Scenario:

  • Update patches are not available
  • Mail access is not available (which means no clicks on malicious links)

Will disabling File and Printer Sharing protocol in individual Network Adapter Settings act as a primary defense against Wannacry (SMB/EternalBlue based exploit)?

I was just wondering if this method actually worked for shared file system propagation exploit systems. Can someone confirm/clarify if this works?

Stevoisiak
Glitch
  • *"Update patches are not available"* If you don't mind me asking, why not? – Run5k May 14 '17 at 14:53
  • For computers that are on a public network but don't have access to the internet because of subscriptions. For example, my ISP uses peer-based networking. But the internet subscription can run out. And that won't mean that your computer is disconnected from other peers in the network. – Glitch May 14 '17 at 14:56
  • No; it's not enough; you need to install the patch, then within the registry, disable SMBv1, but without the patch you're still vulnerable. It would be trivial to write malware that enables SMBv1 then spreads itself. – Ramhound May 14 '17 at 14:59
  • You can potentially download the patch from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx), burn it to a CD-R and install it on those machines. – Run5k May 14 '17 at 15:01
  • I am doing this against my better judgement; please install the patch: [How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server](https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012) – Ramhound May 14 '17 at 15:02
  • My computer already has the patches installed. I was going to try and infect a clean VM from an infected VM. Just a bit of curiosity toward doing defense testing using this exploit's penetration capabilities. Although I still have to find a source infected file for this. – Glitch May 14 '17 at 15:08
  • The fact you don't know of a source for this malware tells me you shouldn't be playing with it. Please do the web a favor and don't infect a VM, which could, in theory, infect more machines unless you properly isolate both the host and the VM; even if you do that, you will change the behavior of the worm itself because it adapts its behavior if it's on an internal network. – Ramhound May 14 '17 at 15:48
  • I clearly asked the question in the wrong community. People are too bent on what's right and what's not when I clearly mentioned that I'm going to try penetration testing. I wouldn't do that unless I knew how to isolate a VM in a security sandbox. I appreciate your input but please don't add unnecessary information unless it's related to or has the answer to what I asked. And please don't 'tell' yourself anything about me. – Glitch May 14 '17 at 21:04

2 Answers

Let me post a documented answer to respond to the question (or at least mostly).

The Microsoft Security detailed report states that for those legacy systems without an updated Windows Defender, and on which the updated patch kb4012598 has not been applied yet, there are only two workarounds:

  • Disable SMBv1 ...
  • Block incoming SMB traffic on port 445 ...

I believe the above answer from MS should answer your question.

JCM

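As an added example (not part of JCM's answer or of Microsoft's report), the following PowerShell applies and then verifies both workarounds listed above on Windows 8 / Server 2012 or later, where the SmbShare and NetSecurity modules exist. The firewall rule name is a constructed value; the LanmanServer\Parameters SMB1 registry value is the one documented in Microsoft's KB2696547 article linked in the comments, and covers systems that lack Set-SmbServerConfiguration.

```powershell
# Added example: apply and verify the two Microsoft workarounds (disable SMBv1,
# block inbound TCP 445). Run in an elevated PowerShell session.
$ruleName = "Block inbound SMB (TCP 445) - WannaCry workaround"   # constructed name

function Disable-Smb1 {
    # Workaround 1: turn off the SMBv1 server protocol. The configuration change
    # applies to new sessions; removing the optional feature needs a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq "Enabled") {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # Registry method from KB2696547, for hosts without the SmbShare cmdlets.
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
        -Name "SMB1" -Type DWORD -Value 0 -Force
}

function Block-InboundSmb {
    # Workaround 2: drop inbound TCP 445 on every firewall profile, so a
    # mis-detected "Private" network does not silently expose the listener.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

function Test-SmbHardening {
    # Report the state a defender wants to see: Smb1Disabled and FirewallRuleOn
    # should both be True. Port445Listening may still be True, because the
    # Server service keeps its socket bound; the firewall rule is what stops
    # remote hosts from reaching it.
    $cfg  = Get-SmbServerConfiguration
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1Disabled     = (-not $cfg.EnableSMB1Protocol)
        FirewallRuleOn   = [bool]($rule -and $rule.Enabled -eq "True" -and $rule.Action -eq "Block")
        Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

Disable-Smb1
Block-InboundSmb
Test-SmbHardening | Format-List
```

The inbound block also stops legitimate clients from reaching this machine's shares, which is the intended effect of the workaround but worth knowing before applying it to a file server.
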
PowerShell:

```powershell
# Disable the direct-hosted SMB transport on TCP 445 (NetBT "SMBDeviceEnabled")
$netBTParametersPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
if (Test-Path -Path $netBTParametersPath) {
    Set-ItemProperty -Path $netBTParametersPath -Name "SMBDeviceEnabled" -Value 0
}
# Stop the Server service (lanmanserver) and keep it from starting at boot
Set-Service lanmanserver -StartupType Disabled
Stop-Service lanmanserver -Force
```

More details: How to disable feature that opened port 445 on Windows by PowerShell

frank
  • Please do not post the same answer to multiple questions. If the same information really answers both questions, then one question (usually the newer one) should be closed as a duplicate of the other. You can indicate this by [voting to close it as a duplicate](https://superuser.com/help/privileges/close-questions) or, if you don't have enough reputation for that, [raise a flag](https://superuser.com/help/privileges/flag-posts) to indicate that it's a duplicate. Otherwise tailor your answer to this question and don't just paste the same answer in multiple places. – DavidPostill May 18 '17 at 07:51
  • I did not ask about how to fix it. I asked about the network protocol that is hijacked and used for propagation of the infection, and if that is indeed the protocol then would shutting it down cripple any attempts to infect via it. – Glitch May 21 '17 at 08:44