cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
AdithyanT
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 1 of 2

ENS coverage for CVE 2021-1675 PrintNightmare coverage

Hi All,

McAfee is aware of CVE-2021-1675, otherwise known as “PrintNightmare.”  Our immediate recommendation is to disable the print spooler service on all servers in your environment. We are investigating product countermeasures, and recommend subscribing to KB94659 - McAfee coverage for June 2021 CVE-2021-1675 PrintNightmare vulnerability for updates.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
1 Reply
AdithyanT
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: ENS coverage for CVE 2021-1675 PrintNightmare coverage

The work around as described in KB94659:

In response to the identified vulnerability, McAfee has generated an Endpoint Security (ENS) Expert Rule that can prevent exploitation and allow monitoring of this vulnerability. This rule detects when files are written from the spool service into the directory that known exploits are using to drop files on victim systems.

ENS Expert Rule:

NOTE: Before you implement the recommendation below, you must test the rule thoroughly. Thorough testing ensures rule integrity. It also makes sure that no legitimate application, in-house developed, or otherwise, is deemed malicious and prevented from functioning in your production environment. You can set the suggested rule in report-only mode for testing purposes to check whether it causes any conflict in your environment, and to monitor for the target behavior without blocking. After you determine the rule does not block any activity from legitimate applications, you can set the rule to block and apply the setting to relevant systems.


Rule {

Process {
Include OBJECT_NAME { -v "spoolsv.exe" }
}
Target {
Match FILE {
Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\drivers\\**\\Old\\*\\*.dll" }
Include -access "CREATE"
}
}
}



To disable PrintSpooler through Group Policy Objects (Recommended for servers, except dedicated print servers):

NOTE: Disabling the print spooler service disables the ability to print both locally and remotely.

  1. Modify your Global Policy Object (GPO) or create a GPO to manage this setting.
  2. When you edit the GPO, go to Computer ConfigurationPoliciesWindows SettingsSystem Services, Print Spooler.
  3. Right-click the Print Spooler System Service option, and select Properties.
  4. Set the System Service to Disabled.

To block only the remote attack vector, administrators can disable inbound remote printing through Group Policy Objects (Recommended for workstations):

  1. Modify your Global Policy Object (GPO) or create a GPO to manage this setting.
  2. When you edit the GPO, go to Computer Configuration, Administrative Templates, Printers.
  3. Right-click the Allow Print Spooler to accept client connections policy option, and select Edit.
  4. Set the policy to Disabled.
Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community