Comodo prevents WannaCry ransomware

and a blog i have written explaining how…

https://www.melih.com/2017/05/13/ransomware-prevention-yes-it-is-possible-yes-it-is-affordable/

That’s good to know Melih! For those on here still running Windows XP (and now you see why this is not wise) Microsoft have released a patch for Windows XP (and Windows 8) to close the SMB Server vulnerability that was patched on supported versions of Windows back in March.

See https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

No more than I would expect, which is a good feeling :slight_smile:

The patch prevents spreading within the org, but not point of entry infection and encryption as I understand it, unless you have the SMB ports open to the internet.

The high level of damage is due to the malware’s ability to spread within a network by an SMB exploit. I understand the malware gains entry to the org by someone opening an email attachment or link, though this is being confirmed. Also I suppose if you have SMB exposed onto the internet directly, that would do it too.

Also subject to confirmation, as an alternative to the patch, I understand you can also disable SMB version 1, by a simple registry change and reboot:

I guess this could also be applied across an org via a group policy.

I mention this as MS’s servers were overloaded yesterday. Also this protocol version is, I understand, not much needed nowadays, and disabling it reduces your attack surface.

Tech summaries:

Kind regards

Mouse
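An added PowerShell example of the audit and SMBv1 disable step described in the post above (it is not from Mouse’s post, nor Comodo’s code). It assumes Windows 8.1 / 10 or Server 2012 R2+ for the Smb* and optional-feature cmdlets, and uses the LanmanServer SMB1 registry value that Microsoft documents for older releases; run it from an elevated session.

```powershell
# Added example, not from the thread: audit SMBv1 exposure, then disable it.
# Assumes Windows 8.1 / 10 (or Server 2012 R2+) for the Smb* and Windows*OptionalFeature cmdlets;
# the registry value alone is the documented method for Windows 7 / 2008 R2 and needs a reboot.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    $result = [ordered]@{}
    # Registry view: an absent value means SMB1 is enabled (the default).
    $reg = Get-ItemProperty -Path $regPath -Name 'SMB1' -ErrorAction SilentlyContinue
    $result.RegistryEnabled = if ($null -eq $reg) { $true } else { [bool]$reg.SMB1 }
    # Live server configuration, where the cmdlet exists.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Which interfaces are listening on the SMB / NetBIOS session ports (139, 445)?
    $result.Listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object LocalAddress, LocalPort
    return [pscustomobject]$result
}

function Disable-Smb1 {
    # 1. Registry value (the change the post refers to); takes effect after a reboot.
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    Set-ItemProperty -Path $regPath -Name 'SMB1' -Type DWord -Value 0
    # 2. Live server configuration, effective immediately where the cmdlet exists.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # 3. Remove the optional feature (Windows 8.1 / 10), which covers the client side too.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
    }
}

Write-Host 'Before:'; Get-Smb1Status | Format-List
Disable-Smb1
Write-Host 'After:';  Get-Smb1Status | Format-List
```

The same registry value can be pushed across an org with a Group Policy registry preference; SMB2/3 are untouched by any of the three steps.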

Oh man ! Just got a pop-up announcement from CIS… to be honest it gave me a scare for a second there. I mean some red with black stuff with WannaCry in the middle… the first second there, my heart probably skipped a beat. My dear Melih, please don’t do that ;D. Ok, gonna go watch the video and read what you posted now.

P.S… didn’t like not having the option to postpone and/or manually update my Windows 10 when I want… now I’m starting to reconsider that.

Good to know that comodo’s auto-containment is protecting our files. :-TU

As I know WannaCrypt also has worm capability to spread itself through networks, can Comodo’s firewall capability (in safe mode) prevent WannaCrypt from entering a PC?

The firewall will block both direct connections made by WannaDecryptor as well as attempted TOR connections by taskhsvc. In Safe Mode you will get alerts, with my settings they will be blocked silently.

Note that blocking port 80 outbound for unknowns will disable the current fix that has been found.

So if you are infected already this makes things a little complicated.

You will probably have defined your local network as a trusted zone - CIS does this on installation - depending on version via the network pop-up?

Hmm this is interesting:

“This chapter previously stated that we were in the process of verifying if phishing e-mails were also an infection vector for the WanaCry ransomware. Thus far Fox-IT has found no evidence that any phishing e-mails were related to this specific ransomware outbreak, and we have therefore removed the related indicators from this blog.”

Do all these orgs really have SMB ports open?

Good FAQ:
https://blog.fox-it.com/2017/05/13/faq-on-the-wanacry-ransomware-outbreak/

Some SMB ports:
Directly over TCP, port 445;[5]
Via the NetBIOS API, which in turn can run on several transports:[6]
On UDP ports 137, 138 & TCP ports 137, 139 (NetBIOS over TCP/IP);
On several legacy protocols such as NBF, IPX/SPX.

WannaCry - New Variants Detected!

https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e

IMO the best way to stay safe is:

  1. Apply Windows updates as soon as they become available. Always.

  2. Install CIS, learn how to configure it so that you can be sure that it’s providing the protection you expect.

  3. Never ever click on any link in any email, no matter who it appears to be from. Always open your browser, visit the website involved and navigate to whatever you need to do from there.

  4. Never ever ignore TLS certificate warning messages. Check and double check that you are on the correct site and if you really must continue then start your browser in containment.

  5. This one will upset many…stop using social media. Period.

the standard proactive settings is good enough for this?

Yes, as I understand it they are. If you want to be double sure switch to proactive config.

that is what i meant. :slight_smile:

Apologies, just to clarify. Default settings should protect, proactive is belt and braces.

Is it necessary to keep Auto-Containment enabled? If it is disabled is it risky or not?

I have tried it. It doesn’t work. The installation fails. Incompatibility of version.

It will probably only work on the last XP service pack. Did you find the right file?

Alternatively, and even more effective in some ways, disable the SMB1 protocol. See my post above for a link. SMB1 is hardly used at all nowadays. Do not disable SMB2 or 3 as you may need them.