wanna cry ransomware patch for samba-4.5.5

L.P.H. van Belle belle at bazuin.nl
Mon May 15 10:12:06 UTC 2017


Hi, 

Not really a question for samba technical, but I can share this.

No need for setting things on samba, that won't help a lot. 
Below is my setup and it's just how you configure your PCs. 

This and almost all other "malware" is EASY to block, but it will have an impact on how you work. 
First, start with: NEVER work/run as a user with administrator rights. 
If one needs it, then no internet option. 

I did the following. 
On Windows, disable wscript, VBS and PowerShell scripting. 
Or select a few; I did keep PowerShell for my convenience. 

If you use MS Office, disable macros and VBS scripting. 
( I don't even install macro and VBS support in MS Office. ) 

Windows GPO settings.  ( software restrictions, extra rules ) 
These are my "crypto" settings, enforce these on your computers.
( there may be some Dutch words in these; questions, just ask ) 

%AppData%\*.exe 
Security Level Not allowed
Description Prevent programs from running in AppData 
Last modified on 1-7-2015 16:36:47 
 
%AppData%\*\*.exe 
Security Level Not allowed
Description Prevent virus payloads from executing in subfolders of AppData  
Last modified on 1-7-2015 16:37:07 
 
%AppData%\Microsoft\Windows\Templates\*.exe 
Security Level Not allowed
Description  
Last modified on 2-5-2017 14:01:58 
 
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% 
Security Level Unlimited 
Description  
Last modified on 1-7-2015 16:35:19 
 
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% 
Security Level Unlimited 
Description  
Last modified on 1-7-2015 16:35:19 
 
%LocalAppData%\Temp\*.exe 
Security Level Not allowed
Description  
Last modified on 2-5-2017 13:59:16 
 
%LocalAppData%\Temp\*.zip\*.exe 
Security Level Not allowed
Description Prevent unarchived executables in email attachments from running in the user space 
Last modified on 1-7-2015 16:39:21 
 
%LocalAppData%\Temp\7z*\*.exe 
Security Level Not allowed
Description Prevent un-7Zipped executables in email attachments from running in the user space  
Last modified on 1-7-2015 16:39:06 
 
%LocalAppData%\Temp\Rar*\*.exe 
Security Level Not allowed
Description Prevent un-WinRARed executables in email attachments from running in the user space  
Last modified on 1-7-2015 16:38:59 
 
%LocalAppData%\Temp\wz*\*.exe 
Security Level Not allowed
Description Prevent un-WinZIPed executables in email attachments from running in the user space 
Last modified on 1-7-2015 16:39:14 
 
C:\ProgramData\Adobe\ARM\S\*\AdobeARMHelper.exe 
Security Level Unlimited 
Description Exception Adobe Update Helper 
Last modified on 26-10-2015 14:54:58 
 
C:\ProgramData\Adobe\Setup\* 
Security Level Unlimited 
Description Exception Adobe cache setup locations: C:\ProgramData\Adobe\Setup\*\setup.exe 
Last modified on 26-10-2015 14:56:53 
 
C:\ProgramData\Citrix\Citrix Receiver\TrolleyExpress.exe 
Security Level Basic User 
Description Exception Citrix: C:\ProgramData\Citrix\Citrix Receiver\TrolleyExpress.exe 
Last modified on 26-10-2015 14:54:00 
 
C:\ProgramData\Oracle\Java\javapath\*.exe 
Security Level Basic User 
Description Exception Java exe 
Last modified on 26-10-2015 14:57:27 
 
C:\ProgramData\Package Cache\*\*.exe 
Security Level Unlimited 
Description Exception C:\ProgramData\Package Cache\*\*.exe  
Last modified on 26-10-2015 14:52:58 
 

Acrobat Reader.  This one is very important. 
http://www.grouppolicy.biz/2012/10/how-to-configure-group-policy-for-adobe-reader-xi/ 
Get the Adobe Reader GPO settings, and install them in the network GPO folder. 
You must set ( see picture there ) Enable Acrobat JavaScript DISABLE    <<<<< VERY VERY IMPORTANT ONE. 
This is one of the most used leaks; through a PDF they get files from the internet. 

Enforce everything over a proxy if you have one and monitor your outgoing traffic. 

Block these kinds of e-mails; really, I got 1 crypto attempt since Friday. 
All others are blocked. 

If you use Postfix as mail relay, read: http://www.postfix.org/POSTSCREEN_README.html 
If you set up postscreen like this, it stops about 95% of all problems. 
Add this part. 
https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre 
Again, questions, just ask.

### Before-220 tests (postscreen / DNSBL)
postscreen_greet_banner         = $myhostname, checking blacklists, please wait.
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
postscreen_access_list          =
    permit_mynetworks,
    cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
    pcre:/etc/postfix/pcre/fqrdns-max.pcre,
    pcre:/etc/postfix/pcre/fqrdns-plus.pcre,
    pcre:/etc/postfix/pcre/fqrdns.pcre
postscreen_dnsbl_reply_map      = pcre:/etc/postfix/pcre/postscreen_dnsbl_reply_map.pcre
postscreen_blacklist_action     = drop
postscreen_dnsbl_action         = enforce
postscreen_greet_action         = enforce
postscreen_dnsbl_ttl            = 2h
postscreen_dnsbl_threshold      = 4
postscreen_dnsbl_sites =
        b.barracudacentral.org*4
        bad.psky.me*4
        zen.spamhaus.org*4
        dnsbl.cobion.com*2
        bl.spameatingmonkey.net*2
        fresh.spameatingmonkey.net*2
        dnsbl.anonmails.de*2
        dnsbl.kempt.net*1
        dnsbl.inps.de*2
        bl.spamcop.net*2
        dnsbl.sorbs.net*1
        spam.dnsbl.sorbs.net*2
        rbl.rbldns.ru*2
        psbl.surriel.com*2
        bl.mailspike.net*2
        rep.mailspike.net=127.0.0.[13;14]*1
        bl.suomispam.net*2
        bl.blocklist.de*2
        ix.dnsbl.manitu.net*2
        dnsbl-2.uceprotect.net
        hostkarma.junkemailfilter.com=127.0.0.3
        hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
        # whitelists
        swl.spamhaus.org*-4
        list.dnswl.org=127.0.[0..255].[2;3]*-1
        rep.mailspike.net=127.0.0.[17;18]*-1
        rep.mailspike.net=127.0.0.[19;20]*-2
        hostkarma.junkemailfilter.com=127.0.0.1*-1


And next to all this, use an antivirus on the PC; I use Trend Micro in my office. 
Set heuristic scanning high and enable behaviour monitoring. 

For all of the above, of course, use at your own risk. 
( PS: I excluded my proxy setup; if you want info about that also, let me know. ) 
But that is a bit more complex to explain how to set up.



Good luck, 

Louis
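As an added example (not from Louis's mail, nor Postfix's own code), a small Python model of how postscreen combines the weighted postscreen_dnsbl_sites entries above against postscreen_dnsbl_threshold = 4, so you can check what a given set of DNSBL answers would do before you enforce it. The DNSBL answers are constructed for the example, not real lookups; the entry syntax handled is the name[=filter]*weight form shown in the config.

```python
import re

# Subset of the postscreen_dnsbl_sites list from the mail (constructed sample).
# Syntax: name[=filter]*weight; weight defaults to 1, no filter means any A record counts.
SITES = """
zen.spamhaus.org*4
bl.spamcop.net*2
psbl.surriel.com*2
dnsbl-2.uceprotect.net
rep.mailspike.net=127.0.0.[13;14]*1
hostkarma.junkemailfilter.com=127.0.0.3
# whitelists
swl.spamhaus.org*-4
list.dnswl.org=127.0.[0..255].[2;3]*-1
"""
THRESHOLD = 4  # postscreen_dnsbl_threshold from the mail


def parse_site(entry):
    """Split 'name[=filter]*weight' into (name, filter_or_None, weight)."""
    weight = 1
    if "*" in entry:
        entry, w = entry.rsplit("*", 1)
        weight = int(w)
    name, _, flt = entry.partition("=")
    return name, flt or None, weight


def octet_matches(pattern, value):
    """Match one filter octet: a literal, a [a;b;c] list or a [lo..hi] range."""
    if pattern.startswith("["):
        body = pattern[1:-1]
        if ".." in body:
            lo, hi = body.split("..")
            return int(lo) <= value <= int(hi)
        return value in {int(x) for x in body.split(";")}
    return int(pattern) == value


def filter_matches(flt, addr):
    """True when the DNSBL reply address 'addr' satisfies the reply filter."""
    if flt is None:
        return True
    parts = re.findall(r"\[[^\]]*\]|\d+", flt)
    return all(octet_matches(p, int(v)) for p, v in zip(parts, addr.split(".")))


def score(sites_text, lookups, threshold=THRESHOLD):
    """Sum weights of matching listings; postscreen acts when total >= threshold.
    lookups maps site name -> reply address (constructed), absent = not listed."""
    total, hits = 0, []
    for line in sites_text.splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        name, flt, weight = parse_site(line)
        addr = lookups.get(name)
        if addr and filter_matches(flt, addr):
            total += weight
            hits.append((name, weight))
    return total, total >= threshold, hits
```

With this list one zen.spamhaus.org hit alone reaches the threshold, two *2 lists together do too, and a dnswl whitelist answer pulls a single spamcop hit back below it.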



 

> -----Original message-----
> From: samba-technical 
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of 
> Jawath Muckdhar via samba-technical
> Sent: Monday 15 May 2017 11:18
> To: samba-technical at lists.samba.org
> Subject: wanna cry ransomware patch for samba-4.5.5
> 
> Hi Team,
> 
> We are using samba-4.5.5. for file sharing in Mips Linux Platform.
> Is there any fix available for "wanna cry" ransomware ?
> 
> If available, can you please share git clone path.
> 
> Thanks & Regards,
> Jawath Muckdhar
> 
> 
> 
> 
> -- 
> 
> be inspired ! be happy! be urself!
> 
> ~ jawath ~
> 
> 