AV-Comparatives Blog - Proactive Protection for WannaCry

Discussion in 'other anti-virus software' started by hamlet, May 17, 2017.

  1. Aryeh Goretsky

    Aryeh Goretsky Security Expert

    Joined:
    Apr 4, 2006
    Posts:
    61
    Location:
    United States
    [UPDATE#1: Forgot to add that ESET has some standalone tools to check computers are patched for the CVE-2017-0144 vulnerability:
    The download link for the latter is located in the orange box midway down the page. AG 20170519 09:51PM GMT-8]

    Hello,

    A quick update from ESET's side of things: There's been a lot of information being shared in the news about this particular piece of ransomware, and due to the nature of that, you sometimes see conflicting reports--that's the nature of any fast-paced story where things tend to evolve and change very quickly as new discoveries are made and old assumptions invalidated.

    I think it would be helpful to break this down into two parts, the first being the CVE-2017-0144 vulnerability in the SMBv1 protocol that was patched by Microsoft in MS17-010. The exploit for this vulnerability is commonly referred to as ETERNALBLUE, and was reportedly developed by the NSA and leaked by the ShadowBrokers gang.

    The program code for this exploit is identified by ESET as Win32/Exploit.Equation.EternalBlue.A and is categorized as a trojan. Detection of this trojan is in all ESET desktop and server programs (NOD32, ESET Smart Security, ESET Endpoint and Server programs, etc.) for Windows, Linux and macOS:

    Threat encyclopedia description: Win32/Exploit.Equation.Eternalblue.A
    Threat database detection: 15265 [Apr-24-2017, 22:02 UTC/GMT +02:00]

    Now, if that ETERNALBLUE program code is run, it then generates a malformed packet, which allows for arbitrary code execution. This packet is the actual ETERNALBLUE exploit.

    This packet is categorized as a network threat by ESET and is blocked via the network protection module. It is detected as CVE-2017-0144_eternalblue as of April 24, 2017. The network protection module is in the following ESET programs (and versions):

    ESET Endpoint Security v6
    ESET Smart Security v9 (and newer)
    ESET Internet Security v10
    ESET Smart Security Premium v10

    So, that's the part about the CVE-2017-0144 vulnerability and its ETERNALBLUE exploit.

    The second part of this is the Win32/Filecoder.WannaCryptor.D ransomware, which makes use of the exploit to attack unpatched/unprotected computers. Detection for that was added on May 12th in all of ESET's desktop and server programs. Here are the specifics for that:

    Threat encyclopedia description: Win32/Filecoder.WannaCryptor.D
    Threat database detection: 15404 [May-12-2017, 13:20 UTC/GMT +02:00]
    Cloud database detection: [May-12-2017, 11:26 UTC/GMT +02:00]

    To date, we are still in the process of collecting information about the spread of this ransomware, but so far ESET's US office hasn't received any reports from customers being affected by the CVE-2017-0144 vulnerability or the Win32/Filecoder.WannaCryptor.D ransomware, just lots and lots of questions about it. :)

    Regards,

    Aryeh Goretsky
     
    Last edited: May 20, 2017
  2. PEllis

    PEllis Guest

    Does anyone know how Total Defense IS would do against WannaCry?
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    I'd be very surprised if there was an anti-virus or anti-malware program on the planet that wouldn't detect WannaCry today. The question is how well it detects zero-days on the day.
     
  4. PEllis

    PEllis Guest

    Thanks.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,650
    Hi Aryeh,

    Thank you very much for your posting. Really appreciated!!

    This part I still don't understand. The "network protection module" is also in NOD32. It is in NOD32 (like in the other Eset programs you mentioned). It is, besides of course the "Virus signature database" and the "Rapid Response module", the most frequently updated module in NOD32. I'm confused. I'm just guessing now: is the "network protection module" working in a different way in NOD32 compared to the other programs you mentioned?
    I guess I have to upgrade from NOD32 to ESET Internet Security (after about 15 years using NOD32 ;) ).
     
  7. guest

    guest Guest

    ClamAV :argh:
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Since neither ESET NOD32 Antivirus nor ESET Endpoint Antivirus contain the firewall module, the network protection module in these products is limited to protocols supported by these products, i.e. HTTP(S), IMAP(S) and POP3(S).
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Seriously? :eek:
     
  10. guest

    guest Guest

    Just joking, I didn't even try to verify :p
     
  11. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,629
    Well it may do so unintentionally without a signature for it because of its excessive false positives.
     
  12. guest

    guest Guest

    Hahaha, exactly. I admit I'm biased towards ClamAV, it's my favorite victim :p
     
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,650
    Thank you, Marcos, for explaining it. Really much appreciated !!
     
  14. thanhtai2009

    thanhtai2009 Registered Member

    Joined:
    Feb 16, 2010
    Posts:
    225
    Location:
    Vietnam
    I know at least one: http://www6.cmcinfosec.com/product since they just released a new ransomware-proof tool called CryptoShield (sounds familiar, right? :D) to protect their business users :argh:
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    OK cool, but to me it's more interesting to know that it couldn't detect WannaCry. I mean, what if it had infected the system via user download/install?
     
  16. guest

    guest Guest

    lol never heard of this one, and I am in Vietnam lol, what about BKAV :p
     
  17. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    I have just tested wannacry dropper and it fails to encrypt files set to read only, obviously. So if you have any backups stored on a local computer, setting it read only should protect it.
     
  18. thanhtai2009

    thanhtai2009 Registered Member

    Joined:
    Feb 16, 2010
    Posts:
    225
    Location:
    Vietnam
    A "WannaScanner" available for download here: http://www.bkav.com.vn/Tool/CheckWanCry.exe - Because no one in this industry can ignore this "opportunity" :cool:
     
  19. guest

    guest Guest

    hahahaha , i know what you mean :D
     
  20. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,997
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    o_O That is exactly what it appears to have done since no one can find an e-mail source for it. And even if it was delivered via e-mail, that is still a download.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    FYI - Specific SMB protections provided in Eset Smart Security IDS processing per Eset help documentation:
    Additionally, Eset's IDS allows for blocking of all incoming traffic to admin shares in the SMB protocol, or the ability to selectively disable some or all of the incoming RPC communication over SMB remote connection capability.
     
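    The host-side controls itman describes (blocking unsolicited inbound SMB, taking SMBv1 off the table) can be audited and applied with built-in Windows cmdlets as well. The script below is an added example, not from the thread or from Eset; it assumes Windows 8 / Server 2012 or newer (SmbShare and NetSecurity modules) and an elevated session, and the firewall rule name is this script's own choice.

```powershell
# Audit a Windows host for the SMBv1 exposure that WannaCry's ETERNALBLUE
# component abuses (CVE-2017-0144, patched in MS17-010), and optionally harden it.
# Assumption: Windows 8 / Server 2012 or newer, run as administrator.
param([switch]$Harden)

$RuleName = 'Block inbound SMB (TCP 445)'   # our own rule name, not an Eset or Windows default

function Get-Smb1Exposure {
    $cfg  = Get-SmbServerConfiguration
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    # Is anything actually listening on 445 right now (i.e. the SMB server is reachable)?
    $listening = @(Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue).Count -gt 0
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Port445Listening  = $listening
        Inbound445Blocked = ($null -ne $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
    }
}

function Set-Smb1Hardening {
    # Disable the SMBv1 server side, which is the side ETERNALBLUE targets.
    # Patching via MS17-010 is still required; this only removes the legacy dialect.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Block unsolicited inbound SMB on every firewall profile. Caveat: this also
    # blocks legitimate clients of shares hosted on this machine, so scope it
    # (-RemoteAddress) on file servers rather than applying it blindly.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

$before = Get-Smb1Exposure
Write-Host 'Before:'; $before | Format-List

if ($Harden -and ($before.Smb1ServerEnabled -or -not $before.Inbound445Blocked)) {
    Set-Smb1Hardening
    Write-Host 'After:'; Get-Smb1Exposure | Format-List
}
```

Run it without `-Harden` first to see the current state; the read-only audit is safe on any machine, the hardening step is what changes behaviour.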
  23. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,650
    Thanks itman!!
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Actually, in news reports they mentioned that WannaCry normally gets delivered via email, and if the user runs it, it will be spread via the Windows SMB exploit. So this means that at least one PC would have been infected if ESET was installed, or am I misunderstanding?
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    If you can find a source that has definitively found an e-mail delivering WannaCry, please post it. Initial reports speculated it might be an e-mail delivery. Later reports from sources that had examined their phishing e-mail honeypots stated they couldn't find a trace of WannaCry.
     