Until your anti-virus adds this Registry key, you aren’t getting any more Windows security updates

What a mess.

Graham Cluley
Graham Cluley
@[email protected]

Until your anti-virus adds this Registry key, you aren't getting any more Windows security updates

You’re security conscious. You’re aware of the threats. You like to run a tight ship.

You install the latest security patches, and – of course – you run an up-to-date anti-virus.

Well, things just got a heck lot more complicated for users of some anti-virus programs.

Sign up to our free newsletter.
Security news, advice, and tips.

That’s because Microsoft has said that customers who are running certain anti-virus products will not receive its bundle of January 2018 security patches (including mitigations against the Spectre and Meltdown CPU flaws) unless their products certify that they don’t make unsupported calls into Windows kernel memory.

According to Redmond, some security products jump through some hoops and perform double somersaults to bypass the Kernel Patch Protection built into the operating system. And unfortunately, those techniques, are incompatible with Microsoft’s latest patches – and cause computers to blue screen.

So, Microsoft is demanding that anti-virus products certify that their software work with its fixes by adding a registry key every time they startup.

The message from Microsoft is fairly blunt:

Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key

To be fair, Microsoft is caught between a rock and a hard place on this one. The last thing they want to do is roll out an update that causes computers to crash. It’s a painful decision, but if they can determine which computers don’t appear to be running a “safe” anti-virus program then they’re probably right not to push out security updates to that PC.

Anti-virus vendors have little choice. They will have to fix their products to fall into line, as customers won’t be satisfied with being blocked from receiving Microsoft security updates.

As always, care will need to be taken by security vendors that any fixes are made properly so as not to introduce other unintended problems.

More details of the issue can be found in this blog post by researcher Kevin Beaumont, including a link to a spreadsheet he is maintaining of which anti-virus products are setting the Registry key.

Now then, I wonder how long it will be until we see bad guys toggling the Registry key to stop PCs receiving security updates?

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:

Smashing Security #060: 'Meltdown, Spectre, and personal devices in the White House'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

9 comments on “Until your anti-virus adds this Registry key, you aren’t getting any more Windows security updates”

  1. JoelB

    "Now then, I wonder how long it will be until we see bad guys toggling the Registry key to stop PCs receiving security updates?"

    Grahame, I would suggest that if bad guys are already messing around in HKLM then you probably have bigger problems!

    1. Sveinbjorn · in reply to JoelB

      Editing these registry keys in a vulnerable pc would just be one more way to keep your malware persistent and silently keep this pc unpatched.

  2. BaliRob

    Meawhile …………..?

  3. Angie Jones

    I noticed that Comodo Internet Security, which I have installed on my HP Windows computer isn't on the spreadsheet sheet list to be sent a Registry Key. Does that mean it's compatible with the new updates?

    1. Graham CluleyGraham Cluley · in reply to Angie Jones

      All that we can infer is that the guy maintaining the spreadsheet hasn't created an entry for Comodo.

      I would recommend contacting Comodo technical support to discover what their status is.

      1. Angie Jones · in reply to Graham Cluley

        Hi Graham,

        Thank you for ur reply, that helped a lot! ????

  4. Adrian

    If no antivirus, Microsoft will not upgrade ? Or Microsoft needs an antivirus from eligible editors to upgrade ?

    1. Carol · in reply to Adrian

      It's like a flag. If your antivirus doesn't cause any issues( Blue screen of death ) then you get an OK flag ( register value ) and Microsoft servers will eventually recognize and download the update.

  5. Chris Pugson

    My Windows 7 system uses an AMD Sempron 3000 64-bit processor. The quality compatibility registry entry (protected by security policy) is present but there is still no January 2018 update of any kind. I expect 3 separate updates: the main security rollup, a .NET security and quality rollup and good old KB890830. Only two (I guess) components are intended to fix the Meltdown/Spectre issue. There are probably other unconnected critical updates but are they really affected by the kernel updates required for the processor bug fix?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.