[Samba] wanna cry ransomware patch for samba-4.5.5
L.P.H. van Belle
belle at bazuin.nl
Mon May 15 10:12:06 UTC 2017
Hi,
Not really a question for samba-technical, but I can share this.
No need for setting things on Samba; that won't help a lot.
Below is my setup, and it's just how you configure your PCs.
This and almost all other "malware" is EASY to block, but it will have an impact on how you work.
First, start with NEVER working/running as a user with administrator rights.
If one needs it, then without the internet option.
I did the following.
On Windows, disable wscript, VBS and PowerShell scripting.
Or select a few; I did keep PowerShell for my convenience.
If you use MS Office, disable macros and VBS scripting.
( I even don't install macro and VBS support in MS Office. )
Windows GPO settings. ( software restrictions, extra rules )
These are my "crypto" settings; enforce these on your computers.
( there may be some Dutch words in these; questions, just ask )
%AppData%\*.exe
    Security level: Not allowed
    Description:    Prevent programs from running in AppData
    Last modified:  1-7-2015 16:36:47

%AppData%\*\*.exe
    Security level: Not allowed
    Description:    Prevent virus payloads from executing in subfolders of AppData
    Last modified:  1-7-2015 16:37:07

%AppData%\Microsoft\Windows\Templates\*.exe
    Security level: Not allowed
    Description:    (none)
    Last modified:  2-5-2017 14:01:58

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    Security level: Unlimited
    Description:    (none)
    Last modified:  1-7-2015 16:35:19

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    Security level: Unlimited
    Description:    (none)
    Last modified:  1-7-2015 16:35:19

%LocalAppData%\Temp\*.exe
    Security level: Not allowed
    Description:    (none)
    Last modified:  2-5-2017 13:59:16

%LocalAppData%\Temp\*.zip\*.exe
    Security level: Not allowed
    Description:    Prevent unarchived executables in email attachments from running in the user space
    Last modified:  1-7-2015 16:39:21

%LocalAppData%\Temp\7z*\*.exe
    Security level: Not allowed
    Description:    Prevent un-7Zipped executables in email attachments from running in the user space
    Last modified:  1-7-2015 16:39:06

%LocalAppData%\Temp\Rar*\*.exe
    Security level: Not allowed
    Description:    Prevent un-WinRARed executables in email attachments from running in the user space
    Last modified:  1-7-2015 16:38:59

%LocalAppData%\Temp\wz*\*.exe
    Security level: Not allowed
    Description:    Prevent un-WinZIPed executables in email attachments from running in the user space
    Last modified:  1-7-2015 16:39:14

C:\ProgramData\Adobe\ARM\S\*\AdobeARMHelper.exe
    Security level: Unlimited
    Description:    Exception: Adobe Update Helper
    Last modified:  26-10-2015 14:54:58

C:\ProgramData\Adobe\Setup\*
    Security level: Unlimited
    Description:    Exception: Adobe cache setup locations: C:\ProgramData\Adobe\Setup\*\setup.exe
    Last modified:  26-10-2015 14:56:53

C:\ProgramData\Citrix\Citrix Receiver\TrolleyExpress.exe
    Security level: Basic User
    Description:    Exception: Citrix: C:\ProgramData\Citrix\Citrix Receiver\TrolleyExpress.exe
    Last modified:  26-10-2015 14:54:00

C:\ProgramData\Oracle\Java\javapath\*.exe
    Security level: Basic User
    Description:    Exception: Java exe
    Last modified:  26-10-2015 14:57:27

C:\ProgramData\Package Cache\*\*.exe
    Security level: Unlimited
    Description:    Exception: C:\ProgramData\Package Cache\*\*.exe
    Last modified:  26-10-2015 14:52:58
Acrobat Reader. This one is very important.
http://www.grouppolicy.biz/2012/10/how-to-configure-group-policy-for-adobe-reader-xi/
Get the Adobe Reader GPO settings, and install them in the network GPO folder.
You must set ( see picture there ) Enable Acrobat JavaScript to DISABLE <<<<< VERY VERY IMPORTANT ONE.
This is one of the most-used leaks; through a PDF they get files from the internet.
Enforce everything over a proxy if you have one, and monitor your outgoing traffic.
Block these kinds of e-mails; really, I got 1 crypto attempt since Friday.
All others are blocked.
If you use Postfix as mail relay, read: http://www.postfix.org/POSTSCREEN_README.html
If you set up postscreen like this, it stops about 95% of all problems.
Add this part:
https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre
Again, questions, just ask.
### Before-220 tests (postscreen / DNSBL)
postscreen_greet_banner = $myhostname, checking blacklists, please wait.
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
    pcre:/etc/postfix/pcre/fqrdns-max.pcre,
    pcre:/etc/postfix/pcre/fqrdns-plus.pcre,
    pcre:/etc/postfix/pcre/fqrdns.pcre
postscreen_dnsbl_reply_map = pcre:/etc/postfix/pcre/postscreen_dnsbl_reply_map.pcre
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_ttl = 2h
postscreen_dnsbl_threshold = 4
postscreen_dnsbl_sites =
    b.barracudacentral.org*4
    bad.psky.me*4
    zen.spamhaus.org*4
    dnsbl.cobion.com*2
    bl.spameatingmonkey.net*2
    fresh.spameatingmonkey.net*2
    dnsbl.anonmails.de*2
    dnsbl.kempt.net*1
    dnsbl.inps.de*2
    bl.spamcop.net*2
    dnsbl.sorbs.net*1
    spam.dnsbl.sorbs.net*2
    rbl.rbldns.ru*2
    psbl.surriel.com*2
    bl.mailspike.net*2
    rep.mailspike.net=127.0.0.[13;14]*1
    bl.suomispam.net*2
    bl.blocklist.de*2
    ix.dnsbl.manitu.net*2
    dnsbl-2.uceprotect.net
    hostkarma.junkemailfilter.com=127.0.0.3
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    # whitelists
    swl.spamhaus.org*-4
    list.dnswl.org=127.0.[0..255].[2;3]*-1
    rep.mailspike.net=127.0.0.[17;18]*-1
    rep.mailspike.net=127.0.0.[19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-1
And next to all this, use an antivirus on the PC; I use Trend Micro in my office.
Set heuristic scanning to high and enable behaviour monitoring.
For all of the above, of course, use at your own risk.
( PS, I excluded my proxy setup; if you want info about that also, let me know. )
But that's a bit more complex to explain and set up.
Good luck,
Louis
> -----Original message-----
> From: samba-technical
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of
> Jawath Muckdhar via samba-technical
> Sent: Monday 15 May 2017 11:18
> To: samba-technical at lists.samba.org
> Subject: wanna cry ransomware patch for samba-4.5.5
>
> Hi Team,
>
> We are using samba-4.5.5 for file sharing on a MIPS Linux platform.
> Is there any fix available for "wanna cry" ransomware?
>
> If available, can you please share the git clone path.
>
> Thanks & Regards,
> Jawath Muckdhar
>
> --
>
> be inspired ! be happy! be urself!
>
> ~ jawath ~
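To make the weighting in Louis's postscreen_dnsbl_sites list concrete, here is an added example (not code from the post, from Postfix, or from the Samba project) that parses a subset of those entries in Postfix's `site[=reply-filter][*weight]` syntax and adds up the weights for a client against the threshold of 4 from the post. The DNSBL answers it scores are constructed inline, not real lookups, and it simplifies real postscreen behaviour by counting each list entry at most once per client.

```python
import re

# Constructed subset of the postscreen_dnsbl_sites entries from the post above
# (same syntax: site[=reply-filter][*weight]; a missing weight counts as +1).
DNSBL_SITES = """
b.barracudacentral.org*4
zen.spamhaus.org*4
dnsbl.cobion.com*2
bl.spamcop.net*2
dnsbl.sorbs.net*1
dnsbl-2.uceprotect.net
rep.mailspike.net=127.0.0.[13;14]*1
hostkarma.junkemailfilter.com=127.0.0.3
hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
# whitelists (negative weights lower the score)
swl.spamhaus.org*-4
list.dnswl.org=127.0.[0..255].[2;3]*-1
rep.mailspike.net=127.0.0.[17;18]*-1
hostkarma.junkemailfilter.com=127.0.0.1*-1
"""

# Same value as postscreen_dnsbl_threshold in the post.
THRESHOLD = 4

_ENTRY_RE = re.compile(r'([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?')
_OCTET_RE = re.compile(r'\[[^\]]*\]|\d+')


def _octet_set(token):
    """Expand one octet of a reply filter: '3', '[2;4]' or '[0..255]' -> set of ints."""
    if not token.startswith('['):
        return {int(token)}
    values = set()
    for part in token[1:-1].split(';'):
        if '..' in part:
            lo, hi = part.split('..')
            values.update(range(int(lo), int(hi) + 1))
        else:
            values.add(int(part))
    return values


def parse_site(entry):
    """Split 'site[=filter][*weight]' into (site, [four octet sets] or None, weight)."""
    m = _ENTRY_RE.fullmatch(entry.strip())
    if m is None:
        raise ValueError('bad postscreen_dnsbl_sites entry: %r' % entry)
    site, reply_filter, weight = m.groups()
    octets = None
    if reply_filter:
        octets = [_octet_set(t) for t in _OCTET_RE.findall(reply_filter)]
        if len(octets) != 4:
            raise ValueError('reply filter must have four octets: %r' % entry)
    return site, octets, int(weight) if weight else 1


def _reply_matches(addr, octets):
    """True when a DNSBL A record matches the entry's filter (no filter = any reply)."""
    if octets is None:
        return True
    parts = [int(p) for p in addr.split('.')]
    return all(p in s for p, s in zip(parts, octets))


def postscreen_score(lookups, sites=DNSBL_SITES, threshold=THRESHOLD):
    """Add up the weights of every matching entry for one client.

    lookups maps a DNSBL domain to the A records it returned for the client
    (absent or empty = not listed). Returns (score, blocked, hits).
    Simplification (assumption): each list entry counts at most once per client.
    """
    score, hits = 0, []
    for raw in sites.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith('#'):
            continue
        site, octets, weight = parse_site(entry)
        for addr in lookups.get(site, []):
            if _reply_matches(addr, octets):
                score += weight
                hits.append((entry, addr, weight))
                break
    return score, score >= threshold, hits


if __name__ == '__main__':
    # Constructed lookup results, not real DNS answers.
    samples = {
        'two strong lists': {'zen.spamhaus.org': ['127.0.0.2'],
                             'bl.spamcop.net': ['127.0.0.2']},
        'listed but whitelisted': {'zen.spamhaus.org': ['127.0.0.4'],
                                   'swl.spamhaus.org': ['127.0.2.1']},
        'weak hits only': {'dnsbl-2.uceprotect.net': ['127.0.0.2'],
                           'hostkarma.junkemailfilter.com': ['127.0.0.3'],
                           'rep.mailspike.net': ['127.0.0.18']},
    }
    for name, lookups in samples.items():
        score, blocked, hits = postscreen_score(lookups)
        print('%-24s score=%2d blocked=%s' % (name, score, blocked))
        for entry, addr, weight in hits:
            print('    %-45s %-12s %+d' % (entry, addr, weight))
```

The point the three samples make is why the list pairs high-weight blocklists with negative-weight whitelists: a single `*4` hit alone reaches the threshold, a matching whitelist entry can cancel it, and a handful of `*1` hits from weaker lists does not block on its own.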