What is the implication of MS17-010 patch and SMBv1 deactivation related to WannaCry? Does it remove the malware or just stop it from propagating?

I googled a lot about this but could not find the answer.

I would like to understand if patching Windows with the MS17-010 update will prevent WannaCry malware from installing/executing or just prevent the malware (once installed on a certain PC and therefore infecting it) from propagating through the intranet?

Also, if the MS17-010 patch is properly installed, are there any benefits from disabling SMBv1 too? Or can the MS17-010 patch itself be considered enough?

Last question/doubt: before disabling SMBv1, how can I be sure that this will not affect network performance/reliability?

Antony

Posted 2017-05-20T08:59:40.430

Reputation: 193

Official word from Microsoft's storage team regarding SMBv1: Stop using SMBv1.

– user1686 – 2017-05-20T11:14:18.527

Thank you @grawity, that definitely clarified my doubts about disabling SMBv1. – Antony – 2017-05-20T11:31:31.960

Answers

First, a little preface. The MS17-010 patch is included in all the update rollups for Windows 7, 8.1 and 10 from March onwards. So if you have the April or May (or newer) rollup updates installed, you don't need (and won't have installed) the specific KB-number linked to the MS17-010 patch.

However, if you've elected to install only security-only updates, then you will specifically need to have the March one installed. Unless you've specifically chosen this path, you should be on the rollups. Safest bet is just to let Windows update everything until it says it's up to date.

This is actually the case for all security patches now, not just this one.

will prevent WannaCry malware from installing/executing

The MS17-010 patch does nothing to stop the ransomware itself. If you download the exe and run it, it'll still do its thing and encrypt your files. For example, the primary infection vector on most networks was through email attachments, IIRC. This is nothing new for ransomware.

However, the worm portion of the program is what facilitates its spread through networks. This attacks the SMBv1 implementation on the destination computer, i.e. the computer the worm is spreading to, not from. Therefore, the MS17-010 patch must be installed on every Windows machine on the network.

Generally, NAT or firewalls at the network edge prevent spread through the internet.

just prevent the malware (once installed on a certain PC and therefore infecting it) from propagating through the intranet

The patch does nothing to help an already-infected computer. It's only useful if installed on the other non-infected computers on the network.

are there any benefits of disabling SMBv1 too?

Not directly for WannaCry/EternalBlue, as the MS17-010 patch fixes this particular hole. However, defense in depth would suggest disabling SMBv1 anyway unless you need it, as it reduces the attack surface and minimises damage should there be another currently-unknown SMBv1 bug. Given that Vista and newer support SMBv2, there should be no need to keep SMBv1 enabled unless you need to share files with XP. I hope that's not the case.

before disabling SMBv1, how to be sure that this will not affect network performance/reliability?

The most obvious effect is you will no longer be able to use Windows file sharing with any XP systems.

As per the link grawity posted and the comments there, this might prevent your computer from showing up in or using the "network" list. You can still access other computers by typing in \\computername, and see them listed using homegroups (or Active Directory in a business environment).

The other exception, as called out in that blog post, is that older network photocopiers/scanners with "scan to share" functionality might not support a modern SMB protocol.

Bob

Posted 2017-05-20T08:59:40.430

Reputation: 51 526
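As an added example (not part of Bob's answer), this PowerShell script does the "is anything still using SMBv1?" check the last question asks for, before the protocol is switched off. It assumes an elevated session on Windows 8.1/10 or Server 2012 R2 and newer, where the SmbShare cmdlets are available (Windows 7 lacks them); the SMB1 access-audit step only exists on Windows 10 1709 / Server 2016 and later.

```powershell
# Added example: inventory SMBv1 use on this host before disabling the protocol.
# Assumes an elevated PowerShell on Windows 8.1/10 or Server 2012 R2+ (SmbShare module present).

# 1. Current server-side protocol state on this machine.
$cfg = Get-SmbServerConfiguration
$cfg | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AuditSmb1Access | Format-List

# 2. Inbound: sessions other machines currently hold against this host.
#    A negotiated dialect of 1.x means that client will break once SMB1 is disabled.
$smb1Sessions = Get-SmbSession | Where-Object { $_.Dialect -like '1.*' }
if ($smb1Sessions) {
    Write-Warning 'Clients currently talking SMBv1 to this host:'
    $smb1Sessions | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table -AutoSize
} else {
    Write-Host 'No active inbound SMBv1 sessions.'
}

# 3. Outbound: shares this machine is connected to (e.g. an old NAS or scanner share).
$smb1Connections = Get-SmbConnection | Where-Object { $_.Dialect -like '1.*' }
if ($smb1Connections) {
    Write-Warning 'Servers we reach only over SMBv1:'
    $smb1Connections | Select-Object ServerName, ShareName, Dialect | Format-Table -AutoSize
} else {
    Write-Host 'No active outbound SMBv1 connections.'
}

# 4. Live sessions are only a snapshot, so enable SMB1 access auditing where supported
#    (Windows 10 1709+ / Server 2016+) and leave it on for a week or two. Each SMB1
#    negotiation is logged as event 3000 in Microsoft-Windows-SMBServer/Audit with the
#    client address, which is the list of devices to upgrade or replace.
if ($cfg.PSObject.Properties['AuditSmb1Access']) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 3000 } |
        Select-Object TimeCreated, Message | Format-Table -Wrap
}

# 5. Only when steps 2-4 come back empty: disable SMB1 on this host (uncomment to apply).
#    The second line removes the SMB1 feature entirely, which also covers the client side.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Run it on every file server and on a sample of workstations, since the question's XP hosts and "scan to share" devices will only show up on the machines they actually connect to.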

Thank you very much Bob. As I understand it, both the MS17-010 patch and SMBv1 deactivation are useful to prevent another PC on the same network from infecting mine. So what approach could be used to detect WannaCry (or similar) in time to prevent it from installing on my PC directly (e.g. from a mail attachment)? Is Malwarebytes or any other up-to-date antivirus program enough? Is there a specific utility you would advise? – Antony – 2017-05-20T11:23:48.213

@Antony Unfortunately, there isn't any way to cover all bases. A real-time antivirus program would give you some level of protection, but I believe the only good solution is to have the user be careful of what they open - at the end of the day, those emails are an attack via the human. And, of course, having backups (disconnected from the PC, e.g. on a portable HDD, or Crashplan/Backblaze if your internet connection is good enough) will help you recover from such an attack if one happens to get in by a different bug. – Bob – 2017-05-20T11:35:02.167

@Antony Just to be clear - antivirus/malware programs are useful against known attacks they recognise a signature for, but will take some time before they can detect the newest attack. There's also heuristic-based detection but that's unreliable. – Bob – 2017-05-20T11:36:29.873