/build/static/layout/Breadcrumb_cap_w.png

KACE SMA (K1000) | Spectre & Meltdown Analysis

01/09/2018 update: added a Report and another CIR.
01/12/2018 update: updated the script to use the current script version of today (1.0.4)  > Download
                                Scriptchangelog from Microsoft:
                                        Added message directing users to explanation of output
                                        Addressed feedback regarding multiple CPUs when setting $cpu 
02/02/2018 update: corrected & updated the vulnerable report. Added a new report with secured devices.
                                Vulnerable Report: Download
                                Secured Report: Downlaod

For an official statement from quest please visit: https://support.quest.com/kb/237193

Hi all, 

here a quick blog to check the hardware vulnarabilities CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 or better known as Spectre and Meltdown.
I am using the Microsoft security guidance ADV180002 as base script with KACE modifications. 

The outcome of this blog will be that you can easily see, filter, report and label all your Windows clients higher than Windows 7 SP1 or Server 2012 R2 which are vulnerable or secure against Spectre and / or Meltdown. To archive this we first need a script. 

The script can be found in the downloaded "Spectre_Meltdown.zip".
If you need assistance to import it to your KACE SMA (K1000) please feel free to contact me. 
cpu01.png

The script will create the logfile: "C:\Windows\Logs\KACE_CPU_Check.log" and rewrite it every time. 

To have the posibility to search, label and report these data we need a CustomInventoryRule.
The can be found in the downloaded "Spectre_Meltdown.zip".
cpu02.png

After that you should be able to filter everything like you know to do it. 
Enabled protections appear in the output as "true".

Example for filtering for vulnerable devices:
cpu03.png
If you go to the details you would see that this device is vulnerable against both.
cpu04.png


Now you want to check with one click which devices are vulnerable and compatible to get patches through patching. To do that we first need again a custom inventory which checks if the compatibility registry key is available.This can also be found in the downloaded "Spectre_Meltdown.zip".


The next step is to import the two reports which are stored in the the downloaded "Spectre_Meltdown.zip". The first report will show all vulnerable devices. The second report will list all devices which are secure.
You can modify / add / delete everything wihtin the scripts, custom inventories or SQL-Reports. 
If you rename your custom inventory rules change the names in the SQL query too.


Cheers Timo


Comments

  • Note for Symantec Endpoint Protection users: you probably can't install Microsoft patches released after January 3rd 2018 (witch may include fixes for the Meltdown and Spectre vulnerabilities) due to an issue with the ERASER driver:
    https://support.symantec.com/en_US/article.TECH248545.html

    Here is a quick custom inventory rule to check your machines for the ERASER driver version:

    ShellCommandTextReturn(reg query HKLM\SYSTEM\CurrentControlSet\Services\eeCtrl\Parameters\Clients /v /f EraserUtilDrv*)

    If this includes "EraserUtilDrv11730", what seems to be the latest version of the ERASER driver now (January 9th 2018) you should be able to install these Microsoft updates.

    Installation of compatible ERASER drivers (comes through a definition update by the way) seems to set the QualityCompat-registry value (https://support.microsoft.com/en-hk/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software) - chrpetri 3 years ago
    • Thanks for sharing chrpetri!
      I double checked and my private device with Symantec Endpoint Protections Small Business Edition already got the update and the registry key.
      Regards
      Timo - Timokirch 3 years ago
  • Great stuff Timo! - jamie_kace 3 years ago
  • Thank you so much for the scripts Timokirch.
    I have imported the scripts and have enabled and ran the "Meltdown & Spectre Analysis" script and am ready to run the "Spectre & Meltdown vulnerable and ready to patch" report, but pardon my ignorance, how do I use the CustomInventory Software packages you created? - Shock 3 years ago
    • Hi Shock,
      after you imported the custom Inventory Packages you'll find them in "Inventory/Software" section if you search for "Inventory" (that's the name i gave them). They wil be checked at each inventory. Please double-check the "Supported Operating Systems" setting to match your enviroment. These inventory settings will be checked then on every device inventory. There is nothing more to do because the report will automaticly use the data from theses inventory rules. If you want to double check the results you can go to the device details and check the "custom inventory fields" section.
      Regards
      Timo - Timokirch 3 years ago
  • Ideas on when we should see these patches available in the security area of the K1000? - DLCurtis 3 years ago
    • Hi DLCurtis,
      you already should see the Patches in your catalog.
      Regards
      Timo - Timokirch 3 years ago
      • Hi Timo, under which category/sub category would I find the patch? - adrianK 3 years ago
      • Hi adrianK,
        you can find the the Mircosoft Patches released in January in your Patchcatalog- make shure that this is up to date. Dell Bios Updates should be available as soon as Dell puts them into ther packages. Until now they are availabnle for deployment here:

