SMBv1 Protocol Status (for WannaCry prevention)


Recommended Posts

  • LogicMonitor Staff

The WannaCry ransomware attack has been a topic of much discussion in the last few days - and a source of much consternation for system administrators. One of the attack vectors used by WannaCry to spread is a vulnerability in the SMBv1 protocol commonly included with Windows operating systems.

This embedded PowerShell datasource reaches out to Windows devices in a LogicMonitor account, and runs the "Get-SMBServerConfiguration" command (available only in Windows Server 2012 and newer) to see if SMBv1 is enabled, and if it is, it will generate a Warning alert for that device (caveat: SMBv1 is enabled by default, this has the potential to generate A LOT of alerts.) We understand that many affected systems will be older than Windows Server 2012 - here is some Microsoft-provided information on how to triage those older operating systems. 

The datasource name is SMBv1_Protocol_Enabled and has lmLocator FWJKKX.

Link to post
Share on other sites
  • 2 weeks later...

Archived

This topic is now archived and is closed to further replies.