New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two

It's Windows 7 x64. I will try to find what's the reason for that in my virtual machine when I get some time.

 

Same here as I just posted in the previous reply.

 

To disable SMB protocol, all versions. For Win 7 / 8.1 / 10:

 

I have tried that what petok posted, some days ago on Win-7. It didn't work, at least on my end for whatever reason. That doesn't have to mean that it will also not work on other systems!
And then I restored a backup image.

 

Guess and hope you are talking to your own scenario only.
This solution works.

 

BTW that MS article "How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server" has last been reviewed now on 20 May 2017 (revision 32). Whether there were changes made on the article, I don't know.
https://support.microsoft.com/en-us...smbv2-and-smbv3-in-windows-and-windows-server

 

Hi Mister X,
Yes, I was only talking about my situation.
I didn't want to offend anyone !!

Edit: I have edited that post to tell that it didn't work on my system, and that that doesn't have to mean that it will also not work on other systems.

 

These attacks are not a surprise at all to me. I'm sure the NSA has been using these exploits for a long time. What I don't understand is why it took so long to discover them.

I warned Eset about how dangerous SMB is, two years ago. The wording for their IDS settings sounded like they were allowing incoming connections by SMB to Admin Shares, Remote Registry, etc..IMO it was a bad description of the settings on Eset's part, but I thought my eyeballs were going to pop out when I looked at the default settings! lol

I don't know why any home user would ever want to allow connections to Admin Shares, Remote Registry, etc., without being prompted, and if they are in Automatic Mode they will not receive prompts. I was informed that, "all non-initiated incoming communication attempts are blocked", but how can you determine that it's not an attacker initiating the connections. I think it would be safer to operate in Interactive Mode. https://forum.eset.com/topic/4693-lots-of-allowed-services-in-esets-firewall/#comment-26923

 

FYI - in Win 10, access to admin shares is automatically denied in non-domain environments. You have to perform a registry hack as noted here: http://www.tomsitpro.com/articles/windows-10-administrative-shares,2-47.html to do so.

 

Yes, on Win 7 too. Remember to runas admin cmd prompt and restart system.



https://support.microsoft.com/en-us...smbv2-and-smbv3-in-windows-and-windows-server

 

It sounds to me that they are monitoring only outbound connection but leave inbound blocking to windows firewall. So if attacker from network would try to exploit SMB flow, it would be blocked by Windows firewall which has incoming packets to SMB ports blocked.
Personally I would probably block it in ESET's settings also.

 

Eset uses it's own packet filter driver, independent of Windows Firewall to monitor inbound, and outbound traffic unless this just recently changed.

 

I was quoting Marcos from forum thread that you posted:

 

Sorry I posted a wrong link. This is correct: https://support.microsoft.com/en-us...smbv2-and-smbv3-in-windows-and-windows-server

Updated on May 19, 2017. Look down at the bottom.
So it's not useless.

 

OK, I got it. So Add/Remove programs method is only available on Windows 8.1 and 10. For Windows 7 sc.exe config is the way to do it.

 

Yes. Anyways, do it in all cases from cmd sc.exe config, no need of add/remove method.

 

Yes, I've done it after not finding it in add/remove section. I didn't know that option was not present on Windows 7 and thought that I somehow removed it when tweaking my system.

 

I know it might be kinda confusing on Windows 7. However you've got your answer now.

HTH.

 

Yes, thanks for clarifying.

 

About the revision of that MS article: already posted in reply 33