        http://www.dell.com/support/article/us/en/19/sln308587/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-products?lang=en

        http://www.dell.com/support/article/de/de/debsdt1/sln308588/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-emc-products-dell-enterprise-servers-storage-and-networking-?lang=en

        Regards
        Timo - Timokirch 3 years ago
      • You can create a patch smart label for the patches mentioned by Microsoft at https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002#ID0EGB

        SELECT
        Unix_Timestamp(KBSYS.PATCHLINK_PATCH.RELEASEDATE) AS DATEPOSTED_SECONDS,
        KBSYS.PATCHLINK_PATCH.IS_APP,
        KBSYS.PATCHLINK_PATCH.IMPACTID AS DESCRIPTION,
        KBSYS.PATCHLINK_PATCH.RELEASEDATE AS DATEPOSTED,
        KBSYS.PATCHLINK_PATCH.IS_SUPERCEDED,
        KBSYS.PATCHLINK_PATCH.DESCR,
        KBSYS.PATCHLINK_PATCH.ID AS BID,
        KBSYS.PATCHLINK_PATCH.UID AS UID,
        KBSYS.PATCHLINK_PATCH.IDENTIFIER AS BULLETINID,
        KBSYS.PATCHLINK_PATCH.STATUSID AS STATUS,
        KBSYS.PATCHLINK_PATCH.TYPE,
        KBSYS.PATCHLINK_PATCH.VENDOR,
        PATCHLINK_PATCH_COUNT.UNPATCHED,
        Year(KBSYS.PATCHLINK_PATCH.RELEASEDATE) AS DATEPOSTED_YEAR,
        PATCHLINK_PATCH_COUNT.PATCHED,
        KBSYS.PATCHLINK_PATCH.TITLE,
        KBSYS.PATCHLINK_IMPACT.IMPACT_SEQ,
        PATCHLINK_PATCH_STATUS.STATUS AS PATCH_STATUS,
        KBSYS.PATCHLINK_PATCH.CACHE_SIZE AS CACHE_SIZE,
        KBSYS.PATCHLINK_PATCH.ID AS TOPIC_ID
        FROM
        KBSYS.PATCHLINK_PATCH
        LEFT JOIN PATCHLINK_PATCH_COUNT ON PATCHLINK_PATCH_COUNT.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
        JOIN KBSYS.PATCHLINK_IMPACT ON KBSYS.PATCHLINK_IMPACT.IMPACT = KBSYS.PATCHLINK_PATCH.IMPACTID
        LEFT JOIN PATCHLINK_PATCH_STATUS ON PATCHLINK_PATCH_STATUS.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
        WHERE
        KBSYS.PATCHLINK_PATCH.VENDOR LIKE '%Microsoft%' AND
        KBSYS.PATCHLINK_PATCH.IS_SUPERCEDED = '0' AND
        ((KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056890%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056893%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056892%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056891%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056895%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056568%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056894%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056888%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4057114%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4057113%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4058560%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4058559%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4057118%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4058561%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4057122%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4058562%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056897%') OR
        (KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056898%')) - chrpetri 3 years ago
  • My AV vendor is not updating the registry key so we have to do it via KACE. I have a script that is working correctly but I am wondering if a reboot is required to have KACE see the new key. Anyone know? Thanks - eric.samuelson 3 years ago
    • Hi Eric,
      can you double-check that you wrote the regkey to HKLM64? If you use the default HKLM KACE will use the 32 bit registry.
      Regards
      Timo - Timokirch 3 years ago
      • Hi Timo,
        We are using HKLM64.
        Set “HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat”.
        Set “HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat!cadca5fe-87d3-4b96-b7fb-a231484277cc” to “0x00000000”.

        It seems to set it correctly but KACE does not detect it until we do a reboot. Is a reboot normally required?

