CB LiveQuery: Query To Detect Which Systems Have The Workaround For CVE-2020-0786

Article ID: 288594

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

Is there a LiveQuery to detect whether or not the workaround described by MS for CVE-2020-0786 has been applied?

Environment

  • CB PSC Console: All versions
  • CB LiveOps Sensor: All versions
  • Microsoft Windows: All supported versions

Resolution

Customers with LiveQuery enabled can use this SQL query:

    SELECT
      CASE cnt
        WHEN 1 THEN 'Compression Disabled'
        ELSE 'Enabled or Not Configured'
      END AS "SMBv3 Compression Status"
    FROM (
      SELECT count(name) AS cnt
      FROM registry
      WHERE path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\DisableCompression'
        AND data = 1
    );
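The query above reports "Enabled or Not Configured" both when DisableCompression is explicitly 0 and when the value does not exist. The variant below, an added example that is not part of the original article, separates those two cases by reading the value through a scalar subquery (NULL when the key is absent) and returns the raw data alongside the verdict; it assumes, as osquery's registry table does, that a REG_DWORD appears in the text column `data` as its decimal value.

```sql
-- Added example: three-state check for the CVE-2020-0786 workaround.
-- Assumes osquery's registry table, where a REG_DWORD is exposed in the
-- text column `data` as its decimal value ('1', '0', ...).
SELECT
  CASE
    WHEN data IS NULL THEN 'Not Configured (workaround absent)'
    WHEN data = '1'   THEN 'Compression Disabled (workaround applied)'
    WHEN data = '0'   THEN 'Compression Enabled (explicitly set)'
    ELSE 'Unexpected value: ' || data
  END AS "SMBv3 Compression Status",
  COALESCE(data, '<key absent>') AS "DisableCompression Value"
FROM (
  -- Scalar subquery: yields NULL when no matching registry row exists, so
  -- a machine without the key still produces one result row.
  SELECT (
    SELECT data
    FROM registry
    WHERE path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\DisableCompression'
  ) AS data
);
```

Run it fleet-wide and filter on the status column to list only the devices still reporting "Not Configured" or "Compression Enabled".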

Additional Information

  • Microsoft has released a workaround for CVE-2020-0786 which requires adding a DisableCompression DWORD registry value on Windows 10+ operating systems. The LiveQuery listed above shows whether compression has been disabled, or is enabled / not configured.
  • Please note that Microsoft has specified this as a workaround; it is assumed a patch will be coming.
  • A Threat Research report with further details is pending and will be posted in the UeX.