[Samba] wanna cry ransomware patch for samba-4.5.5

Andrew Walker walker.aj325 at gmail.com
Mon Jul 3 12:27:55 UTC 2017


On Mon, May 15, 2017 at 5:12 AM, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> Hai,
>
> No need for setting things on samba, that won't help a lot.
> Below is my setup and it's just how you configure your PCs.
>
> This and almost all other "malware" is EASY to block, but it will have
> impact on how you work.
> First, start with NEVER work/run as a user with administrator rights.
> If one needs it, then not internet option.
>
> I did the following.
> On windows, disable wscript, vbs and powershell scripting.
> Or select a few, I did keep powershell for my convenience.
>
> If you use MS Office, disable macros and VBS scripting.
> ( I even don't install macro and vbs support in ms office. )
>
> Windows GPO settings.  ( software restrictions, extra rules )
> These are my "crypto" settings, enforce these on your computers.
> ( there may be some Dutch words in these, questions, just ask )
>

Great advice! I personally take a white-listing approach as specified here:
https://www.iad.gov/iad/library/reports/application-whitelisting-using-srp.cfm
(note the IAD site throws a cert error unless you have their root cert
installed on your system), and also selectively whitelist the hash of
certain dlls / exes that need to run from %LocalAppData%, etc. This tends
to break more things than your approach.


> Acrobat reader.  This one is very important.
> http://www.grouppolicy.biz/2012/10/how-to-configure-group-policy-for-adobe-reader-xi/
> Get the adobe reader GPO settings, and install them in the network GPO
> folder.
> You must set ( see picture there ) Enable Acrobat JavaScript DISABLE
> <<<<< VERY VERY IMPORTANT ONE.
> This is one of the most used leaks, through a pdf they get files from the
> internet.


The NSA has some useful guidelines regarding secure acrobat configuration
here: https://cryptome.org/2013/08/nsa-adobe-reader-XI.pdf I can't remember
if all the options are available in Adobe's admx templates, but the
overview of what the options mean is helpful (as well as whether they view
it as optional or recommended). I'm also aware of the irony of looking at
an NSA pdf about securing adobe acrobat. ;-)

I personally run samba on ZFS on FreeBSD servers. Snapshots on ZFS are very
low-cost and provide a fairly quick way to recover encrypted files.
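The snapshot-based recovery mentioned above, as an added example that is not part of the original mail: every ZFS snapshot is reachable read-only under `MOUNTPOINT/.zfs/snapshot/NAME/` (whether or not the snapdir is listed), so a clean copy of each encrypted file can be copied back without rolling the whole dataset back. The dataset, mountpoint, snapshot names and the `.encrypted` suffix used to keep the damaged copy for analysis are assumptions for illustration; only `list_snapshots` and `main` need the `zfs` tool, the rest is plain file handling.

```shell
#!/bin/sh
# Added example (not code from the samba list thread): restore files that
# ransomware encrypted on a Samba share from a ZFS snapshot on FreeBSD.
# Dataset, mountpoint and snapshot names are assumptions for illustration.

# Path of RELATIVE_PATH as it was in snapshot SNAPNAME of the dataset
# mounted at MOUNTPOINT.
# usage: snapshot_path MOUNTPOINT SNAPNAME RELATIVE_PATH
snapshot_path() {
    printf '%s/.zfs/snapshot/%s/%s\n' "$1" "$2" "$3"
}

# Snapshot names of one dataset, newest first (needs the zfs tool).
# usage: list_snapshots DATASET
list_snapshots() {
    zfs list -H -t snapshot -o name -S creation -d 1 "$1" | sed 's/.*@//'
}

# Print the first snapshot, in the order given, that still holds a copy
# of RELATIVE_PATH; fail if none does. Snapshots taken after the
# encryption will already hold the encrypted or renamed file, so callers
# pass the list newest first and may need to skip those by hand.
# usage: find_clean_snapshot MOUNTPOINT RELATIVE_PATH SNAP...
find_clean_snapshot() {
    mnt=$1; rel=$2; shift 2
    for snap in "$@"; do
        if [ -f "$(snapshot_path "$mnt" "$snap" "$rel")" ]; then
            printf '%s\n' "$snap"
            return 0
        fi
    done
    return 1
}

# Copy RELATIVE_PATH back from SNAPNAME. The current (encrypted) file, if
# still present under its old name, is moved aside as RELATIVE_PATH.encrypted
# so it stays available for analysis. Fails if the snapshot lacks the file.
# usage: restore_from_snapshot MOUNTPOINT SNAPNAME RELATIVE_PATH
restore_from_snapshot() {
    mnt=$1; snap=$2; rel=$3
    src=$(snapshot_path "$mnt" "$snap" "$rel")
    dst="$mnt/$rel"
    [ -f "$src" ] || { echo "no copy of $rel in snapshot $snap" >&2; return 1; }
    [ -f "$dst" ] && mv "$dst" "$dst.encrypted"
    mkdir -p "$(dirname "$dst")"
    cp -p "$src" "$dst"   # -p keeps the file's original timestamps
}

# Command-line use: restore.sh DATASET RELATIVE_PATH
# Looks up the dataset's mountpoint, walks its snapshots newest first and
# restores from the first one that still has the file. Reverting a whole
# dataset with `zfs rollback` is the alternative, but rolling back past the
# newest snapshot needs -r and destroys the snapshots in between.
main() {
    ds=$1; rel=$2
    mnt=$(zfs get -H -o value mountpoint "$ds")
    snap=$(find_clean_snapshot "$mnt" "$rel" $(list_snapshots "$ds")) || exit 1
    restore_from_snapshot "$mnt" "$snap" "$rel"
}
if [ $# -eq 2 ]; then
    main "$@"
fi
```

Per-file restores from `.zfs/snapshot` keep newer snapshots and the rest of the share untouched; a full `zfs rollback` is faster when an entire share was hit but loses everything written since that snapshot.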