Fidelis has released a script for Fidelis Endpoint customers that allows users to quickly query their environment to check for the existence of the OS patches in addition to the hardware mitigations and optimizations in relation to Spectre/Meltdown. This allows for quick reporting across all endpoints to check the coverage and installation of patches.
Fidelis Endpoint customers can get this script now from the Download Center.
Additional information re: detection of the Spectre/ Meltdown vulnerabilities by your existing AV (From the official Meltdown/Spectre site https://meltdownattack.com):
- Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.
- Can my antivirus detect or block this attack?
While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.
As you may have heard there were three critical vulnerabilities discovered in Intel® and other processors recently. These vulnerabilities affect nearly every computer running on all different Operating Systems and platforms (Windows®, Mac®, Linux®, etc.). The vulnerabilities were dubbed “Meltdown” and “Spectre”. For more information regarding these, please visit the official documentation page at: https://meltdownattack.com or the SANS Spectre and Meltdown: What You Need to Know Right Now articles.
Microsoft® and others have recently issued patches to address these vulnerabilities, and Fidelis® understands how critical it is to get these implemented in your organization as quickly as possible. The purpose of this blog is to describe for you what we know at this time regarding Fidelis software as well as more general advice on the security steps you should take.
Regarding Fidelis Software
The Microsoft patches that were released in response to the vulnerabilities affect how Anti-virus (AV) software is able to interact with the underlying operating system. Some AV software packages may use undocumented structures that are changed in this patch. Microsoft requires AV vendors to certify that their AV solution will not cause problems when run with the patch installed. If the AV is not certified, then Microsoft’s Update system will not install the patches until the AV is updated. These patches can be installed manually without updating the AV.
Fidelis has certified the Fidelis AV add-on as safe with the Microsoft patches and has released a version of Fidelis AV that is certified as of January 5th. The Fidelis AV patch simply certifies to Windows that Fidelis AV will work if the Microsoft patch is installed. It does not contain any product feature changes, nor does it patch any vulnerability in Fidelis code or Microsoft code.
Endpoint customers that do not use the optional Fidelis AV add-on are encouraged to install the Microsoft patches as soon as possible according to their patch management policies.
Endpoint customers that do use the optional Fidelis AV add-on should download the patch from the Download Center and implement it before applying the Windows update to any endpoints with AV enabled.
Note: Endpoint Cloud customers have already had this patch applied to their systems, and do not need to take any action.
On-Premise Endpoint Customers
Endpoint customers with on-premises installations are encouraged to install Microsoft and other OS-level patches on the Endpoint servers as soon as possible according to their patch management policies.
In addition to the AV patch, Fidelis will be releasing a script package for use in Fidelis Endpoint that can be used to identify whether machines have had the Microsoft patches applied or not. The goal is to ensure all of your systems have been updated successfully.
Fidelis Network® customers running on hardware appliances from Fidelis
Fidelis development is actively reviewing all Fidelis Network software to determine if our software is affected by these vulnerabilities. Fidelis hardware appliances use Intel microprocessors and the vulnerability is in those devices. Fidelis network sensors, Collectors, and K2 (formerly CommandPost) are designed to only allow Fidelis software to execute on those appliances. The appliances do not reach out to the internet, and do not run any code that is not packaged by Fidelis. Hence, although we are still analyzing this, we believe that there is no real exposure to these vulnerabilities for our network appliances.
Fidelis Sandbox appliance is under investigation, but we anticipate needing to release a software patch.
Fidelis Network Customers running on VMWare®
Fidelis development is actively reviewing all Fidelis Network software to determine if our software is affected by these vulnerabilities when running on VMware. We will update you when we know more. Customers should apply security patches released by VMWare as soon as possible to protect their infrastructure. You can go here for the VMWare advisory: VMSA-2018-0002.
Fidelis Cloud Endpoint and Network consoles and collectors will be updated if it is determined that there is a vulnerability. No action by customers will be needed, however Fidelis will notify customers if components are patched.
Endpoint Cloud customers have already had the AV patch applied to their systems, and do not need to take any action.
Advice from Fidelis Threat Research on Meltdown and Spectre
As of now, we have not seen evidence of exploitation of these vulnerabilities in the wild, but we will continue to monitor for this in the coming days. At present, the only risk is for confidentiality of information in memory, there does not appear to be a direct path to remote code execution.
We expect that there will be attempts to leverage these vulnerabilities. Systems that process untrusted code are at particular risk. Firefox® specifically stated their testing shows malicious web pages could be crafted to exploit this, and there is no reason to believe that is not true for other browsers. Servers that do not run remote code and IoT devices that take minimal user input are, to a degree, less at risk.
While browser and operating system patches are available, many are reporting significant CPU performance hits to their systems. Spectre, in particular, is not fully addressed by OS patches as ultimately the long-term fix is still being explored.
Fidelis Threat Research will monitor the situation as it develops and deploy rules and indicators to protect against these threats as they develop.