wanna cry ransomware patch for samba-4.5.5

Scott Lovenberg scott.lovenberg at gmail.com
Thu May 18 01:07:09 UTC 2017


On Wed, May 17, 2017 at 3:28 PM, Jeremy Allison via samba-technical
<samba-technical at lists.samba.org> wrote:
> On Wed, May 17, 2017 at 12:01:27PM -0700, Yogesh Kulkarni wrote:
>> Thanks Jeremy.
>>
>> I think that it is possible that an infected SAMBA client (a Windows machine)
>> might be able to encrypt the files on the server and
>> affect the files.
>> Is there any way to prevent this from happening?
>
> I can't see any way to prevent this. An infected
> Windows client is just doing normal file operations
> (open/read/write/close) to the Samba server. There's
> no way for the server to know these operations are
> malicious and intended to encrypt the file data without
> the user's consent.
>

While Jeremy is of course exactly correct, I guess if one were so
inclined and technically able, they could put a security layer on top
of the Samba file server engine by creating a VFS module that somehow
(hand-waving here, I'm assuming there is an access pattern or
something that can be used to fingerprint the various strains of the
malware that exist in the wild) identifies the malware's access
attempt and prohibits writing to (encrypting of) the share.  No one is
going to go to the trouble unless their employer wants to scratch this
itch, but it's probably doable.  I think it's no longer maintained,
but as a proof of concept there was a ClamAV file scanner VFS module
that allowed for real time virus scanning of files as they were
accessed.  I'm just throwing this out there on the off chance that
someone needs to scratch this itch.

-- 
Peace and Blessings,
-Scott.
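
The access-pattern idea in the message above, sketched as an added example (not part of the original post and not Samba code): a detector that flags a client appending the same new suffix to many distinct files within a short window, which is the kind of signal a filtering VFS layer could act on. The pipe-delimited record format, the `.locked` suffix, the thresholds and all function names are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # sliding window length (assumed tuning value)
THRESHOLD = 3         # distinct files renamed per client in the window (assumed)

# Constructed sample records: epoch_seconds|client_ip|operation|old_path|new_path
SAMPLE_LOG = """\
100|10.0.0.5|write|docs/report.docx|
101|10.0.0.5|rename|docs/report.docx|docs/report.docx.locked
102|10.0.0.7|rename|notes/draft.txt|notes/final.txt
103|10.0.0.5|rename|docs/budget.xlsx|docs/budget.xlsx.locked
104|10.0.0.5|rename|pics/team.jpg|pics/team.jpg.locked
300|10.0.0.7|rename|notes/a.txt|notes/a.txt.bak
"""

def appended_suffix(old, new):
    """Return the suffix added when new == old + '.something', else None."""
    if new.startswith(old + ".") and "/" not in new[len(old):]:
        return new[len(old):]
    return None

def detect(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {client_ip: suffix} for clients that append the same suffix to
    at least `threshold` distinct files within `window` seconds."""
    recent = defaultdict(deque)   # (client, suffix) -> deque of (time, path)
    flagged = {}
    for line in log_text.splitlines():
        fields = line.split("|")
        if len(fields) != 5 or fields[2] != "rename" or not fields[0].isdigit():
            continue              # skip malformed lines and other operations
        ts, client, old, new = int(fields[0]), fields[1], fields[3], fields[4]
        suffix = appended_suffix(old, new)
        if suffix is None:
            continue              # ordinary rename, not the mass-append pattern
        events = recent[(client, suffix)]
        events.append((ts, old))
        while events and ts - events[0][0] > window:
            events.popleft()      # drop events that fell out of the window
        if len({path for _, path in events}) >= threshold:
            flagged.setdefault(client, suffix)
    return flagged

if __name__ == "__main__":
    for client, suffix in detect(SAMPLE_LOG).items():
        print(f"block writes from {client}: mass rename to *{suffix}")
```

A heuristic like this only catches strains that rename files in bulk; malware that overwrites data in place leaves no such trace in rename records.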