        Thanks - eric.samuelson 3 years ago
      • Hi Eric,
        Kace should detect the key (if set correctly) after an inventory of the device and with my CIR imported. Can you double-check what happens if you set the key manualy?
        Regards
        Timo - Timokirch 3 years ago
  • Thanks a lot for this very helpful article!! - jmast 3 years ago
  • Hi Timo,
    I am kind of new at using KACE and was wondering if you could give me some assistance on how to import the Spectre/Meltdown report you created on a KACE 1000?
    I would like to run a report to see what machines do not have the KB files installed.
    Doing some research I found the following KB files that need to be installed:

    KB4056892
    KB4056897

    Thank you.
    Jon. - Stikino 3 years ago
    • Hi Jon,
      welcome to the KACE team :)

      Importing is realy easy - just follow the guidlines here: https://support.quest.com/technical-documents/kace-sma/8.0/administrator-guide/74#TOPIC-829006

      If you need a special report for your listed KB's then you can reuse the SQL-Statement posted by chrpetri above. Here you can find a detailed guide to save this report to your appliance: https://support.quest.com/technical-documents/kace-sma/8.0/administrator-guide/191#TOPIC-829475

      If there is anything unclear or still help needed ask you local sales rep from quest or you local distribution partner to get in touch with us.

      Best regards
      Timo - Timokirch 3 years ago
      • Great. I will give it a try.
        Thanks for your help greatly appreciated.

        Best,
        Jon. - Stikino 3 years ago
      • Hi Timo,
        I too am kind of new at using KACE, but we also have a network issue that prohibits us from turning on the Samba share. Would it be possible to share the text of this, such that I can recreate the scripts?

        Thanks, Duane - Duane 3 years ago
      • I also have problems importing the spectre_meltdown_1_0_4.kpkg. Where can I ask help? - AlexTheGreat 3 years ago
  • I got the script running on our K1000 but the log file doesn't have the details. Only shows this and nothing in between when transcript start and stops. We're still on k1000 6.4

    **********************
    Windows PowerShell transcript start
    Start time: 20180117095621
    Username :
    Machine : (Microsoft Windows NT 6.1.7601 Service Pack 1)
    **********************
    **********************
    Windows PowerShell transcript end
    End time: 20180117095624
    ********************** - anonymous_138311 3 years ago
  • Great work Timo,

    I'm having an issue with the script. It ran on some computers, but failed for 90% with the error message:

    Running as SYSTEM
    Import-Module : The 'C:\ADV180002\SpeculationControl.psd1' module cannot be imp
    orted because its manifest contains one or more members that are not valid. The
    valid manifest members are ('ModuleToProcess', 'NestedModules', 'GUID', 'Autho
    r', 'CompanyName', 'Copyright', 'ModuleVersion', 'Description', 'PowerShellVers
    ion', 'PowerShellHostName', 'PowerShellHostVersion', 'CLRVersion', 'DotNetFrame
    workVersion', 'ProcessorArchitecture', 'RequiredModules', 'TypesToProcess', 'Fo
    rmatsToProcess', 'ScriptsToProcess', 'PrivateData', 'RequiredAssemblies', 'Modu
    leList', 'FileList', 'FunctionsToExport', 'VariablesToExport', 'AliasesToExport
    ', 'CmdletsToExport'). Remove the members that are not valid ('RootModule'), th
    en try to import the module again.


    Any ideas?


    Thanks! - antz96 3 years ago
    • Hi antz96,

      I had the same error at first but found in zip file the SpeculationControl.psd1 file has a line RootModule = 'SpecuationControl.psm1'. This is a feature of newer versions of Powershell. But if you comment out and add or change the line to ModuleToProcess = 'SpeculationControl.psm1' then the script should work on machines with both older and newer versions of Powershell. - anonymous_138311 3 years ago
      • Hi periwinkle,

        Thanks for the help. I made that change, but I'm still getting the same error. I make the changes in the \\k1000\client\PAYLOAD directory, correct? - antz96 3 years ago
      • antz96

        You have to go into the script, under Dependencies, download SpeculationControl_KACE.zip. Make the change periwinkle outlined, save the SpeculationControl.psm1 file then zip the contents back up. Now back under the script delete the old SpeculationControl_KACE.zip and upload your edited one. - NateCanDo 3 years ago
      • Hi everyone,
        sorry for the delayed answer. Thank you all very much for these informations and workarounds you have shared. I will modify the script on friday and reupload it as ready to use package.
        Best Regards
        Timo - Timokirch 3 years ago
  • Tim,

