Re: wanna cry ransomware patch for samba-4.5.5

Re: wanna cry ransomware patch for samba-4.5.5

Samba - General mailing list
Hai,

Not really a question for samba technical, but I can share this.

No need for setting things on samba, that won't help a lot.
Below is my setup and it's just how you configure your PCs.

This and almost all other "malware" is EASY to block, but it will have impact on how you work.
First, start with NEVER work/run as a user with administrator rights.
If one needs it, then no internet option.

I did the following.
On Windows, disable wscript, vbs and powershell scripting.
Or select a few, I did keep powershell for my convenience.

If you use MS Office, disable macros and VBS scripting.
( I even don't install macro and vbs support in MS Office. )

Windows GPO settings.  ( software restrictions, extra rules )
These are my "crypto" settings, enforce these on your computers.
( there may be some Dutch words in these, questions, just ask )

%AppData%\*.exe
Security Level Not allowed
Description Prevent programs from running in AppData
Last modified on 1-7-2015 16:36:47

%AppData%\*\*.exe
Security Level Not allowed
Description Prevent virus payloads from executing in subfolders of AppData
Last modified on 1-7-2015 16:37:07

%AppData%\Microsoft\Windows\Templates\*.exe
Security Level Not allowed
Description
Last modified on 2-5-2017 14:01:58

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Security Level Unlimited
Description
Last modified on 1-7-2015 16:35:19

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level Unlimited
Description
Last modified on 1-7-2015 16:35:19

%LocalAppData%\Temp\*.exe
Security Level Not allowed
Description
Last modified on 2-5-2017 13:59:16

%LocalAppData%\Temp\*.zip\*.exe
Security Level Not allowed
Description Prevent unarchived executables in email attachments from running in the user space
Last modified on 1-7-2015 16:39:21

%LocalAppData%\Temp\7z*\*.exe
Security Level Not allowed
Description Prevent un-7Zipped executables in email attachments from running in the user space
Last modified on 1-7-2015 16:39:06

%LocalAppData%\Temp\Rar*\*.exe
Security Level Not allowed
Description Prevent un-WinRARed executables in email attachments from running in the user space
Last modified on 1-7-2015 16:38:59

%LocalAppData%\Temp\wz*\*.exe
Security Level Not allowed
Description Prevent un-WinZIPed executables in email attachments from running in the user space
Last modified on 1-7-2015 16:39:14

C:\ProgramData\Adobe\ARM\S\*\AdobeARMHelper.exe
Security Level Unlimited
Description Exception Adobe Update Helper
Last modified on 26-10-2015 14:54:58

C:\ProgramData\Adobe\Setup\*
Security Level Unlimited
Description Exception Adobe cache setup locations :C:\ProgramData\Adobe\Setup\*\setup.exe
Last modified on 26-10-2015 14:56:53

C:\ProgramData\Citrix\Citrix Receiver\TrolleyExpress.exe
Security Level Basic User
Description Exception Citrix : C:\ProgramData\Citrix\Citrix Receiver\TrolleyExpress.exe
Last modified on 26-10-2015 14:54:00

C:\ProgramData\Oracle\Java\javapath\*.exe
Security Level Basic User
Description Exception Java exe
Last modified on 26-10-2015 14:57:27

C:\ProgramData\Package Cache\*\*.exe
Security Level Unlimited
Description Exception C:\ProgramData\Package Cache\*\*.exe
Last modified on 26-10-2015 14:52:58
 

Acrobat reader.  This one is very important.
http://www.grouppolicy.biz/2012/10/how-to-configure-group-policy-for-adobe-reader-xi/
Get the adobe reader GPO settings, and install them in the network GPO folder.
You must set ( see picture there ) Enable Acrobat JavaScript DISABLE    <<<<< VERY VERY IMPORTANT ONE.
This is one of the most used leaks, through a pdf they get files from the internet.

Enforce everything over proxy if you have one and monitor your outgoing traffic.

Block these kinds of e-mails, really, I got 1 crypto attempt since Friday.
All others are blocked.

If you use postfix as mail relay, read: http://www.postfix.org/POSTSCREEN_README.html
If you set up postscreen like this, this stops about 95% of all problems.
Add this part.
https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre
Again, questions, ask.

### Before-220 tests (postscreen / DNSBL)
postscreen_greet_banner         = $myhostname, checking blacklists, please wait.
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
postscreen_access_list          =
    permit_mynetworks,
    cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
    pcre:/etc/postfix/pcre/fqrdns-max.pcre,
    pcre:/etc/postfix/pcre/fqrdns-plus.pcre,
    pcre:/etc/postfix/pcre/fqrdns.pcre
postscreen_dnsbl_reply_map      = pcre:/etc/postfix/pcre/postscreen_dnsbl_reply_map.pcre
postscreen_blacklist_action     = drop
postscreen_dnsbl_action         = enforce
postscreen_greet_action         = enforce
postscreen_dnsbl_ttl            = 2h
postscreen_dnsbl_threshold      = 4
postscreen_dnsbl_sites =
        b.barracudacentral.org*4
        bad.psky.me*4
        zen.spamhaus.org*4
        dnsbl.cobion.com*2
        bl.spameatingmonkey.net*2
        fresh.spameatingmonkey.net*2
        dnsbl.anonmails.de*2
        dnsbl.kempt.net*1
        dnsbl.inps.de*2
        bl.spamcop.net*2
        dnsbl.sorbs.net*1
        spam.dnsbl.sorbs.net*2
        rbl.rbldns.ru*2
        psbl.surriel.com*2
        bl.mailspike.net*2
        rep.mailspike.net=127.0.0.[13;14]*1
        bl.suomispam.net*2
        bl.blocklist.de*2
        ix.dnsbl.manitu.net*2
        dnsbl-2.uceprotect.net
        hostkarma.junkemailfilter.com=127.0.0.3
        hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
        # whitelists
        swl.spamhaus.org*-4
        list.dnswl.org=127.0.[0..255].[2;3]*-1
        rep.mailspike.net=127.0.0.[17;18]*-1
        rep.mailspike.net=127.0.0.[19;20]*-2
        hostkarma.junkemailfilter.com=127.0.0.1*-1


And next to this all, use an antivirus on the PC, I use Trend Micro in my office.
Set heuristic scanning high and enable behaviour monitoring.

For all above, of course, use at own risk.
( ps, I excluded my proxy setup, if you want info about that also, let me know. )
But that is a bit more complex to explain how to set up.



Good luck,

Louis



 

> -----Original message-----
> From: samba-technical
> [mailto:[hidden email]] On behalf of
> Jawath Muckdhar via samba-technical
> Sent: Monday 15 May 2017 11:18
> To: [hidden email]
> Subject: wanna cry ransomware patch for samba-4.5.5
>
> Hi Team,
>
> We are using samba-4.5.5 for file sharing on a Mips Linux platform.
> Is there any fix available for "wanna cry" ransomware ?
>
> If available, can you please share git clone path.
>
> Thanks & Regards,
> Jawath Muckdhar
>
>
>
>
> --
>
> be inspired ! be happy! be urself!
>
> ~ jawath ~
>
>

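To see how the path rules above interact, here is an added Python simulation of SRP path-rule evaluation; it is not from the post or from Microsoft. It assumes a constructed profile layout, a default level of Disallowed, that `*` stays within one path component except as a trailing `\*`, and that the most specific matching rule (most literal characters) wins.

```python
import re

# Constructed environment for the simulation (a typical Windows profile layout).
ENV = {
    "AppData": r"C:\Users\alice\AppData\Roaming",
    "LocalAppData": r"C:\Users\alice\AppData\Local",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot": r"C:\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir": r"C:\Program Files",
}
# A subset of the path rules from the post, as (pattern, security level).
RULES = [
    (r"%AppData%\*.exe", "Disallowed"),
    (r"%AppData%\*\*.exe", "Disallowed"),
    (r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%", "Unrestricted"),
    (r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%", "Unrestricted"),
    (r"%LocalAppData%\Temp\*.exe", "Disallowed"),
    (r"%LocalAppData%\Temp\7z*\*.exe", "Disallowed"),
    (r"C:\ProgramData\Adobe\Setup\*", "Unrestricted"),
    (r"C:\ProgramData\Oracle\Java\javapath\*.exe", "Basic User"),
]
# Assumed default level when nothing matches (whitelisting mode, which is why the
# SystemRoot/ProgramFilesDir rules in the post exist at all).
DEFAULT_LEVEL = "Disallowed"

def expand(pattern):
    """Substitute %NAME% tokens from ENV; unknown names are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1), m.group(0)), pattern)

def rule_regex(pattern):
    """Assumed semantics: a bare folder or trailing '\\*' covers the whole subtree;
    any other '*' / '?' stays inside one path component."""
    pat = expand(pattern).rstrip("\\")
    if pat.endswith("\\*"):
        pat = pat[:-2]
    if not any(c in pat for c in "*?"):
        return re.compile(re.escape(pat) + r"(\\.*)?$", re.I)  # the file itself or anything below
    body = "".join(r"[^\\]*" if c == "*" else r"[^\\]" if c == "?" else re.escape(c) for c in pat)
    return re.compile(body + "$", re.I)

def effective_level(path):
    """Return (level, winning rule); precedence approximated as 'most literal characters wins'."""
    best = None
    for pattern, level in RULES:
        if rule_regex(pattern).match(path):
            literal = len(re.sub(r"[*?]", "", expand(pattern)))
            if best is None or literal > best[0]:
                best = (literal, level, pattern)
    return (best[1], best[2]) if best else (DEFAULT_LEVEL, None)
```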

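An added Python illustration, not part of the post or of Postfix, of how the weighted postscreen_dnsbl_sites entries and postscreen_dnsbl_threshold above combine into a per-client score; the DNSBL replies are constructed and the block assumes each site entry contributes its weight once per client.

```python
import re

# Values from the post: the threshold and a subset of postscreen_dnsbl_sites.
DNSBL_THRESHOLD = 4
DNSBL_SITES = """
    zen.spamhaus.org*4
    bl.spamcop.net*2
    psbl.surriel.com*2
    dnsbl-2.uceprotect.net
    hostkarma.junkemailfilter.com=127.0.0.3
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    list.dnswl.org=127.0.[0..255].[2;3]*-1
    rep.mailspike.net=127.0.0.[19;20]*-2
""".split()

def parse_site(spec):
    """Split 'domain[=filter][*weight]' into (domain, filter or None, weight); weight defaults to 1."""
    m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", spec)
    return m.group(1), m.group(2), int(m.group(3) or 1)

def filter_matches(flt, reply):
    """Reply filter: dotted components that are a number, [a;b] alternatives or [a..b] ranges."""
    tokens = re.findall(r"\[[^\]]*\]|\d+", flt)
    for want, got in zip(tokens, (int(o) for o in reply.split("."))):
        if want.startswith("["):
            ok = False
            for alt in want[1:-1].split(";"):
                lo, _, hi = alt.partition("..")
                ok = ok or int(lo) <= got <= int(hi or lo)
            if not ok:
                return False
        elif int(want) != got:
            return False
    return True

def dnsbl_score(replies):
    """replies: {dnsbl domain: [A-record addresses returned]} for one client (constructed input).
    Each entry adds its weight once when any returned address passes its filter (assumed)."""
    score = 0
    for spec in DNSBL_SITES:
        domain, flt, weight = parse_site(spec)
        if any(flt is None or filter_matches(flt, r) for r in replies.get(domain, [])):
            score += weight
    return score

def verdict(replies):
    """postscreen_dnsbl_threshold is an inclusive lower bound for blocking the client."""
    score = dnsbl_score(replies)
    return ("reject" if score >= DNSBL_THRESHOLD else "pass", score)
```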
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: wanna cry ransomware patch for samba-4.5.5

Samba - General mailing list
On Mon, May 15, 2017 at 5:12 AM, L.P.H. van Belle via samba <
[hidden email]> wrote:

> Hai,
>
> No need for setting things on samba, that won't help a lot.
> Below is my setup and it's just how you configure your PCs.
>
> This and almost all other "malware" is EASY to block, but it will have
> impact on how you work.
> First, start with NEVER work/run as a user with administrator rights.
> If one needs it, then no internet option.
>
> I did the following.
> On Windows, disable wscript, vbs and powershell scripting.
> Or select a few, I did keep powershell for my convenience.
>
> If you use MS Office, disable macros and VBS scripting.
> ( I even don't install macro and vbs support in MS Office. )
>
> Windows GPO settings.  ( software restrictions, extra rules )
> These are my "crypto" settings, enforce these on your computers.
> ( there may be some Dutch words in these, questions, just ask )
>

Great advice! I personally take a white-listing approach as specified here:
https://www.iad.gov/iad/library/reports/application-whitelisting-using-srp.cfm
(note the IAD site throws a cert error unless you have their root cert
installed on your system), and also selectively whitelist the hash of
certain dlls / exes that need to run from %LocalAppData%, etc. This tends
to break more things than your approach.


> Acrobat reader.  This one is very important.
> http://www.grouppolicy.biz/2012/10/how-to-configure-group-policy-for-adobe-reader-xi/
> Get the adobe reader GPO settings, and install them in the network GPO
> folder.
> You must set ( see picture there ) Enable Acrobat JavaScript DISABLE
> <<<<< VERY VERY IMPORTANT ONE.
> This is one of the most used leaks, through a pdf they get files from the
> internet.


The NSA has some useful guidelines regarding secure acrobat configuration
here: https://cryptome.org/2013/08/nsa-adobe-reader-XI.pdf I can't remember
if all the options are available in Adobe's admx templates, but the
overview of what the options mean is helpful (as well as whether they view
it as optional or recommended). I'm also aware of the irony of looking at
an NSA pdf about securing adobe acrobat. ;-)

I personally run samba on ZFS on FreeBSD servers. Snapshots on ZFS are very
low-cost and provide a fairly quick way to recover encrypted files.