS and wherever ?

I have requested the details about the extra registry key and because the SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat key can be written by any software and not by the possibly incompatible AV software, Microsoft has requested additional vendor-specific requirements for certain AV versions in order to consider AntiVirus software compatible. Unfortunately we were not aware of that requirement being applied also to SOA/EP.

We are going to release a VPS update that is going to add the required QualityCompat=1 key and will enable the machines behind a mirror to receive the MS hotfix. We are very sorry for the delay in the MS hotfix delivery.

REDACTED

  • Guest
Perfect news!