Meltdown and Spectre – The chip bugs and Intercept X Early Access Program

As I hope you are all aware, the computer world is dealing with a vulnerability at the chip level, and patches are going out. The early access program for Intercept X is affected. If you are not on the EAP, please see the Sophos Knowledge Base article https://community.sophos.com/kb/en-us/128053 and several news articles.

Current Sophos Shipping Products:

For customers running the current shipping Sophos Endpoint Standard, Advanced or Intercept X product, no action is required.

If you exit the EAP, your endpoint will revert to the current shipping Intercept X and no changes are required.

Machines in the EAP for Intercept X

If you want the Microsoft patch to auto-install, you need to make the following registry change.

To enable automatic download and installation of the MS patch, confirm that the following registry entry exists and is set:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"

Also see the Microsoft instructions

Security Advisory: ADV180002

AV-specific info: https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892


For customers running Windows 10 Redstone 3 or 4

You will need to make an additional registry edit prior to applying the patch.

To get the Intercept X Sophos System Protector to run correctly, we need to remove a registry setting.

Steps:

- First, from the administration console, disable tamper protection for the endpoint.

- Next, delete a registry setting for Sophos System Protector:

  Delete the WOW64 registry key for the Sophos System Protection Service: "HKLM\SYSTEM\CurrentControlSet\Services\Sophos System Protection Service"

NOTE: Once we release the updated Intercept X product all of this is resolved and no changes to registry settings will be required. 

Also, if you are still experiencing issues, please reply to this discussion post or create a new question and we will assist.

Thanks, Karl
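The two registry checks from the post above, as an added PowerShell example that is not part of Karl's post or of any Sophos tooling. It assumes an elevated session, that tamper protection has already been disabled in the console, and reads the "WOW64 registry key" in the post as the WOW64 value stored under the service's own key; the Redstone 3 build-number cutoff (16299, i.e. Windows 10 1709) is an assumption of the example and is not stated on the page. The script only reports unless -Fix is given, and honours -WhatIf.

```powershell
# Added example, not from the original post: audit (and optionally apply)
# the QualityCompat flag and the WOW64 value described above.
# Run from an elevated PowerShell prompt:  .\Check-InterceptXEap.ps1 [-Fix] [-WhatIf]
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix   # without -Fix nothing is written, only reported
)

# 1. Microsoft's AV compatibility flag. Windows Update only offers the
#    January 2018 patch when this REG_DWORD exists and is 0.
$qcPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$qcName  = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$qcValue = 0

$current = (Get-ItemProperty -Path $qcPath -Name $qcName -ErrorAction SilentlyContinue).$qcName
if ($current -eq $qcValue) {
    Write-Host "QualityCompat flag present and set to 0: the patch will be offered."
} else {
    Write-Warning "QualityCompat flag missing or wrong (found: '$current'); the patch will not auto-install."
    if ($Fix -and $PSCmdlet.ShouldProcess("$qcPath\$qcName", "Set REG_DWORD to 0")) {
        if (-not (Test-Path $qcPath)) { New-Item -Path $qcPath -Force | Out-Null }
        New-ItemProperty -Path $qcPath -Name $qcName -PropertyType DWord -Value $qcValue -Force | Out-Null
        Write-Host "QualityCompat flag created."
    }
}

# 2. Redstone 3/4 only: the WOW64 entry under the service key.
#    Assumption: the post's "WOW64 registry key" is the WOW64 value under
#    the service's own key, and Redstone 3 starts at build 16299 (1709).
$svcPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos System Protection Service'
$build   = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

if ($build -lt 16299) {
    Write-Host "Build $build is earlier than Redstone 3; the WOW64 step does not apply."
} elseif (-not (Test-Path $svcPath)) {
    Write-Warning "Service key not found under $svcPath; is the Intercept X EAP build installed?"
} else {
    $wow = Get-ItemProperty -Path $svcPath -Name 'WOW64' -ErrorAction SilentlyContinue
    if ($null -eq $wow) {
        Write-Host "No WOW64 value on the service key; nothing to remove."
    } else {
        Write-Warning "WOW64 value present on the service key (value: $($wow.WOW64)); the post says it must be removed on Redstone 3/4."
        if ($Fix -and $PSCmdlet.ShouldProcess("$svcPath\WOW64", "Remove value")) {
            # Fails with access denied if tamper protection is still enabled.
            Remove-ItemProperty -Path $svcPath -Name 'WOW64'
            Write-Host "WOW64 value removed; start the service to confirm."
        }
    }
}
```

Running it without -Fix first gives a clean before/after record of what was on the machine, which is worth keeping for the ticket if the service still does not start.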

  • Thanks for the information.  I did suffer the issue for a while before finding this article.

    Before removing the WOW64 key, when manually attempting to start the "Sophos System Protection Service" from the Services MMC snap-in, I was seeing this error message:

    Likewise, when using SC.exe, the same error 50 is returned:

    PS C:\WINDOWS\system32> sc.exe start "Sophos System Protection Service"
    [SC] StartService FAILED 50:

    The request is not supported.

    Also, the same message is in the System event log when the service attempts to start:

    Log Name: System
    Source: Service Control Manager
    Date: 06/01/2018 10:10:45
    Event ID: 7000
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: LAPTOP-6QK47GT8
    Description:
    The Sophos System Protection Service service failed to start due to the following error:
    The request is not supported.
    Event Xml:
    <Event xmlns="schemas.microsoft.com/.../event">
    <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2018-01-06T10:10:45.713385900Z" />
    <EventRecordID>59141</EventRecordID>
    <Correlation />
    <Execution ProcessID="788" ThreadID="14368" />
    <Channel>System</Channel>
    <Computer>LAPTOP-6QK47GT8</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="param1">Sophos System Protection Service</Data>
    <Data Name="param2">%%50</Data>
    <Binary>53006F00700068006F0073002000530079007300740065006D002000500072006F00740065006300740069006F006E00200053006500720076006900630065000000</Binary>
    </EventData>
    </Event>

    Hopefully Google will index all this info to make searching for the errors easier to find.

    Regards,

    Jak
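As an added example that is not from Jak's reply, the following PowerShell pulls the same Service Control Manager event 7000 entries from the System log and flags those carrying error 50 for the Sophos System Protection Service, so the symptom can be confirmed before the WOW64 value is removed and checked again afterwards. It assumes the service name above and that param2 comes back as the "%%50" string shown in the event XML.

```powershell
# Added example, not part of the reply above: find 7000 (service failed to
# start) events for the Sophos System Protection Service in the System log
# and report which ones carry Win32 error 50, "The request is not supported".
$serviceName = 'Sophos System Protection Service'

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000
} -ErrorAction SilentlyContinue

# param1 is the service name, param2 the error code, stored as "%%<code>"
# in the event data (see the Event XML in the reply above).
$hits = foreach ($e in $events) {
    $p = $e.Properties
    if ($p.Count -ge 2 -and $p[0].Value -eq $serviceName) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Service = $p[0].Value
            Error   = ([string]$p[1].Value) -replace '^%%', ''
            Message = $e.Message
        }
    }
}

if (-not $hits) {
    Write-Host "No 7000 events for '$serviceName' found in the System log."
} else {
    $hits | Sort-Object Time | Format-Table Time, Error -AutoSize
    $err50 = @($hits | Where-Object Error -eq '50')
    if ($err50.Count -gt 0) {
        Write-Warning "$($err50.Count) start failure(s) with error 50; check the WOW64 value under HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
    }
}

# After the WOW64 value has been removed, a manual start should succeed and
# no new 7000/50 event should appear:
#   sc.exe start "Sophos System Protection Service"
```

The sc.exe exit and the event record are the same error 50 seen two ways, so a machine that still logs a fresh 7000 event with error 50 after the registry change has not had the value removed, or had it re-created by a tamper-protected component.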