SMBv1 WannaCry Detection and Mitigation

Disclaimer: SciVision and Michael Hirsch, Ph.D. provide these links and information to raise community awareness for qualified information security professionals, without liability for incorrectness or incompleteness of this information. Blindly copying and pasting commands can lead to drastic personal and corporate loss of information and availability.

You should refer to the Microsoft WannaCry Critical Security Bulletin MS17-010, Microsoft Malware Protection Center on WannaCry and Microsoft TechNet blog post.

Per Microsoft, WannaCry attacks SMBv1 servers. The sections below disable the SMBv1 protocol following Microsoft's procedures. Note that PCs simply sitting unattended and unused by humans can be infected, with no user action, by WannaCry attacking SMBv1 on port 445. The exposure of unattended PCs' SMBv1 to attack on local networks is particularly hazardous, as shown by healthcare and industrial facilities being disabled.

disable SMBv1 server

The SMBv1 server is the component WannaCry exploits. Disabling it is not a substitute for patching; you must also patch your system (see Verify System Patches below).

Disable SMBv1 server by:

  1. run from PowerShell as Administrator

     Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
    
  2. reboot the PC

disable SMBv1 Client

Disable SMBv1 client by:

  1. run from Command Prompt as Administrator:

     sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

     sc.exe config mrxsmb10 start= disabled
    
  2. reboot the PC
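The two procedures above (disable SMBv1 server, disable SMBv1 client) combined into one script that applies the same registry value and sc.exe changes and then reads each setting back. This is an added example, not part of the original post or Microsoft's procedure; it assumes you run it from an elevated PowerShell session and reboot afterwards.

```powershell
# Added example (not from the original post): disable the SMBv1 server and
# client exactly as the two procedures above do, then verify each change.
# Run from PowerShell as Administrator; a reboot is still required afterwards.

$ErrorActionPreference = 'Stop'

# Refuse to continue unless elevated: the registry key and service
# configuration are only writable by Administrators.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

function Disable-Smb1Server {
    # Server side: LanmanServer honours the SMB1 DWORD under its Parameters key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    # Read back and report whether the value now says "disabled".
    return ((Get-ItemProperty -Path $key -Name SMB1).SMB1 -eq 0)
}

function Disable-Smb1Client {
    # Client side: drop mrxsmb10 from the workstation service's dependencies
    # and stop the SMB1 redirector driver from starting at all.
    # 'sc' is an alias for Set-Content in PowerShell, so call sc.exe explicitly.
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config lanmanworkstation failed: $LASTEXITCODE" }
    & sc.exe config mrxsmb10 start= disabled | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config mrxsmb10 failed: $LASTEXITCODE" }

    # Read back: START_TYPE 4 is DISABLED, and mrxsmb10 must no longer appear
    # in the workstation service's dependency list.
    $qc = & sc.exe qc mrxsmb10
    $disabled = (($qc -join "`n") -match 'START_TYPE\s*:\s*4')
    $deps = & sc.exe qc lanmanworkstation
    $noSmb1Dep = -not (($deps -join "`n") -match 'mrxsmb10')
    return ($disabled -and $noSmb1Dep)
}

$serverOk = Disable-Smb1Server
$clientOk = Disable-Smb1Client

"SMBv1 server disabled in registry : $serverOk"
"SMBv1 client driver disabled      : $clientOk"
if ($serverOk -and $clientOk) {
    'Reboot the PC for the changes to take effect.'
} else {
    throw 'One or more settings did not apply; check the output above.'
}
```

The read-back step matters: sc.exe returns exit code 0 even when a later reboot is still needed, so the script checks the stored start type and dependency list rather than trusting the command's success alone. The registry value only controls the server; the sc.exe changes only control the client, which is why both are applied.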

Verify System Patches

This technique has the weakness that each operating system version has its own KB numbers, so you need to run it separately for each operating system version. Consider scripting this to try several KB numbers and return an exit code on success for further automation. The KB numbers are obtained from the Microsoft Security Bulletin.

Here’s an example for Windows 7 64 bit from Command Prompt as Administrator:

dism /online /get-packages | findstr KB4012212

dism /online /get-packages | findstr KB4012215

If the update is installed, a line starting with "Package Identity :" is printed; if nothing is printed, that package is not installed.
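The scripted version suggested above, as an added example that is not part of the original post: it runs the same dism query, collects every KB number found on "Package Identity" lines, and exits 0 if any of the expected KBs is present, 1 otherwise. The only KB numbers hard-coded are the two Windows 7 64-bit numbers from the post; the list is a parameter so you can pass the numbers for the other operating system versions you manage, taken from the Microsoft Security Bulletin.

```powershell
# Added example (not from the original post): check whether any of a set of
# MS17-010 packages is installed via "dism /online /get-packages", and set a
# process exit code so other automation can branch on the result.
# Run from PowerShell as Administrator. Default list: the two Windows 7 x64
# numbers given in the post; pass -KBs with the numbers for your OS versions.
param(
    [string[]]$KBs = @('KB4012212', 'KB4012215')
)

function Get-InstalledPackageKBs {
    # Parse lines of the form
    #   Package Identity : Package_for_KB4012212~...~amd64~~6.1.1.2
    # into a set of KB identifiers. Note: dism's labels are localized, so the
    # "Package Identity" match assumes an English Windows installation.
    $lines = & dism.exe /online /get-packages 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dism failed with exit code $LASTEXITCODE (are you running as Administrator?)"
    }
    $found = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($line in $lines) {
        if ("$line" -match '^\s*Package Identity\s*:\s*(.+)$') {
            foreach ($m in [regex]::Matches($Matches[1], 'KB\d{6,7}')) {
                [void]$found.Add($m.Value.ToUpper())
            }
        }
    }
    return $found
}

function Test-PatchInstalled {
    # Return the subset of $Expected that is actually installed.
    param([string[]]$Expected)
    $installed = Get-InstalledPackageKBs
    return @($Expected | Where-Object { $installed.Contains($_.ToUpper()) })
}

$hits = Test-PatchInstalled -Expected $KBs
if ($hits.Count -gt 0) {
    Write-Output ("Expected package present: " + ($hits -join ', '))
    exit 0
} else {
    Write-Output ("None of the expected packages found: " + ($KBs -join ', '))
    exit 1
}
```

Because Windows 7 ships both a security-only update and a monthly rollup for the same bulletin, either of the two KBs counts as patched, which is why the script looks for any match rather than requiring all of them. Run it per machine and per OS version with the matching KB list; a non-zero exit code marks a host that still needs the update.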

Notes

As a general rule, I set Windows computers to have Network configuration as below. This disables network file shares, network printing, etc., which is fine for me since I only use Windows computers when forced to for isolated instrumentation. This alone won’t protect you from WannaCry, but is a general practice I take on.

Figure: Windows 7 network services config. This disables network printers and file servers.