    Even with periwinkle's workaround, I still get most of my machines that fail while running the script. If I view the logs of the "failed" runs, however, it appears that it has run correctly, the script just doesn't write the contents to the KACE_CPU_Check.log file. Here are the contents of the script log of a "failed execution" machine:

    Running as SYSTEM
    Transcript started, output file is C:\Windows\Logs\KACE_CPU_Check.log
    Speculation control settings for CVE-2017-5715 [branch target injection]
    For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629
    Hardware support for branch target injection mitigation is present: False
    Windows OS support for branch target injection mitigation is present: False
    Windows OS support for branch target injection mitigation is enabled: False
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: False
    Windows OS support for kernel VA shadow is enabled: False
    Suggested actions
    * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
    * Install the latest available updates for Windows with support for speculation control mitigations.
    * Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119
    BTIHardwarePresent : False
    BTIWindowsSupportPresent : False
    BTIWindowsSupportEnabled : False
    BTIDisabledBySystemPolicy : False
    BTIDisabledByNoHardwareSupport : False
    KVAShadowRequired : True
    KVAShadowWindowsSupportPresent : False
    KVAShadowWindowsSupportEnabled : False
    KVAShadowPcidEnabled : False
    Transcript stopped, output file is C:\Windows\Logs\KACE_CPU_Check.log
    Creating process returned non-zero: C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\370\kace5329.bat : (0) The operation completed successfully.
    Error Code: 0
    Status Code: 1
    Activity Log

    verify - on_verify_success
    verify - on_verify_failure
    verify - file_unzip
    Unzipping file: C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\370\SpeculationControl_KACE.zip C:\ADV180002
    verify - launch_program
    Launching program: 'C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\370\kace5329.bat' '' wait='true'
    Debug Log

    Running kbot: runkbot 370 1516640153
    KBotScript::LogScriptInfo - Start
    id=370 name=Meltdown & Spectre Analysis version=1516640153 type=policy
    execute disconnected=false logged_off=true
    execute events
    KBotScript::LogScriptInfo - Finish
    KBotScript::LogScriptInfo - Start
    id=370 name=Meltdown & Spectre Analysis version=1516640153 type=policy
    execute disconnected=false logged_off=true
    execute events
    KBotScript::LogScriptInfo - Finish
    KBotScriptManager::CleanupDependencies - clean up dependencies in kbot directory C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\370\
    CleanupDependencies: file kace5329.bat is part of the dependency list, keep the file
    CleanupDependencies: file C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\370\kace9023.bat is no longer needed, clean it up
    CleanupDependencies: file C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\370\kace_cpu.ps1 is no longer needed, clean it up
    CleanupDependencies: file C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\370\SpeculationControl.psd1 is no longer needed, clean it up
    CleanupDependencies: file C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\370\SpeculationControl.psm1 is no longer needed, clean it up
    CleanupDependencies: file SpeculationControl_KACE.zip is part of the dependency list, keep the file
    runkbot ----- launching [path='C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\370' program='kace5329.bat' parms='' wait='true'] -----




    And here are the contents of his KACE_CPU_Check.log:

    **********************
    Windows PowerShell Transcript Start
    Start time: 20180122105836
    Username : DOMAIN\SYSTEM
    Machine : *pc name removed* (Microsoft Windows NT 6.1.7601 Service Pack 1)
    **********************
    **********************
    Windows PowerShell Transcript End
    End time: 20180122105837
    ********************** - NateCanDo 3 years ago
    • I had the same problem with the KACE_CPU_Check.log as you after I figured out the import-module error that antz96 also got. The SpeculationControl.psm1 file has Write-Host which works great when ran from PowerShell console. I did some searching and found some stackoverflow posts about Write-Host were saying the write-host cmdlet writes to console. Since kbot script runs with no console there's no output for the transcript. One workaround I did was change the Write-Host to Write-Output and removed the foreground color parameters, removed any Write-Host without any text to prevent errors.

