There is still a lot of confusion regarding coverage for the WannaCry exploit running wild since Friday May 12.
I wanted to remind McAfee legacy (VirusScan Enterprise) customers that you are currently protected for all "Known" variants, provided you have current DAT content.
Since you are still running a legacy endpoint product (as apposed to next generation ENS 10.5), you need to ensure additional configurations are in place to protect your systems against any 'unknown' variants, should they arise in the wild.
VSE customers should refer to KB89335 and configure VSE as follows:
- Content updates - Latest content updates always applied. Reduce your repository pulls to minimal intervals i.e.) 15 min. *Configure your client update tasks as a global update, so they run whenever updated DAT content for VSE is pulled from McAfee. That way, your legacy VSE product will always have the latest DAT content applied.
- Create the 2 recommended VSE Access Protection (AP) rules – to block the actual encryption routine.
***With above set, systems will be protected against all known variant exploits.
NOW THEN, for those of you fortunate enough to be running our latest endpoint technology; McAfee Endpoint Security 10.5, with Adaptive Threat Protection (ATP), you have the best 0-day protection available for any yet "Unknown" variants, should they arise in the wild.
ENS customers should refer to KB89335 and configure ENS as follows:
- Content updates - Latest content updates always applied. Reduce your repository pulls to minimal intervals i.e.) 15 min. Configure your client update task globally so they run whenever updated content for ENS is pulled.
- Create the 2 recommended ENS Threat Prevention, Access Protection (AP) rules – to block the actual encryption routine.
- Configure ENS Adaptive Threat Protection (ATP) as recommended –
- Rule Assignment=’Security’
- DAC should have recommended rules set to block per KB87843.
***With above set, systems will be protected against all known, AND unknown variants.
*KB89335 also now includes info for HIP custom sigs, and content is expected.
***IMPORTANT GENERAL RECOMMENDATION***
Customers SHOULD apply the MS17-010 security update ASAP. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Workaround - in lieu of above MS patch- customer can disable SMB1 via registry on all their workstations using GPO, or startup/logon scripts etc. https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1 ,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-ser ver-2008-r2,-windows-8,-and-windows-server-2012
Deconstruction of the WannaCry Exploit here:
McAfee Labs Threat Advisory