Bundaburra

Turning off protection for Spectre and Meltdown

There is a suggestion in the Feb 25 issue of the AskWoody newsletter that the protection provided by Microsoft could be turned off, via the InSpectre tool from Steve Gibson. Apparently an improvement in overall performance can be achieved by turning this off.

Does Emsisoft Anti Malware provide adequate protection against these, or would we be better advised to leave it turned on?

On 2/26/2019 at 5:40 PM, Bundaburra said:

Does Emsisoft Anti Malware provide adequate protection against these, or would we be better advised to leave it turned on?

I'm fairly certain that no security software can provide adequate protection against these vulnerabilities, especially since they are generally exploited through otherwise trustworthy software running remote scripts (such as web browsers).

 

On 2/26/2019 at 5:40 PM, Bundaburra said:

Apparently an improvement in overall performance can be achieved by turning this off.

The performance gain would be minor. The amount that the patches affected performance was extremely dependent on the number of users on the system, and thus terminal servers and certain "cloud" hosting servers suffered the greatest performance impact (maybe 15% to 20%). For the average home user, I would believe the estimated reduction in performance was 5% or less. Admittedly the conditions under which the patches caused performance reduction may have been different for each patch, as there were a number of different vulnerabilities related to similar CPU technologies, and of course one or more patches for each of those vulnerabilities in order to try to mitigate them.

 

If you want to play with the mitigations for these vulnerabilities to test the performance differences of the system, then I recommend making an image of the disk first, that way you have something to restore the system from when you're done or if anything goes wrong.

  • Upvote 1


I have a Haswell CPU in one desktop and the speed slowdown is a big problem. Only use it once a week. I disabled the protection the last time I used the machine. What I noticed is that the first time I run Chrome or another program it is very slow to load. Fast if I open it again. I guess because some of the program is not cleared from memory when the program shuts down. I was looking for the Microsoft patch, but it is not shown. Might be because the patch was installed in an earlier version of Win 10. It is on 1809 now. This weekend when I fire it up, I will find out if the slowdown is still there.

KB4482887 is not installed, at least not in 1809

8 hours ago, Ken1943 said:

What I noticed, is that the first time I run Chrome or another program it is very slow to load.

That's because, once you launch Google Chrome, Windows keeps it cached in RAM. It's called "Standby Memory". You can view how much of your RAM Windows is using for this in Resource Monitor (resmon.exe).

Google Chrome is actually notorious for being slow to launch, and has been since long before the Spectre and Meltdown vulnerabilities were discovered.

 

8 hours ago, Ken1943 said:

KB4482887 is not installed, at least not in 1809

It was released yesterday. It's a cumulative update, and it includes an update to the Spectre v2 mitigations that makes them more efficient by replacing Microsoft's method for mitigating the issue with one developed by Google. I highly recommend leaving the mitigations turned on, and installing this update since you're on 1809.

I have a Haswell CPU as well (Core i7 4770K), and I installed the update yesterday. In addition to the system seeming more responsive, I noticed that Anthem ran a bit smoother with slightly less CPU usage (although I still have to keep its framerate capped at 60 to keep it from having issues due to too much CPU usage).

Keep in mind that CPUs with Haswell cores were first released in 2013, and compared to more modern processors they aren't nearly as powerful. I would believe they also suffered more of a performance impact from Intel's own microcode updates than newer CPUs. Keep in mind though that the performance impact hit systems with multiple users harder than it did systems with only one user.


I also run an i7 4770K and the hit was bad. I just picked on Chrome, but could see the problem with other programs. Sometimes I wonder about the "panic" with some of the malware. Let's face it, malware will never end!!

1 hour ago, Ken1943 said:

Sometimes I wonder about the "panic" with some of the malware.

This wasn't about malware. This was about serious vulnerabilities in processors that could have exposed information from any running process. This information could include anything you had open at the time the vulnerabilities were exploited. Financial information, password databases, browser history, etc. And it is exploitable from within a web browser, so all you'd have to do is visit a malicious website.

As I said, I highly recommend leaving the mitigations turned on. Microsoft's latest patch for the Spectre v2 mitigations (released March 1st) does help with performance issues.

  • Like 1


I am confused with this patch. 

I heard about the MS update which I never got. Have it now, just have to install it.

>There wasn't a BIOS/microcode update for my Asus mobo that I could find unless the patch from GRC.com was supposed to fix the problem. <

I didn't pay much attention to the warning last year & was waiting for a BIOS update which never came.

Asus doesn't update 4-year-old mobos I guess.

So I am between a rock and no place!!! lol

23 hours ago, Ken1943 said:

>There wasn't a BIOS/microcode update for my Asus mobo that I could find unless the patch from GRC.com was supposed to fix the problem. <

I didn't pay much attention to the warning last year & was waiting for a BIOS update which never came.

Asus doesn't update 4-year-old mobos I guess.

ASUS didn't publish BIOS updates for my motherboard either; however, Microsoft included Intel's microcode updates in Windows Updates once they felt it was safe to do so. Unless you have Windows Update turned off, then you almost certainly have the microcode update.

 

23 hours ago, Ken1943 said:

I am confused with this patch. 

I heard about the MS update which I never got. Have it now, just have to install it.

You mean the new one (KB4482887) from March 1st, 2019 that adds retpoline support to Windows 10?

It's a little different from your average patch, as it doesn't necessarily take effect right away. Microsoft explains it better at this link, but basically they are slowly turning the feature on over time rather than it automatically being enabled once the patch is installed. That allows them to delay enabling it for most users, just in case there are issues with the patch. If you have it installed, and want to ensure it's on now, then open an elevated Command Prompt and run the following commands:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x408
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x400

 

You can open an elevated Command Prompt quickly in Windows 10 1809 by right-clicking on the Start button, selecting Windows PowerShell (Admin), typing cmd into the blue window that opens, and then pressing Enter on your keyboard. You can paste a command into the Command Prompt (or PowerShell) by right-clicking in its window. Be sure to press Enter on your keyboard to execute commands after pasting them. Be sure to restart your computer after running these commands.

Note that you can run those commands directly in PowerShell without needing to execute cmd first. Traditionally commands such as reg don't display normal output in PowerShell like they do in the Command Prompt, although Microsoft may have resolved that issue by now.

BleepingComputer has an article covering turning on retpoline at the following link, which includes .reg files you can import to make turning it on easier:
https://www.bleepingcomputer.com/news/security/boost-windows-10-performance-with-retpoline-spectre-mitigation/
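
An added example, not part of the original posts: a read-only PowerShell check to run before and after the two reg add commands above. It backs up the Memory Management key, compares the current override values with the ones quoted in the post, and shows the last boot time and whether KB4482887 is listed. The backup file name and its location in %TEMP% are assumptions made for this example.

```powershell
# Added example (not from the thread): read-only check of the mitigation override values.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$regKey  = 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Values copied from the two reg add commands in the post above.
$expected = [ordered]@{
    FeatureSettingsOverride     = 0x408
    FeatureSettingsOverrideMask = 0x400
}

# 1. Back up the key first so the previous state can be re-imported with "reg import".
#    The file name and the %TEMP% location are arbitrary choices for this example.
$backup = Join-Path $env:TEMP ('MemoryManagement-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 2. Compare what is in the registry with the values from the post.
$props = Get-ItemProperty -Path $regPath -ErrorAction Stop
$report = foreach ($name in $expected.Keys) {
    $current = $props.$name            # $null when the value was never created
    [pscustomobject]@{
        Value    = $name
        Current  = if ($null -eq $current) { '(not set)' } else { '0x{0:X}' -f $current }
        Expected = '0x{0:X}' -f $expected[$name]
        Matches  = ($null -ne $current) -and ($current -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize

# 3. The post says to restart after running the commands; show the last boot time
#    so it can be compared with the time the values were written.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# 4. Check whether the update named in the thread is listed. A later cumulative
#    update may replace it in this list, so "not listed" is not conclusive.
$kb = Get-HotFix -Id 'KB4482887' -ErrorAction SilentlyContinue

[pscustomobject]@{
    BackupFile      = $backup
    LastBoot        = $lastBoot
    KB4482887Listed = [bool]$kb
} | Format-List
```

To undo the change later, import the saved file with reg import from an elevated prompt and restart.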
