Kerry DeVilbiss

SMBv1 Protocol Status (for WannaCry prevention)

The WannaCry ransomware attack has been a topic of much discussion in the last few days - and a source of much consternation for system administrators. One of the attack vectors used by WannaCry to spread is a vulnerability in the SMBv1 protocol commonly included with Windows operating systems.

This embedded PowerShell datasource reaches out to Windows devices in a LogicMonitor account and runs the "Get-SMBServerConfiguration" command (available only in Windows Server 2012 and newer) to see if SMBv1 is enabled. If it is, it will generate a Warning alert for that device (caveat: SMBv1 is enabled by default, so this has the potential to generate A LOT of alerts). We understand that many affected systems will be older than Windows Server 2012 - here is some Microsoft-provided information on how to triage those older operating systems.

The datasource name is SMBv1_Protocol_Enabled and has lmLocator FWJKKX.

Edited by Kerry DeVilbiss
clarity
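
As an added example (not part of the original post and not the datasource's own code), the check described above could look like this in PowerShell. The function name, parameter and output fields are assumptions; the fallback for systems without the cmdlet reads the SMB1 registry value that Microsoft documents for older Windows versions.

```powershell
# Added example: report SMBv1 server state per host. Names here are hypothetical.
function Get-Smb1ServerState {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs on the target host. Uses New-Object so it also works on PowerShell 2.0.
    $probe = {
        if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            # Windows Server 2012 and newer: ask the SMB server directly.
            $enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
            $method  = 'Get-SmbServerConfiguration'
        } else {
            # Older systems: SMB1 DWORD under LanmanServer\Parameters.
            # A missing value means the default, which is enabled.
            $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            $value = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
            $enabled = ($null -eq $value) -or ($value -ne 0)
            $method  = 'Registry'
        }
        New-Object PSObject -Property @{ Smb1Enabled = $enabled; Method = $method }
    }

    foreach ($name in $ComputerName) {
        $state = $null; $err = $null
        try {
            if ($name -eq $env:COMPUTERNAME) {
                $state = & $probe
            } else {
                $state = Invoke-Command -ComputerName $name -ScriptBlock $probe -ErrorAction Stop
            }
        } catch {
            # Unreachable host or access denied: report it rather than guess.
            $err = $_.Exception.Message
        }
        New-Object PSObject -Property @{
            ComputerName = $name
            Smb1Enabled  = if ($state) { $state.Smb1Enabled } else { $null }
            Method       = if ($state) { $state.Method } else { 'None' }
            Error        = $err
        }
    }
}

# Hosts that still accept SMBv1, plus hosts that could not be checked:
Get-Smb1ServerState | Where-Object { $_.Smb1Enabled -or $_.Error }
```

Run it from an elevated session, since Get-SmbServerConfiguration requires administrative rights; remote hosts need PowerShell remoting enabled.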
