Your browser is obsolete!

The page may not load correctly.

  • add to favourites
    Add to Bookmarks

Your anti-virus should always be on

Read: 1681 Comments: 3 Rating: 8

It’s an interesting game. You connect an unpatched
Windows PC to the network and wait to see what
gets downloaded faster — the latest update or a virus.

https://geektimes.ru/post/289153

The main reason the WannaCry Trojan has been successful is because of a vulnerability within the SMB v1 protocol (Server Message Block (SMB) version 1). The protocol, used to organize file sharing, allows applications to read and write files and also to request server software services on a computer network, i.e., to exchange data with any server program configured to receive SMB client requests. Using the SMB protocol, an application (or a user) can access a remote server’s files and other resources. Simply put, if you open access to a folder or use shared folders on other computers, the SMB protocol makes that possible.

This protocol exists in three versions. By default support for SMB 1.0 is enabled in Windows 10 and Server 2016 since computers that no longer support Windows XP or Server 2003 may be present in a local network. If no such machines remain in a network, in the current (i.e., supported) versions of Windows, it is desirable to disable the SMB 1.x protocol or to remove the driver completely. This will block attackers from accessing the many vulnerabilities present in this outdated protocol. In this case the shared resources will remain accessible: all the clients trying to access SMB shared files will use the newer and more functional versions of the SMB protocol.

Quite a number of methods can be used to disable support for the outdated protocol (https://support.microsoft.com/ru-ru/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server, http://winitpro.ru/index.php/2017/05/10/otklyuchenie-smb-1-0-v-windows-10-server-2016/). We will cite the simplest one:

  1. Open the Execute menu using the Win+R keyboard shortcut or the Start button.
  2. Input the "cmd" command, and click ОК.
  3. In the command line enter the command dism /online /norestart /disable-feature /featurename:SMB1Protocol

Attention! The command Dism is present in Windows 7 service pack 1 and higher. For earlier systems, you need to edit the registry to close access to the protocol.

Just for the sake of interest, we will cite a list of services that can also be disabled with this command:

Dism /Online /Disable-Feature /FeatureName:FaxServicesClientPackage /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64
Dism /Online /Disable-Feature /FeatureName:MicrosoftWindowsPowerShellV2 /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:MicrosoftWindowsPowerShellV2Root /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:MSRDC-Infrastructure /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:Printing-Foundation-Features /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:Printing-Foundation-InternetPrinting-Client /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:Printing-PrintToPDFServices-Features /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:Printing-XPSServices-Features /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:SearchEngine-Client-Package /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:WCF-TCP-PortSharing45 /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:MediaPlayback /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:WorkFolders-Client /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:Xps-Foundation-Xps-Viewer /Quiet /NoRestart

https://malwaretips.com/threads/how-to-disable-smbv1-in-windows-10-and-windows-server.71475/

I’m afraid that everything will break down and that none of my games will start. I'm not going to do that.

Disabling an obsolete protocol is unlikely to harm those not using outdated corporate systems at home.

However, if anyone is breathing a sigh of relief after installing the updates and removing the old protocol, it is too early to rejoice.

A critical vulnerability (CVE-2017-7494) was found that allows anyone to arrange for code to be executed on a server if they have write access to the storage provided by the server. The vulnerability allows a client to upload a shared library to the SMB storage and then get the server to start loading it. The problem is caused by an error implementing IPC for named pipes for Windows NT clients.

http://www.opennet.ru/opennews/art.shtml?num=46591

In simple words: If you have a writable shared resource, attackers can execute the needed code on the computer with the shared folder. Moreover, while WannaCry implemented a vulnerability that operates only in Windows, and while Linux and Mac owners did not come under attack, the new (not widely known, to be more precise) vulnerability at a minimum affects Linux.

Thus, the story of vulnerabilities goes on.

#Dr.Web #Linux #Windows #anti_virus #security #hack #hacking #Internet #Trojan #encryption_ransomware #ransomware

Dr.Web recommends

Vulnerabilities have existed, do exist, and will continue to exist. Moreover, the latest leaks show that security holes can frequently be used for a long time by a limited number of persons (e.g., the NSA), and you can’t protect yourself against them until they are made public. Security scanners and update installation systems will reassure you that everything's fine. Only an anti-virus can protect against penetration. Only it will react when new files appear in a system—no matter how they manage to smuggle themselves in there.

The main thing is to keep your anti-virus on!

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.

[Twitter]

Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments