SMBv1 Protocol Status (for WannaCry prevention)

  • LogicMonitor Staff

The WannaCry ransomware attack has been a topic of much discussion in the last few days - and a source of much consternation for system administrators. One of the attack vectors used by WannaCry to spread is a vulnerability in the SMBv1 protocol commonly included with Windows operating systems.

This embedded PowerShell datasource reaches out to Windows devices in a LogicMonitor account and runs the "Get-SMBServerConfiguration" command (available only in Windows Server 2012 and newer) to see if SMBv1 is enabled. If it is, it will generate a Warning alert for that device (caveat: SMBv1 is enabled by default, so this has the potential to generate A LOT of alerts). We understand that many affected systems will be older than Windows Server 2012 - here is some Microsoft-provided information on how to triage those older operating systems.

The datasource name is SMBv1_Protocol_Enabled and has lmLocator FWJKKX.

Edited by Kerry DeVilbiss
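
The check described in the post above, as an added example (not the SMBv1_Protocol_Enabled datasource's own code and not part of the original post). It goes one step beyond the post by falling back to the LanmanServer `SMB1` registry value that Microsoft documents for systems without `Get-SmbServerConfiguration`; the function name, the `key=value` output lines and the 1/0/-1 encoding are assumptions made for this example.

```powershell
# Added example: report whether the SMBv1 server protocol is enabled locally.
# Assumed encoding: 1 = enabled, 0 = disabled, -1 = could not be determined.
function Get-Smb1ServerStatus {
    [CmdletBinding()]
    param()

    # Windows Server 2012 / Windows 8 and newer provide this cmdlet.
    # It needs an elevated session; on failure we fall through to the registry.
    if (Get-Command -Name Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        try {
            $cfg = Get-SmbServerConfiguration -ErrorAction Stop
            return [pscustomobject]@{
                Source      = 'Get-SmbServerConfiguration'
                Smb1Enabled = [int][bool]$cfg.EnableSMB1Protocol
            }
        } catch {
            Write-Verbose "Get-SmbServerConfiguration failed: $_"
        }
    }

    # Older systems: SMB1 DWORD under the LanmanServer parameters key.
    # When the value is absent, the OS default applies, which is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    try {
        $props = Get-ItemProperty -Path $key -ErrorAction Stop
        $value = $props.PSObject.Properties['SMB1']
        $enabled = if ($null -eq $value) { 1 } else { [int]($value.Value -ne 0) }
        return [pscustomobject]@{ Source = 'Registry'; Smb1Enabled = $enabled }
    } catch {
        # Key unreadable: report unknown rather than guessing.
        return [pscustomobject]@{ Source = 'Unknown'; Smb1Enabled = -1 }
    }
}

# Emit one key=value pair per line so a monitoring collector can parse it.
$status = Get-Smb1ServerStatus
"Smb1Enabled=$($status.Smb1Enabled)"
"Source=$($status.Source)"
```

A value of -1 is worth alerting on separately from 1, since it means the host could not be assessed rather than that it is safe.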