Critical System Protection

Data Center Security Server Advanced Stops WannaCry 

May 17, 2017 09:32 AM

WannaCry Situation Update

On May 12, 2017, there were multiple public reports of an ongoing large-scale cyberattack involving a variant of the ransomware named WannaCry (aka WCry). These attacks are targeting and have affected users from various countries across the globe.

Am I protected from the WannaCry ransomware?

Symantec Data Center Security: Server Advanced (DCS:SA) IPS provides protection against the WannaCry ransomware. All three levels of the DCS:SA Windows 6.0 policies (Basic, Hardening and Whitelisting) and all three 5.2.9 policies (Limited Execution, Strict and Core) prevent the attack from dropping its malicious executables onto the system.

For more information about WannaCry, go to Symantec's WannaCry Outbreak page.

 

What protections does Symantec provide for our endpoint customers?

There are two basic ways that customers can be protected against this threat:

1. Customers who have installed the Windows security update MS17-010 are not vulnerable to the SMB exploit this threat uses to spread.

2. DCS:SA provides a range of protection against this threat on computers that do not have the patch installed:

  • IPS policies prevent the malware from being dropped or executed on the system.
  • Network rules can block inbound SMB traffic.
  • Where full IPS is not in use, a targeted IPS policy can be applied to block execution of the WannaCry malware.

 

Additional Protection Details

For customer systems that are not using SMB or Windows network file sharing, and especially for externally facing servers, it is best practice to reduce the network attack surface by configuring prevention policy rules to block SMB network traffic. Confirm first that the host does not depend on SMB (for example for file shares, printing or domain membership), because the rules below block it in both directions. The rules are added by editing the Kernel and Global network rules:

 

  • From the Java Console, edit a Windows 6.0 Policy
  • Click Advanced -> Sandboxes
  • Under Kernel Driver Options, click Edit
  • Under Network Controls
  • Add the following Inbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any
  • Add the following Outbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445
  • Navigate back to Home in the Policy Editor
  • Click Advanced -> Global Policy Options
  • Under Network Controls
  • Add the following Inbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any, Program Path: *
  • Add the following Outbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445, Program Path: *
  • Save the Policy
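
As an added check for the procedure above (example code written for this page, not Symantec's product code), the following Python models the eight Deny rules as entered in the policy editor and provides a TCP probe to confirm the ports are no longer reachable. The matching semantics (any matching Deny rule wins, otherwise allow) are an assumption made for the illustration, not a description of the DCS:SA kernel driver; run the probe from a second machine, because loopback connections on the protected host itself may not pass through the same filter.

```python
"""Added example for this page (not Symantec product code).

Models the SMB deny rules entered in the policy editor above and provides a
live TCP probe to confirm they took effect. The matching semantics (any
matching Deny rule wins, otherwise allow) are an assumption made for the
illustration, not a statement about the DCS:SA kernel driver."""
import socket
import sys
from dataclasses import dataclass
from typing import FrozenSet, Optional

BOTH = frozenset({"tcp", "udp"})
TCP = frozenset({"tcp"})


@dataclass(frozen=True)
class Rule:
    direction: str                  # "inbound" or "outbound"
    protocols: FrozenSet[str]       # TCP or BOTH
    local_port: Optional[int]       # None means Any
    remote_port: Optional[int]      # None means Any

    def matches(self, direction, proto, local_port, remote_port):
        return (self.direction == direction
                and proto in self.protocols
                and self.local_port in (None, local_port)
                and self.remote_port in (None, remote_port))


# The eight Deny rules from the procedure: NetBIOS 137-139 on both
# transports and direct-hosted SMB on 445/tcp, inbound (matched on the
# local port) and outbound (matched on the remote port).
SMB_DENY_RULES = (
    [Rule("inbound", BOTH, p, None) for p in (137, 138, 139)]
    + [Rule("inbound", TCP, 445, None)]
    + [Rule("outbound", BOTH, None, p) for p in (137, 138, 139)]
    + [Rule("outbound", TCP, None, 445)]
)


def decide(direction, proto, local_port, remote_port, rules=SMB_DENY_RULES):
    """Return 'deny' if any Deny rule matches the flow, otherwise 'allow'."""
    for rule in rules:
        if rule.matches(direction, proto, local_port, remote_port):
            return "deny"
    return "allow"


def probe_tcp(host, port, timeout=3.0):
    """Live check, run from a second machine: True if a TCP connect to
    host:port succeeds. After the rules are applied, 139 and 445 should
    report False. A refused or filtered port both come back as OSError."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port in (139, 445):
        state = "OPEN" if probe_tcp(target, port) else "blocked/closed"
        print(f"{target}:{port}/tcp -> {state}")
```

Note what the model makes visible: the outbound rules deny the remote port, so a server that is itself an SMB client of a file server loses that access as well, and the 445 rules are TCP only, matching how SMB is actually carried.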

 

 

For additional protection beyond what is delivered out of the box, execution of all known variants of the WannaCry ransomware can be blocked by adding their executable hashes to the Global No-run List. To add a hash to the list:

 

  • From the Java Console, edit a Windows 6.0 Basic or Hardening Policy
  • Click Advanced -> Global Policy Options
  • Under Global Policy Lists, Edit the “List of processes that services should not start [global_svc_child_norun_list]”
  • Click the Add button to add a parameter list entry
  • In the “Entry in parameter list” dialog
    • Enter ‘*’ for the Program Path
    • For File Hash, click the “…” button on the right hand side
    • In the File Hash Editor dialog, click Add
      • Enter either the MD5 or SHA256 hash of the file
      • Click Ok on the File Hash Editor dialog window
    • Click Ok on the Entry in parameter list window
  • Add a parameter list entry for each hash value
  • Save the policy

A hash entry matches only the exact file it was computed from: a repacked or otherwise modified variant has a different hash and is not caught by this list, so keep the IPS policy as the primary control and treat the no-run list as a supplement for the variants already seen.
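
To produce the values the File Hash Editor accepts and to check a host for files that would match the list, here is an added Python example written for this page (not Symantec's code). The no-run list and the files it sweeps are constructed for the demonstration and contain no real WannaCry hashes; the hashes an administrator would actually enter come from Symantec's WannaCry pages.

```python
"""Added example for this page (not Symantec product code).

Computes the MD5 and SHA256 values the File Hash Editor accepts and sweeps a
directory for files whose hash is on a no-run list. SAMPLE_NORUN is a
constructed list for the demonstration; it does not contain real WannaCry
hashes."""
import hashlib
import io
import os
import tempfile


def digests(stream, chunk=1 << 20):
    """Return (md5, sha256) hex digests of a binary stream, read in chunks so
    large executables are not loaded into memory at once."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        md5.update(block)
        sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def bytes_digests(data):
    return digests(io.BytesIO(data))


def file_digests(path):
    with open(path, "rb") as f:
        return digests(f)


def normalize(h):
    """Hex digests pasted into the dialog may be upper or lower case;
    compare everything in one form."""
    return h.strip().lower()


def is_on_norun_list(path, norun_hashes):
    """True if either digest of the file appears on the list, so an entry
    made with MD5 and one made with SHA256 are both honoured."""
    wanted = {normalize(h) for h in norun_hashes}
    return any(d in wanted for d in file_digests(path))


def sweep(root, norun_hashes):
    """Walk root and return the paths of files that would be blocked."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_on_norun_list(path, norun_hashes):
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return sorted(hits)


# Constructed entry: MD5 of the bytes b"abc", pasted in upper case.
SAMPLE_NORUN = ["900150983CD24FB0D6963F7D28E17F72"]


def demo():
    """Create two constructed files in a temp directory and sweep it.
    Returns (hits, path_of_the_file_that_should_be_flagged)."""
    base = tempfile.mkdtemp(prefix="norun_demo_")
    flagged = os.path.join(base, "dropper.exe")
    benign = os.path.join(base, "notepad.exe")
    with open(flagged, "wb") as f:
        f.write(b"abc")
    with open(benign, "wb") as f:
        f.write(b"hello")
    return sweep(base, SAMPLE_NORUN), flagged


if __name__ == "__main__":
    hits, _ = demo()
    for h in hits:
        print("would be blocked:", h, file_digests(h))
```

Running the sweep before the policy is saved tells you whether a flagged binary is already present on the host, which is the case where the no-run list changes behaviour immediately.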

 

What if I am using Symantec Embedded Security: Critical System Protection?

SES:CSP provides protection from WannaCry; see https://support.symantec.com/en_US/article.TECH246385.html for details.

 

For additional information from Symantec regarding the WannaCry ransomware, visit our dedicated WannaCry Ransomware page.