      Then in the batch file I change the part that runs powershell to output to file like this:

      Powershell.exe -executionpolicy RemoteSigned -Command "& C:\ADV180002\kace_cpu.ps1 > C:\Windows\Logs\KACE_CPU_Check.log"

      Finally in the kace_cpu.ps1 file I removed the parts for start-transcript and stop-transcript.

      The text in the log file came out looking like this. A little more condensed but the output came out correct:
      Speculation control settings for CVE-2017-5715 [branch target injection]
      For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629
      Hardware support for branch target injection mitigation is present: False
      Windows OS support for branch target injection mitigation is present: False
      Windows OS support for branch target injection mitigation is enabled: False
      Speculation control settings for CVE-2017-5754 [rogue data cache load]
      Hardware requires kernel VA shadowing: True
      Windows OS support for kernel VA shadow is present: False
      Windows OS support for kernel VA shadow is enabled: False
      Suggested actions
      *
      Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
      *
      Install the latest available updates for Windows with support for speculation control mitigations.
      *
      Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119


      BTIHardwarePresent : False
      BTIWindowsSupportPresent : False
      BTIWindowsSupportEnabled : False
      BTIDisabledBySystemPolicy : False
      BTIDisabledByNoHardwareSupport : False
      KVAShadowRequired : True
      KVAShadowWindowsSupportPresent : False
      KVAShadowWindowsSupportEnabled : False
      KVAShadowPcidEnabled : False

      I'd post screenshots or upload my files but don't know how to do that here. - anonymous_138311 3 years ago
      • Thank you periwinkle. That fixed it for me. Like you said, the output is condensed but the info is there. - NateCanDo 3 years ago
      • I am also having this issue. I tried to make the recommended edits, but still the results are only in the script failure report. Is it possible to copy/paste the sections with changes? I probably have a syntax error somewhere. I am running script as Domain Admin

        Batch file:
        =====================
        @echo off
        cd C:\ADV180002
        Powershell.exe -executionpolicy remotesigned -File C:\ADV180002\kace_cpu.ps1
        set folder="C:\ADV180002"
        cd /d %folder%
        for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
        cd C:\
        IF EXIST "C:\ADV180002" (
        rmdir "C:\ADV180002" /s /q
        )
        ============================
        kace_cpu.ps1:

        Import-Module .\SpeculationControl.psd1
        $ErrorActionPreference="SilentlyContinue"
        # Stop-Transcript | out-null
        $ErrorActionPreference = "Continue"
        # Start-Transcript -path C:\Windows\Logs\KACE_CPU_Check.log
        Get-SpeculationControlSettings
        # Stop-Transcript

        ============================
        Script Activity Log:

        verify - on_verify_success
        verify - on_verify_failure
        verify - file_unzip
        Unzipping file: C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\168\SpeculationControl_KACE.zip C:\ADV180002
        verify - launch_program
        Launching program: 'C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\168\kace5836.bat' '' wait='true'

        ==============================
        Script Debug Log:

        Running kbot: runkbot 168 1518213877
        KBotScript::LogScriptInfo - Start
        id=168 name=Meltdown & Spectre Analysis version=1518213408 type=policy
        execute disconnected=false logged_off=true
        execute events
        KBotScript::LogScriptInfo - Finish
        KBotScript::LogScriptInfo - Start
        id=168 name=Meltdown & Spectre Analysis version=1518213408 type=policy
        execute disconnected=false logged_off=true
        execute events
        KBotScript::LogScriptInfo - Finish
        KBotScriptManager::CleanupDependencies - clean up dependencies in kbot directory C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\168\
        CleanupDependencies: file kace5836.bat is part of the dependency list, keep the file
        CleanupDependencies: file SpeculationControl_KACE.zip is part of the dependency list, keep the file
        runkbot ----- launching [path='C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\168' program='kace5836.bat' parms='' wait='true'] ----- - cbranson 3 years ago
  • Is anyone working with systems that have Bitlocker enabled? How are you suspending it before applying these patches? Id love to make it a fully automated process but Im thinking it might be more of a manual process:

    - create a script to suspend it via powershell (or CMD)
    - Apply updates
    - Bitlocker should turn itself back on after BIOS updates and reboot

    Does anyone know of a way to combine both Scripting and Dell Updates into one? Or do we know specifically if Dell Updates does this for us if detected? - davidgellner 3 years ago
This post is locked
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