Disclaimer: SciVision and Michael Hirsch, Ph.D. provide these links and information to raise community awareness for qualified information security professionals, without liability for incorrectness or incompleteness of this information. Blindly copying and pasting commands can lead to drastic personal and corporate loss of information and availability.
You should refer to the Microsoft WannaCry Critical Security Bulletin MS17-010, Microsoft Malware Protection Center on WannaCry and Microsoft TechNet blog post.
Per Microsoft, WannaCry attacks SMBv1 servers. The sections below disable the SMBv1 protocol following Microsoft's procedures. Note that PCs simply sitting unattended and unused by humans can be infected by WannaCry attacking SMBv1 on port 445. Unattended PCs with SMBv1 reachable on local networks are particularly hazardous, as shown by the healthcare and industrial facilities that were disabled.
disable SMBv1 server
This is the service WannaCry attacks. Disabling it is not a substitute for patching: you must also patch your system.
Disable SMBv1 server by:
run from PowerShell as Administrator
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
reboot the PC
disable SMBv1 Client
Disable SMBv1 client by:
run from Command Prompt as Administrator:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
reboot the PC
Verify System Patches
This technique has the weakness that each operating system version has its own KB numbers, so you need to run it separately for each operating system version. Consider scripting it to try several KB numbers and return a success code for further automation. The KB numbers are obtained from the Microsoft Security Bulletin.
Here’s an example for Windows 7 64 bit from Command Prompt as Administrator:
dism /online /get-packages | findstr KB4012212
dism /online /get-packages | findstr KB4012215
If it’s installed, a message is printed starting with
Package Identity :
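The following script is an added example, not the original post's code. Run from PowerShell as Administrator, it checks all three items the sections above cover (the SMBv1 server registry value, the mrxsmb10 client driver start type, and whether an MS17-010 package is installed) and exits non-zero when any check fails, which is the scripted form of the patch check suggested above. The default KB list is the Windows 7 64-bit pair from the post; the registry Start value of 4 for a disabled driver and the Get-HotFix fallback are assumptions about the platform, not from the post.

```powershell
# Added example (not from the original post). Run as Administrator.
# Exit code 0 only when SMBv1 server and client are disabled and an
# MS17-010 package is present; otherwise exit code 1.
# Default KB numbers are the Windows 7 x64 ones from the post; pass the
# numbers for your OS version from the Microsoft Security Bulletin.
param(
    [string[]]$KB = @('KB4012212', 'KB4012215')
)

$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# SMBv1 server: disabled when LanmanServer\Parameters\SMB1 is DWORD 0
# (the value the post sets). A missing value means the default, enabled.
$srv = Get-ItemProperty -Path "$svc\LanmanServer\Parameters" -ErrorAction SilentlyContinue
$serverDisabled = ($null -ne $srv) -and ($srv.SMB1 -eq 0)

# SMBv1 client: "sc config mrxsmb10 start= disabled" sets the driver's
# Start value to 4 (SERVICE_DISABLED); assumption: read it back from the registry.
$cli = Get-ItemProperty -Path "$svc\mrxsmb10" -ErrorAction SilentlyContinue
$clientDisabled = ($null -ne $cli) -and ($cli.Start -eq 4)

# Patch: same DISM package listing the post uses, searched for each KB,
# plus Get-HotFix as a fallback for updates DISM reports differently.
$packages = (& dism.exe /online /get-packages 2>&1 | Out-String)
$hotfixes = Get-HotFix | ForEach-Object { $_.HotFixID }
$foundKB = $KB | Where-Object {
    ($packages -match [regex]::Escape($_)) -or ($hotfixes -contains $_)
}

Write-Output ("SMBv1 server disabled : {0}" -f $serverDisabled)
Write-Output ("SMBv1 client disabled : {0}" -f $clientDisabled)
Write-Output ("MS17-010 package found: {0}" -f $(if ($foundKB) { $foundKB -join ', ' } else { 'none' }))

if ($serverDisabled -and $clientDisabled -and $foundKB) { exit 0 } else { exit 1 }
```

Save it as a .ps1 file and call it with -KB followed by the list for the machine's OS version; a reboot is still required after changing the SMBv1 settings before the client check reflects the running state.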
As a general rule, I set Windows computers to have Network configuration as below. This disables network file shares, network printing, etc., which is fine for me since I only use Windows computers when forced to for isolated instrumentation. This alone won’t protect you from WannaCry, but is a general practice I take on.