Security Tool: Implement registry keys per Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Version 7

    Purpose

    Microsoft lifted the AV compatibility check related to the Spectre/Meltdown vulnerabilities for all patches released since January Patch Tuesday. All related definitions were modified in this release to reflect Microsoft's changes.

     

    Instructions

     

    You will be creating a Scan Template and Patch Group to specifically target this Security Tool. This will allow you to scan with automatic deployment without having to worry about installing other Security Tools we offer. We will be offering 2 Security Tools: one to implement the registry keys and another to remove the registry keys.

     

    • IVA18-001 Q4072698: This tool enables the fix for ADV180002
    • IVA18-001 Q4072698U: This tool disables the fix for ADV180002

     

    Creating the Patch Group

     

    A Patch Group contains a list of patches you can use as a baseline (to scan for) or use to exclude from scan results. We will be using a Patch Group as a baseline to scan for IVA18-001 Q4072698.

     

    1. Navigate to New > Patch Group.  Enter a Name for the Patch Group and optionally a Description. Click Save.

     

    2. Search for IVA18-001 or 4072698. Right-click on the Security Tool IVA18-001 Q4072698 and choose Add to Patch Group, then choose the Patch Group you created.

     

    3. The Patch Group is created and can be added to the Patch Scan Template. Close the Patches window.

     

    Creating the Patch Scan Template

     

    The Scan Template, along with your new Patch Group, will help you scan for the new Security Tool.

     

    1. Navigate to New > Patch Scan Template

     

    2. Give the Scan Template a Name; matching the Patch Group Name is advisable.

     

    3. In the Baseline or Exceptions section, choose Baseline and check-mark your Patch Group. (No other filtering is needed.)

     

    4. The Scan Template should look similar to this:

     

     

    5. The Patch Scan Template is created. Click Save.

     

    Scanning for the Security Tool

     

    The setup is complete. You can use your new Patch Scan Template to scan for the new Security Tool IVA18-001 Q4072698. The Security Tool will show as missing on systems that do not have the registry keys on them and can be deployed like a regular update. A reboot is required.

     

    Additional Information

     

    • The target systems need to be restarted after running the Security Tools to enable or disable the registry keys for the changes to take effect.
    • You can follow these instructions to scan for the uninstall Security Tool by creating a Patch Group including the IVA18-001 Q4072698U version of the tool.
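
    A read-only PowerShell check that can be run on a target system after deployment and restart, added here as an example (it is not Ivanti's or Microsoft's code). The registry paths and values are those of Microsoft's KB4072698 guidance as originally published for ADV180002; that the IVA18-001 Q4072698 tool writes exactly these values is an assumption.

```powershell
# Added example: verifies the mitigation registry values and reports the last
# boot time. Paths/values follow Microsoft KB4072698 (original ADV180002
# guidance); assumed, not confirmed, to be what the Q4072698 tool sets.
$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# Expected state after the "enable" tool. The "disable" guidance instead sets
# FeatureSettingsOverride to 3 with the same mask of 3.
$expected = @(
    @{ Path = $mm;   Name = 'FeatureSettingsOverride';            Value = 0;     HyperVOnly = $false }
    @{ Path = $mm;   Name = 'FeatureSettingsOverrideMask';        Value = 3;     HyperVOnly = $false }
    @{ Path = $virt; Name = 'MinVmVersionForCpuBasedMitigations'; Value = '1.0'; HyperVOnly = $true  }
)

$results = foreach ($e in $expected) {
    $actual = $null
    $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.($e.Name) }

    [pscustomobject]@{
        Name       = $e.Name
        Expected   = $e.Value
        Actual     = if ($null -eq $actual) { '<not set>' } else { $actual }
        Match      = ($null -ne $actual) -and ($actual -eq $e.Value)
        HyperVOnly = $e.HyperVOnly
    }
}

# The values only take effect after a restart, so show when the system last
# booted; compare this with the time the Security Tool was deployed.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$results | Format-Table -AutoSize
"Last boot: $lastBoot"

# Values marked HyperVOnly matter only on Hyper-V hosts, so they do not fail
# the check on other servers.
$failed = $results | Where-Object { -not $_.Match -and -not $_.HyperVOnly }
if ($failed) {
    "NOT CONFIGURED: $($failed.Name -join ', ')"
    exit 1
}
"Registry values match the enable guidance; confirm the restart happened after deployment."
```

    A non-zero exit code means at least one of the two Memory Management values is missing or different, which is the state the scan reports as the Security Tool being missing.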

     

    Affected Product(s)

     

    Ivanti Patch for Windows Servers 9.3.x

    Shavlik Protect 9.2.x