Advanced variant of Petya update
On June 27, 2017, there were multiple public reports of an ongoing large-scale cyberattack involving an advanced variant of the ransomware named Petya. These attacks are targeting and have affected users in various countries across the globe. For more information, visit Symantec’s Petya ransomware outbreak page. 

Windows-based systems

Does SES: CSP protect against the Petya dropper?
The out-of-the-box capability of the Symantec Embedded Security: Critical System Protection (SES: CSP) Windows prevention policies to restrict software installation and executable modification protects your Windows-based systems from the Petya dropper that installs the boot loader. All three levels of the SES: CSP Windows prevention policy strategy—Basic, Hardening, and Whitelisting—prevent the Windows-based systems from the Petya dropper attack.
 

How does the advanced variant of Petya propagate from one system to another?
Even if the initial Petya dropper may not have been directed towards a protected system, the infection can still spread from one system to another. If two systems are on the same network domain, the primary mechanisms through which the Petya encrypting ransomware may laterally spread from a compromised system A (a system on which protection has not been set up against Petya) to a protected system B (a system on which SES: CSP has been installed) are as follows:

• Eternal Blue exploit 
• Privilege escalation with PSExec 
• Privilege escalation with WMI
   

Does SES: CSP protect against the propagation of the advanced variant of Petya through privilege escalation with PSExec and WMI?
By default, the out-of-the-box SES: CSP Windows prevention policies protect against the propagation of the advanced variant of Petya through privilege escalation with PSExec and WMI on Windows-systems.
 

Does SES: CSP protect against the propagation of the advanced variant of Petya through the Eternal Blue exploit?
Based on the Windows’ architecture (32-bit or 64-bit), SES: CSP protects your systems from propagating the advanced variant of Petya through the Eternal Blue exploit as follows:

• 32-bit Windows-based system: By default, SES: CSP protects against the propagation of the advanced variant of Petya through the Eternal Blue exploit.
• 64-bit Windows-based system which is not patched with MS17-010: Unpatched 64-bit Windows-based systems are vulnerable to the propagation of the advanced variant of Petya through the Eternal Blue exploit. If a system is not patched with MS17-010, you must make certain changes in the applied Windows prevention policy. For more information, see the following sections in this article:
  • What changes are required in a SES: CSP (version 7.1) Windows prevention policy to protect an unpatched 64-bit Windows-based system against the propagation of the advanced variant of Petya through the Eternal Blue exploit?
     
  • What changes are required in a SES: CSP (versions earlier than 7.1) Windows prevention policy to protect an unpatched 64-bit Windows-based system against the propagation of the advanced variant of Petya through the Eternal Blue exploit?
     

​​What changes are required in a SES: CSP (version 7.1) Windows prevention policy to protect an unpatched 64-bit Windows-based system against the propagation of the advanced variant of Petya through the Eternal Blue exploit?
Perform the following actions in the applied Windows prevention policy (for Basic, Hardening, and Whitelisting Windows prevention policy strategies):

1. Edit the Windows prevention policy by navigating to Global policy options > General Settings > Global Policy Lists.
2. From List of processes that services should not start [gloval_svc_child_norun_list], export the entire list of rules.
   
3. Navigate to Sandboxes > OS Sandbox Options > Local Security Authority Subsystem Service > General Settings > Sandbox Execution Options.
4. Expand Programs the Local Security Authority Subsystem Service may not run, and import the entire list of rules that you have exported from List of processes that services should not start [gloval_svc_child_norun_list]. 
   Ensure that you use the Replace option while importing the rules.
   
5. For the newly imported rules, edit the rundll32.exe option and remove the Q01 option.
   This ensures that rundll32.exe is not allowed to run as a service, and as an interactive program when executed from the Local Security Authority Subsystem Service sandbox.
6. Save the policy changes and apply.

The above changes in the Windows prevention policy for SES: CSP version 7.1 ensures that your Windows-based systems are protected against the advanced variant of Petya that leverage rundll32.exe to execute the malicious DLL after the eternal blue exploit is triggered.
 

What changes are required in a SES: CSP (versions earlier than 7.1) Windows prevention policy to protect an unpatched 64-bit Windows-based system against the propagation of the advanced variant of Petya through the Eternal Blue exploit?

Perform the following actions in the Windows prevention policy (for Basic, Hardening, and Whitelisting Windows prevention policy strategies):

1. Edit the Windows prevention policy by navigating to Sandboxes > OS Sandbox Options > Local Security Authority Subsystem Service > General Settings > Sandbox Execution Options.
2. Expand Programs the Local Security Authority Subsystem Service may not run, and add a new rule—%systemroot%\system32\rundll32.exe.
   
   This ensures that rundll32.exe is not allowed to run as a service, and as an interactive program when executed from the Local Security Authority Subsystem Service sandbox.