The Anti-virus Times

Monday, February 5, 2018

I am particularly interested in the topic of
shared folders. If I use Dr.Web and an infected
computer capable of modifying files in my
shared folder connects to it, will Dr.Web
protect my system?

A comment left on the issue An anti-virus
should always be toggled on

A bit of history The SMB protocol, which facilitates access to shared folders in Windows, was designed by Microsoft. Because the idea of sharing data proved to be worthwhile, the SMB was later adopted by other operating systems. For example, the software package facilitating access to shared folders under Linux is called Samba. And access to folders of this kind is protected by Dr.Web for Unix Server (Samba).

No similar product exists to protect shared folders under Windows—it’s simply not needed. As a matter of fact, Dr.Web anti-viruses for Windows (including Dr.Web Security Space) protect the entire system (unless the user excludes some of its components from scanning) and don't discriminate between shared folders and other directories. Files that appear in shared folders (e.g., copied by users over a network) are scanned just like any other files. Dr.Web Security Space provides sufficient protection from malicious files that can potentially be written into shared folders.

However, Linux Free BSD and other similar operating systems operate in a different fashion. Samba operates independently of other modules. That's why Dr.Web for Unix Server (Samba) only protects files being written or read from shared folders, nothing more. Another product must be used to protect other files on the server or PC.

Why are shared folders dangerous? Their very existence alone poses a threat, and the fact that they appeared a long time ago only makes things worse. Because the SMB protocol’s development has always been ongoing, the first version of it is now considered obsolete, and no vulnerability patches are released for it. Yet in Windows the option to create shared folders is enabled by default: the corresponding services operate and ports remain open—the computer can readily access shared folders on other machines and devices. These include legacy systems which use obsolete versions of the protocol. Thus your machine can be accessed over a protocol containing vulnerabilities. It is ready to receive malicious files, and you are completely unaware of it. Someone was bound to discover a vulnerability of this kind, and eventually that happened. That's how the WannaCry outbreak began.

We already mentioned that anti-viruses intercept all the files that appear in shared folders. More precisely, they intercept everything arriving on a computer, including data received over the SMB. And the WannaCry outbreak proved just that. No user whose system was protected by Dr.Web was affected by the infection—the anti-virus exposed all the new files penetrating systems via the loophole.