Audit and Remediation: How does the EternalBlue Hardening query determine if SMB is checked via registry or feature?

Article ID: 289662


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

How does Live Query decide which method, the registry value or the Windows feature setting, it uses to check whether SMB1 is enabled?

Environment

  • Carbon Black Cloud: All Versions
    • Audit and Remediation

Resolution

  • This is determined purely by the OS version reported by the os_version table (os.major and os.minor), not by anything SMB-specific:
    • Windows 8.1 / Server 2012 R2 (6.3) and Windows 10 and later (major 10, which also covers Windows 11 and Server 2016/2019/2022) check the Windows optional feature setting
    • Windows 7 / Server 2008 R2 (6.1) and Windows Vista / Server 2008 (6.0) check the registry value
    • Any other version, including Windows 8 / Server 2012 (6.2), falls through to UNDETERMINED, so neither source is consulted for those hosts
  • The CASE expression that makes this decision is at the bottom of the query. Its second WHEN branch (major 6, minor 3) repeats a condition already matched by the first branch and never fires; the result is unchanged.
SELECT CASE
    WHEN (
        (os.major == 10)
        OR (os.major == 6 AND os.minor == 3)
    )
    THEN 'FEATURE'

    WHEN (
        (os.major == 6)
        AND (os.minor == 3)
    )
    THEN 'FEATURE'

    WHEN (
        (os.major == 6)
        AND (os.minor == 0 OR os.minor == 1)
    )
    THEN 'REGISTRY'

    ELSE 'UNDETERMINED'
END "fetch_method"
FROM os_version AS os
WHERE os.platform = 'windows'
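The following osquery SQL is an added example of how the fetch_method decision can be carried through to an actual SMB1 result; it is not the Carbon Black Audit and Remediation query, whose remaining clauses are not shown on this page. It assumes osquery's windows_optional_features and registry tables, the optional feature name SMB1Protocol, and the LanmanServer\Parameters\SMB1 DWORD, which are Microsoft's documented controls for SMBv1 on the respective OS generations; the status labels (ENABLED, DISABLED, NOT_INSTALLED, UNKNOWN, UNDETERMINED) are this example's own.

```sql
-- Added example, not the Carbon Black query. Same OS-version branch as the
-- article, then the SMB1 state is read from the source that branch selects.
-- Assumptions: osquery tables windows_optional_features and registry,
-- feature name 'SMB1Protocol', registry value LanmanServer\Parameters\SMB1.
WITH osv AS (
    SELECT name, major, minor,
        CASE
            WHEN major = 10 OR (major = 6 AND minor = 3) THEN 'FEATURE'
            WHEN major = 6 AND minor IN (0, 1)           THEN 'REGISTRY'
            ELSE 'UNDETERMINED'
        END AS fetch_method
    FROM os_version
    WHERE platform = 'windows'
),
src AS (
    SELECT
        -- osquery state code: 1 = Enabled, 2 = Disabled, 3 = Absent; NULL = no such feature row
        (SELECT state FROM windows_optional_features
           WHERE name = 'SMB1Protocol') AS feature_state,
        -- DWORD rendered as text: '0' = SMB1 disabled; NULL = value absent (SMB1 left at its default, enabled)
        (SELECT data FROM registry
           WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
             AND name = 'SMB1') AS registry_smb1
)
SELECT
    osv.name  AS os_name,
    osv.major,
    osv.minor,
    osv.fetch_method,
    src.feature_state,
    src.registry_smb1,
    CASE osv.fetch_method
        WHEN 'FEATURE' THEN
            CASE src.feature_state
                WHEN 1 THEN 'ENABLED'
                WHEN 2 THEN 'DISABLED'
                WHEN 3 THEN 'NOT_INSTALLED'   -- feature payload absent, so SMB1 cannot be on
                ELSE 'UNKNOWN'                -- no feature row: do not assume it is off
            END
        WHEN 'REGISTRY' THEN
            CASE
                WHEN src.registry_smb1 IS NULL THEN 'ENABLED'   -- absent value means default (on)
                WHEN src.registry_smb1 = '0'   THEN 'DISABLED'
                ELSE 'ENABLED'
            END
        ELSE 'UNDETERMINED'   -- e.g. Windows 8 / Server 2012 (6.2): neither source is consulted
    END AS smb1_status
FROM osv, src;
```

The two scalar subqueries in src return NULL when no row matches, which is what lets the REGISTRY branch treat a missing SMB1 value as "still enabled" rather than silently reporting a pass; the FEATURE branch deliberately reports UNKNOWN rather than DISABLED when the feature row is missing, so a host on which the optional-features table cannot be read does not look hardened.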