Symantec Embedded Security: Critical System Protection Stops WannaCry


Article ID: 169459

Products

Embedded Security Critical System Protection

Issue/Introduction

WannaCry situation update

On May 12, 2017, there were multiple public reports of an ongoing large-scale cyberattack involving a variant of the ransomware named WannaCry (also known as WCry, WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor, and so on). These attacks are targeting and impacting users from various countries across the globe. For more information about WannaCry, visit Symantec's WannaCry Outbreak page.

Environment

Are my Windows systems vulnerable to WannaCry ransomware attacks?

The Windows systems listed here are vulnerable to the current WannaCry attack.

Resolution

What’s the best way to protect my Windows systems against WannaCry?

You must immediately install the Windows security update MS17-010 on all vulnerable Windows systems. This update patches the SMB vulnerability that enables WannaCry to infect and propagate.

What if my Windows systems aren’t patched yet, or I’m unable to patch them?

For unpatched Windows systems, the Symantec Embedded Security: Critical System Protection (SES:CSP) 7.0.0, 6.5.0, and 1.0.0 Windows IPS policies detect and block WannaCry ransomware attacks. All three levels of the SES:CSP Windows policy strategy—Basic, Hardening and Whitelisting—prevent the attack that installs the WannaCry malicious executables.

How does SES:CSP protect my unpatched Windows systems?

SES:CSP Windows IPS policies prevent WannaCry malware from being dropped or executed on the Windows system, and can also block inbound SMB traffic. Customers not taking advantage of full IPS protections can apply a targeted IPS policy to block the execution of the WannaCry malware.

Additional protection details

If you have Windows systems that do not use SMB or Windows Network File Sharing (especially Windows systems that are connected to the internet), it is strongly recommended to reduce the network attack surface by configuring prevention policy rules to block SMB network traffic. This can be done by editing the Kernel and Global network rules as follows:

  1. From the Java Console, edit a Windows policy.
  2. Click Advanced > Sandboxes.
  3. Under Kernel Driver Options, click Edit.
  4. Under Network Controls, add the following inbound rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any
  5. Under Network Controls, add the following outbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445
  6. Navigate back to Home in the policy editor.
  7. Click Advanced > Global Policy Options.
  8. Under Network Controls, add the following inbound rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any, Program Path: *
  9. Under Network Controls, add the following outbound rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445, Program Path: *
  10. Save the policy.
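To make the effect of the rules above concrete, here is an added Python model (not product code and not part of the original article) that encodes the Kernel and Global deny rules exactly as listed and evaluates sample connections against them. It assumes the article's field semantics: "Both" covers TCP and UDP, "Any" matches every port, and the Global rules' Program Path of `*` matches every process.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

ANY = "Any"

@dataclass(frozen=True)
class NetRule:
    """One Network Controls deny rule, modelled on the article's fields."""
    direction: str      # "inbound" or "outbound"
    protocol: str       # "TCP", "UDP" or "Both"
    local_port: object  # int or ANY
    remote_port: object # int or ANY
    program_path: str = "*"  # Global rules carry Program Path: *, Kernel rules apply to all traffic

def _port_ok(rule_port, port):
    return rule_port == ANY or rule_port == port

def _proto_ok(rule_proto, proto):
    return rule_proto == "Both" or rule_proto == proto

# The exact rule set from the article: NetBIOS 137-139 on TCP and UDP, SMB 445 on TCP only.
SMB_DENY_RULES = (
    [NetRule("inbound", "Both", p, ANY) for p in (137, 138, 139)]
    + [NetRule("inbound", "TCP", 445, ANY)]
    + [NetRule("outbound", "Both", ANY, p) for p in (137, 138, 139)]
    + [NetRule("outbound", "TCP", ANY, 445)]
)

def matching_rule(direction, proto, local_port, remote_port,
                  program_path=r"C:\Windows\System32\svchost.exe", rules=SMB_DENY_RULES):
    """Return the first deny rule that matches the connection, or None if none does."""
    for r in rules:
        if (r.direction == direction and _proto_ok(r.protocol, proto)
                and _port_ok(r.local_port, local_port)
                and _port_ok(r.remote_port, remote_port)
                and fnmatch(program_path, r.program_path)):
            return r
    return None

def is_blocked(direction, proto, local_port, remote_port, **kw):
    """True when the article's SMB rules deny this connection (not the policy's full verdict)."""
    return matching_rule(direction, proto, local_port, remote_port, **kw) is not None
```

Note that the 445 rules are TCP-only, so UDP traffic to or from port 445 is not covered by this list; that matches the article, since SMB over 445 runs on TCP.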

In addition to the protection delivered out-of-the-box, the execution of all known variants of the WannaCry ransomware can be blocked by putting the executable hashes in the Global No-run List. To add a hash to the list:

  1. From the Java Console, edit a Windows policy.
  2. Click Advanced > Global Policy Options.
  3. Under Global Policy Lists, edit the List of processes that services should not start [global_svc_child_norun_list].
  4. Click the Add button to add a parameter list entry.
  5. In the Entry in parameter list dialog box:
    • Enter * for the Program Path.
    • For File Hash, click the button on the right hand side.
    • In the File Hash Editor dialog, click Add.
    • Enter either the MD5 or SHA256 hash of the file.
    • Click Ok on the File Hash Editor dialog box.
    • Click Ok on the Entry in parameter list dialog box.
  6. Add a parameter list entry for each hash value.
  7. Save the policy.
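As an added illustration of how a no-run list entry is matched (not product code and not part of the original article), the Python below models the list of processes that services should not start: each entry pairs a Program Path pattern with one or more MD5 or SHA256 hashes, and a process is refused when its path matches the pattern and its file hash is on the entry. The byte strings are constructed stand-ins for executable contents, not real malware samples.

```python
import hashlib
from fnmatch import fnmatch

# Constructed sample file contents standing in for executables (not real WannaCry samples).
SAMPLE_BLOCKED = b"constructed sample executable A"
SAMPLE_BENIGN = b"constructed sample executable B"

def file_hashes(data: bytes) -> dict:
    """Both hash forms the File Hash Editor accepts, as lowercase hex."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

class NoRunList:
    """Model of global_svc_child_norun_list: (Program Path pattern, set of hashes) entries."""

    def __init__(self):
        self.entries = []

    def add(self, program_path: str, *hashes: str) -> None:
        # One parameter list entry per hash value, as the article's step 6 prescribes.
        for h in hashes:
            self.entries.append((program_path, h.lower()))

    def should_block(self, path: str, data: bytes) -> bool:
        """True when a service launching `path` with these contents must be refused."""
        h = file_hashes(data)
        for pattern, entry_hash in self.entries:
            if fnmatch(path, pattern) and entry_hash in (h["md5"], h["sha256"]):
                return True
        return False

def build_list_from_article_steps() -> NoRunList:
    """Program Path * plus the SHA256 of the blocked sample, as entered via the Java Console."""
    norun = NoRunList()
    norun.add("*", file_hashes(SAMPLE_BLOCKED)["sha256"])
    return norun
```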