# Best way to protect against WannaCry



## CAPSLOCKSTUCK (May 17, 2017)

i am using IObit Malware Fighter and Defender  .......what else should i do?


----------



## INSTG8R (May 17, 2017)

Turn off SMB in Windows Features. Just turned mine off


----------



## Countryside (May 17, 2017)

Make sure that you have a backup and keep your Defender and Fighter up-to-date.
According to Microsoft if you are using Win10 and it has the latest updates you should be protected.

I heard that they even released a patch for windows xp.


----------



## R-T-B (May 17, 2017)

CAPSLOCKSTUCK said:


> i am using IObit Malware Fighter and Defender  .......what else should i do?



Apply the patch?


----------



## Octopuss (May 17, 2017)

I would say not being an idiot is almost 100% protection against this crap. Don't click on any stupid links from fishy emails.


----------



## R-T-B (May 17, 2017)

Octopuss said:


> I would say not being an idiot is almost 100% protection against this crap. Don't click on any stupid links from fishy emails.



It's an SMB port worm vulnerability.  You don't have to.  That's part of the reason it spread so bad.

At the rate of misinformation in this thread, apparently my decision to skip this for a news article was a poor one.


----------



## Octopuss (May 17, 2017)

I thought people always get infected with this stuff purely because they clicked on fishy links.
Are you saying one can theoretically get infected with this by just having his PC turned on?


----------



## burebista (May 17, 2017)

Octopuss said:


> Are you saying one can theoretically get infected with this by just having his PC turned on?


Yep, if you're unpatched and have ports UDP 137/138 and/or TCP 139/445 open to Internet.


----------



## CAPSLOCKSTUCK (May 17, 2017)

R-T-B said:


> At the rate of misinformation in this thread, apparently my decision to skip this for a news article was a poor one.




Please do the news article........i want a definitive guide, from someone i trust, so i can pass it on to my friends and relatives.


----------



## R-T-B (May 17, 2017)

Octopuss said:


> I thought people always get infected with this stuff purely because they clicked on fishy links.
> Are you saying one can theoretically get infected with this by just having his PC turned on?



Yes, if the smb port is exposed anyways.  In a default windows setup it is.



CAPSLOCKSTUCK said:


> Please do the news article........i want a definitive guide, from someone i trust, so i can pass it on to my friends and relatives.



Wish I'd done it sooner if we were going for "news", but probably will do a forum post if nothing else tomorrow.  In the meantime your best defence is honestly to run Windows Update until it drops.


----------



## Caring1 (May 17, 2017)

I read up about the patch online at Microsoft and was under the impression it was for Server versions only.
And acronyms wear a bit thin and lose their meaning when multiple industries use the same one for differing meanings, case in point, to me an SMB has always meant a Small to Medium Business.


----------



## R-T-B (May 17, 2017)

Caring1 said:


> I read up about the patch online at Microsoft and was under the impression it was for Server versions only.
> And acronyms wear a bit thin and lose their meaning when multiple industries use the same one for differing meanings, case in point, to me an SMB has always meant a Small to Medium Business.



Server Message Block in this case, it's the Windows file sharing protocol.  It is on by default, and vulnerable.

At any rate a patch was even made available for XP, so it's certainly there if you look.


----------



## Octopuss (May 17, 2017)

R-T-B said:


> Yes, if the smb port is exposed anyways.  In a default windows setup it is.


Isn't that related to local networks only though?


----------



## Caring1 (May 17, 2017)

R-T-B said:


> ... it's certainly there if you look.


I'm fully up to date so it should be installed already *crosses fingers*.
I don't really care either way as there's nothing in particular worth stressing about on my computers, and a quick wipe and re-install should fix it.


----------



## Nosada (May 17, 2017)

It's SMB1 specifically, which is disabled by default in W10. Also, who the hell has SMB ports open to the internet? The virus most definitely DOES get in via fishy mails, but can spread via SMB1 afterwards.

Source: Just spent a week hardening 152 BU's to this crap, because not everyone was smart enough to install the windows patch that made you immune to this 2 months ago when EternalBlue was leaked and MS released MS17-010.


----------



## P4-630 (May 17, 2017)

Well I got this popup from Comodo Firewall (free) a few days ago:


----------



## CAPSLOCKSTUCK (May 17, 2017)

Nosada said:


> It's SMB1 specifically, which is disabled by default in W10




i just  disabled mine.......it was ON by default.


----------



## INSTG8R (May 17, 2017)

CAPSLOCKSTUCK said:


> i just  disabled mine.......it was ON by default.


Exactly so was mine. So easy to do, so just do it.


----------



## Caring1 (May 17, 2017)

CAPSLOCKSTUCK said:


> i just  disabled mine.......it was ON by default.


Care to explain how?


----------



## rtwjunkie (May 17, 2017)

Octopuss said:


> I thought people always get infected with this stuff purely because they clicked on fishy links.
> Are you saying one can theoretically get infected with this by just having his PC turned on?


Yes. And not just theoretically. For real. And not the first infection that can be gotten without clicking on suspicious links or by going to dodgy websites.


----------



## CAPSLOCKSTUCK (May 17, 2017)

if we can keep it civil, this thread could be a good resource.


----------



## burebista (May 17, 2017)

Caring1 said:


> p.s. there is no SMB setting in W7 Windows Features.


Yep, you should do some stuff to disable SMBv1.


----------



## HTC (May 17, 2017)

Tried to do a search for it, as i too am a Windows 7 user and came up with this. Problem is i dunno if i even need it because i'm not running a server and also, it doesn't show in the windows feature section either:



EDIT



INSTG8R said:


> If you can't find Windows Features I feel sorry for you...it's not moved since XP



Don't assume that, just because you know how to do something, everyone else does too. Also, it's not in windows features, as the pic above clearly shows.


----------



## ShurikN (May 17, 2017)

This patch that everyone is talking about, did it come with Creators update, or do you have to install it by yourself?


----------



## Liviu Cojocaru (May 17, 2017)

I am an IT technician and these days it's all about this damn exploit, best thing to do in this case is to keep your Windows and Antivirus up to date, also avoid opening email attachments if you're not 100% sure of the provenience of the file.

How to disable SMB:

http://www.vinransomware.com/blog/h...ndows-machines-to-prevent-wannacry-ransomware


----------



## SnakeDoctor (May 17, 2017)

Eset up to date - ESET detects and blocks the WannaCryptor.D threat and its variants
Turned off smb in Win8.1


----------



## INSTG8R (May 17, 2017)

I'm wondering if it's still BITS on W7?


----------



## HTC (May 17, 2017)

Liviu Cojocaru said:


> I am an IT technician and these days it's all about this damn exploit, best thing to do in this case is to keep your Windows and Antivirus up to date, also avoid opening email attachments if you're not 100% sure of the provenience of the file.
> 
> How to disable SMB:
> 
> http://www.vinransomware.com/blog/h...ndows-machines-to-prevent-wannacry-ransomware



Used the powershell method but copy / paste wasn't working because it wasn't the same as what was in the powershell pics: once i matched it, it was done.

Thanks.


----------



## Countryside (May 17, 2017)

ShurikN said:


> This patch that everyone is talking about, did it come with Creators update, or do you have to install it by yourself?



Patch is in Windows Update, you don't have to download it manually, just make sure that your PC has checked and downloaded the latest updates.

So a little prevention summary:

1. Make sure Windows is up-to-date
2. Antivirus is up-to-date
3. Do not visit dodgy websites and do not open unknown emails.


----------



## HTC (May 17, 2017)

Countryside said:


> Patch is in Windows Update, you don't have to download it manually, just make sure that your PC has checked and downloaded the latest updates.
> 
> So a little prevention summary:
> 
> ...



The highlighted part is relative because it could very well be from a known friend that just happened to be (unknown to him / her) compromised.


----------



## jboydgolfer (May 17, 2017)

mine was set to off (win10) i can't recall if i turned it off, as for years i have been removing what i didn't use from the features list.....maybe it turned out to be a good habit   ...

looks like V1 isn't turned off though.


----------



## rtwjunkie (May 17, 2017)

Countryside said:


> Patch is in Windows Update, you don't have to download it manually, just make sure that your PC has checked and downloaded the latest updates.
> 
> So a little prevention summary:
> 
> ...


Good advice, except Wannacry didn't spread by #3.  

Also, a good percentage of people's other infections happen via "drive by" at known websites.


----------



## metalslaw (May 17, 2017)

Good info on how this variant has already been disabled,

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

However, there is every chance another variant can come along, so patch your o/s


----------



## R-T-B (May 17, 2017)

Nosada said:


> It's SMB1 specifically, which is disabled by default in W10. Also, who the hell has SMB ports open to the internet?



A lot more than we'd like to believe, judging from the spread.  Then again, I know tons of people who plug in directly to their modem and assume Windows Firewall has them covered.  It does not.

Pretty sure SMB1 is enabled in Windows 10 by default too, the shares are just shutdown.  That is enough.


----------



## jboydgolfer (May 17, 2017)

R-T-B said:


> Pretty sure SMB1 is enabled in Windows 10 by default too



Your assumption is Correct (confirmed)


----------



## INSTG8R (May 17, 2017)

jboydgolfer said:


> Your assumption is Correct (confirmed)


Oh yes it's on. I've already walked a few friends thru it already to turn it off.


----------



## TheMailMan78 (May 17, 2017)

Jesus Christ just keep your OS updated and your anti-virus updated. MS even updated XP for this one because some dumbass governments still use it. No need to turn anything off.

It's really NOT a big deal. Only thing that made this ransomware famous is the fact its source code came from the NSA via a leak.

Nothing to see here. Unless you are super cool 1337 haxor that doesn't update their OS because Microsoft is a capitalist pig and anti-viruses are for noobs. Then you might have an issue.


----------



## alucasa (May 17, 2017)

I forgot what version of smb Samba uses.


----------



## TheMailMan78 (May 17, 2017)

alucasa said:


> I forgot what version of smb Samba uses.


No need to turn it off man.


----------



## Solaris17 (May 17, 2017)

The SMB just prevents the worm from hitting you. Even with it enabled, if you are patched up you should be fine. However the initial infection can also come from an email.

Make sure that you are not opening PDFs and other attachments from stuff you know nothing about. A popular attack vector right now is forged UPS/FedEx emails. Didn't order anything? Then you DON'T have a package waiting.


----------



## alucasa (May 17, 2017)

UK's hospital network was hit hard. The media claimed it was an attack but I bet 4 quid that some dude opened a dodgy e-mail attachment.


----------



## HTC (May 17, 2017)

alucasa said:


> *UK's hospital network was hit hard*. The media claimed it was an attack but I bet 4 quid that some dude opened a dodgy e-mail attachment.



Over here as well: wouldn't be surprised if that was the reason either!


----------



## TheMailMan78 (May 17, 2017)

alucasa said:


> UK's hospital network was hit hard. The media claimed it was an attack but I bet 4 quid that some dude opened a dodgy e-mail attachment.



Yeah I would have someone's head for two things. Not keeping the system patched and updated AND find out computer zero is in that network. They need some IT education.

It's people's health and they have REE REEs running the IT department.


----------



## RejZoR (May 17, 2017)

Proof that antiviruses still make sense and dismissing them as useless is just idiotic:
http://weblog.av-comparatives.org/proactive-protection-wannacry-ransomware/

All 4 free antiviruses (avast!, AVG, AVIRA and Panda) protected from WannaCry before it was even spreading (proactively). There is also free tool called RansomFree which is proactive ransomware countermeasure. If people still get hit hard while all this free stuff is laying around, I can only call that pure idiocy.


----------



## Octopuss (May 17, 2017)

rtwjunkie said:


> Good advice, except Wannacry didn't spread by #3.


How, then? I am not really sure I understand. Local networks, sure. But through internet? That doesn't make any sense (to me). Someone would have to be scanning obscene IP ranges to find open ports. I can't think of any other way this sort of stuff could spread without the (l)user doing something.


----------



## P4-630 (May 17, 2017)

Ok just disabled Smb1 on my windows 8.1 system. (it was enabled).
I don't have a network of computers at home anyway.


----------



## RejZoR (May 17, 2017)

Octopuss said:


> How, then? I am not really sure I understand. Local networks, sure. But through internet? That doesn't make any sense (to me). Someone would have to be scanning obscene IP ranges to find open ports. I can't think of any other way this sort of stuff could spread without the (l)user doing something.



It literally spreads without the user doing ANYTHING (other than having an unprotected system by either not updating it regularly or not using antivirus).


----------



## bogmali (May 17, 2017)

Thread cleansed....If you're going to offer help, please do not be a jerk about it


----------



## BiggieShady (May 17, 2017)

Some good advice but nobody mentioned the first line of defense ... use NoScript and AdBlock Plus browser extensions whenever surfing for porn and warez


----------



## rtwjunkie (May 17, 2017)

BiggieShady said:


> Some good advice but nobody mentioned the first line of defense ... use NoScript and AdBlock Plus browser extensions whenever surfing for porn and warez


----------



## BiggieShady (May 17, 2017)

rtwjunkie said:


>


So, where from does John Doe get his malware most often?  You know I'm right.

edit:
Oh yeah, another popular way is through link in messenger (looking at you skype) from a friend whose account was hacked or credentials have been stolen/leaked.


----------



## NationsAnarchy (May 17, 2017)

Always have Adblock extension on your browser - and preferably NoScript. 
Latest patching, SMB1 disable, Server service disable, port blocking (445, 137, 138, 139 I believe).
Antivirus-wise, I'm using AVG Free, doing really well. 
And common sense is the most important, don't click on fishy stuff or emails.


----------
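The checklist above (patch MS17-010, disable SMBv1, block 137/138/139/445) and the "how to disable SMB" link earlier in the thread, pulled together into one host-hardening script. This is an added example, not code from the thread or from any linked guide; it assumes an elevated PowerShell on Windows 7 SP1 (PowerShell 4+) or Windows 8.1 / 10, and all function names in it are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit and harden one Windows host against
# the SMBv1 worm vector. Assumes Windows 7 SP1 with PowerShell 4+, or Windows
# 8.1 / 10 (which ship the SmbShare, NetSecurity and DISM modules). On Win 7
# the registry method from KB2696547 is used and firewall rules fall back to netsh.
$ErrorActionPreference = 'Stop'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Ms17010Evidence {
    # MS17-010 (released 2017-03-14) replaces the SMBv1 server driver srv.sys.
    # KB numbers differ per OS and per monthly rollup, so report the driver
    # version plus every update installed since the bulletin date and compare
    # against the bulletin's file table instead of hard-coding KB ids.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys"
    $kbs = Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2017-03-14' }
    [pscustomobject]@{
        SrvSysVersion        = $srv.VersionInfo.FileVersion
        UpdatesSinceBulletin = @($kbs | ForEach-Object { $_.HotFixID })
    }
}

function Test-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol   # Windows 8.1 / 10
    }
    # Windows 7: SMBv1 stays enabled unless the SMB1 value exists and is 0.
    $v = (Get-ItemProperty -Path $lanman).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Also remove the optional feature so the driver is never loaded; this is
        # what "turning it off in Windows Features" does. Takes effect after reboot.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

function Block-SmbOnPublicNetworks {
    # Block NetBIOS/SMB ports in both directions, but only on the Public profile,
    # so shares on a trusted LAN keep working. Outbound is blocked too: SMB
    # leaking to the Internet advertises that a host exists.
    $sets = @(
        @{ Name = 'Block-SMB-TCP';     Proto = 'TCP'; Ports = @(139, 445) },
        @{ Name = 'Block-NetBIOS-UDP'; Proto = 'UDP'; Ports = @(137, 138) }
    )
    foreach ($s in $sets) {
        foreach ($dir in 'Inbound', 'Outbound') {
            $name = "$($s.Name)-$dir"
            if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
                if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
                # Inbound rules match the local port, outbound rules the remote port.
                $ports = if ($dir -eq 'Inbound') { @{ LocalPort = $s.Ports } } else { @{ RemotePort = $s.Ports } }
                New-NetFirewallRule -DisplayName $name -Direction $dir -Protocol $s.Proto `
                    -Profile Public -Action Block @ports | Out-Null
            } else {
                $d = if ($dir -eq 'Inbound') { 'in' } else { 'out' }
                $p = if ($dir -eq 'Inbound') { 'localport' } else { 'remoteport' }
                netsh advfirewall firewall add rule "name=$name" "dir=$d" action=block `
                    "protocol=$($s.Proto)" "$p=$($s.Ports -join ',')" profile=public | Out-Null
            }
        }
    }
}

$e = Get-Ms17010Evidence
"srv.sys version: $($e.SrvSysVersion)"
"Updates installed since MS17-010: $($e.UpdatesSinceBulletin -join ', ')"
if (Test-Smb1Enabled) { 'SMBv1 is enabled - disabling it'; Disable-Smb1 } else { 'SMBv1 already disabled' }
Block-SmbOnPublicNetworks
```

The script reports the srv.sys version rather than hard-coding KB numbers; compare it against the file table in the MS17-010 bulletin, and reboot after the SMBv1 change so the driver is actually unloaded.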



## Halo3Addict (May 17, 2017)

Solaris17 said:


> The SMB just prevents the worm from hitting you. even with it enabled if you are patched up you should be fine. However the initial infection can also come from an email.
> 
> Make sure that you are not opening PDFs and other attachments from stuff you know nothing about. A popular attack vector right now is forged UPS/FedEx emails. Didn't order anything? Then you DON'T have a package waiting.



Yes, I've had a few people click on links from UPS/FedEx that led to brute force attacks on our network. Luckily, we only allow 3 login attempts before locking a user out. It's so easy to catch most of these things just by taking the time to look over the details. It's pretty obvious (to me) that I shouldn't be opening anything from fffffffff@domain.com saying I have a package.


----------



## alucasa (May 17, 2017)

Common sense should be renamed to rare sense. If common sense is as common as people claim, half of the world's problems would be gone.


----------



## revin (May 17, 2017)

So I can't get any critical updates to apply since my copy is not activated, is this crypto thing just from a download or email or is it inside of internet sites somehow spreading just thru the browser?
Confused on just how many ways it is infecting..................................
I'm assuming MSE and Comodo CIS 10 is still up to the task of helping to prevent me from infection.
Edit: I tried the disable of SMB, not sure if it is or not


----------



## R-T-B (May 17, 2017)

TheMailMan78 said:


> It's really NOT a big deal. Only thing that made this ransomware famous is the fact its source code came from the NSA via a leak.



More the severity and scale of it.  Surprisingly few of the people I talk to are even aware it came from an NSA leak, and news outlets barely mention it as an aside.

It does illustrate however why stockpiling exploits instead of reporting them is a HORRIBLE idea.



> Someone would have to be scanning obscene IP ranges to find open ports.



This is constantly happening.  Fact:  If your SMB port is exposed to the internet (it is if you haven't blocked it somehow) and you aren't patched, you are going to be infected sooner or later.  It doesn't take THAT long to scan the entire IPv4 port range (probably a week tops).  Black hats pretty much do it regularly.



BiggieShady said:


> Some good advice but nobody mentioned the first line of defense ... use NoScript and AdBlock Plus browser extensions whenever surfing for porn and warez



Good general advice but actually does nothing for this particular bug/exploit.  That's just good common antimalware-in-general advice, not wannacry.


----------



## eidairaman1 (May 17, 2017)

CAPSLOCKSTUCK said:


> i am using IObit Malware Fighter and Defender  .......what else should i do?



Look for a certain patch ms has launched, idk if for 10 but it was so critical they released one for XP users...

I also use spyware blaster alongside MWB, SAS.


----------



## TheMailMan78 (May 17, 2017)

R-T-B said:


> More the severity and scale of it.  Surprisingly few of the people I talk to are even aware it came from an NSA leak, and news outlets barely mention it as an aside.
> 
> It does illustrate however why stockpiling exploits instead of reporting them is a HORRIBLE idea.


I agree to an extent. What's a really horrible idea is letting civilian contractors access to classified info. Stockpiling cyber warfare tools is ok......in the hands of the military or the non-civilian branch of our intelligence agencies.

However if we did that some senator somewhere couldn't get kickbacks from said contractors.

LET THE LEAKS FLOW.


----------



## R-T-B (May 17, 2017)

TheMailMan78 said:


> I agree to an extent. What's a really horrible idea is letting civilian contractors access to classified info. Stockpiling cyber warfare tools is ok......in the hands of the military or the non-civilian branch of our intelligence agencies.
> 
> However if we did that some senator somewhere couldn't get kickbacks from said contractors.



The exploits being stockpiled will be discovered inevitably.  If it's a software-bug type exploit it should be reported to avoid general damage.  Heartbleed wasn't an NSA leak (but the NSA knew about it) and it did a fair bit of financial damage.

I maintain it's just a bad idea.  There are other ways to conduct "cyber warfare" (if we even consider that a legit thing) than stockpiling code exploits.  They will often end up backfiring and hurting you as well as your enemies.

There may be an editorial coming down the pipe on this and WannaCry.  You've been warned.


----------



## eidairaman1 (May 17, 2017)

INSTG8R said:


> I'm wondering if it's still BITS on W7?



Yes Background Intelligence Service
Askwoody.com/infoworld has info on this crap


----------



## R-T-B (May 17, 2017)

eidairaman1 said:


> Yes Background Intelligence Service
> Askwoody.com/infoworld has info on this crap



I'm unsure what BITS (related to Windows Update transfers) has to do with this at all?


----------



## Solaris17 (May 17, 2017)

R-T-B said:


> I'm unsure what BITS (related to Windows Update transfers) has to do with this at all?



it doesnt.


----------



## TheMailMan78 (May 17, 2017)

R-T-B said:


> The exploits being stockpiled will be discovered inevitably.  If it's a software-bug type exploit it should be reported to avoid general damage.  Heartbleed wasn't an NSA leak (but the NSA knew about it) and it did a fair bit of financial damage.
> 
> I maintain it's just a bad idea.  There are other ways to conduct "cyber warfare" (if we even consider that a legit thing) than stockpiling code exploits.  They will often end up backfiring and hurting you as well as your enemies.
> 
> There may be an editorial coming down the pipe on this and WannaCry.  You've been warned.


Have fun but, remember I will nuke it if it's not factual.


----------



## R-T-B (May 17, 2017)

TheMailMan78 said:


> Have fun but, remember I will nuke it if it's not factual.



Opinions can never be factual.  They can however be substantiated.


----------



## TheMailMan78 (May 17, 2017)

R-T-B said:


> Opinions can never be factual.  They can however be substantiated.


My opinions are fact.


----------



## wiyosaya (May 17, 2017)

burebista said:


> Yep, if you're unpatched and have ports UDP 137/138 and/or TCP 139/445 open to Internet.


Absolutely. Firewalls should block traffic to/from these ports and the internet. If the outgoing ports are not blocked, any smb activity will go out to the internet and basically advertise that there is a pc there.


----------



## HTC (May 18, 2017)

Some of the people here are claiming all one needs is to have antivirus and system updates up to date, but these people forget that it's not enough.

Why? Because for the antivirus companies to have "the antidote" for these viruses, they need to be aware they exist in the 1st place and the same can be said about OS vulnerabilities: if the OS manufacturer is not aware of the vulnerability's existence, no updates fix it.

By the time antivirus companies come up with a fix as well as the OS manufacturer, the virus has already spread and, depending on its propagation efficiency, it can affect quite a lot of people / companies before it's stopped, either by an OS patch, antivirus "antidote", whatever else.

Once the OS vulnerability is identified and patched as well as antivirus companies come up with fixes, then *and only then* all one needs is to have antivirus and system updates up to date.


----------



## silkstone (May 18, 2017)

Putting your computer behind a router with a firewall should be all you need. Just ensure that you don't forward more ports than necessary.
Any program that is open to the internet, keep updated.

I have a Raspberry running most of the services I require remote access to and I can't imagine people spending too much time looking for exploits in Raspbian.


----------



## P4-630 (May 19, 2017)

*Windows XP PCs infected by WannaCry can be decrypted without paying ransom
https://arstechnica.co.uk/security/2017/05/windows-xp-wannacry-decryption/*


----------



## RejZoR (May 21, 2017)

As I've concluded from this thread that just got locked:
https://www.techpowerup.com/forums/threads/how-sure-are-you-about-your-av.233457/

People aren't interested in things that work, they want to run with their narrative, even if it's entirely wrong on so many levels it's not even funny anymore.

*For the love of your safety and safety of "neighboring" systems, do the following:*
- Keep your OS fully updated at all times
- Use any FREE antivirus from a reputable vendor that has a good track record in reputable tests like AV-Test and AV-Comparatives
- Use RansomFree (It's free, has zero performance impact and is 100% focused on counter ransomware measures and works as an additional layer to existing AV)

Don't listen to naysayers who constantly whine how god damn clever they are and how much you don't need an AV because they know it better than whole teams of security experts. It costs nothing, has negligible performance impact, but can save you so much time and data. You'll thank me one day.


----------



## silkstone (May 22, 2017)

MBAM also has something called anti-exploit free. I'm not sure how good it actually is, but it uses minimal resources.

There was also not much you could do to protect from WannaCry, apart from having a fully patched system and AV.

https://arstechnica.com/security/20...reason-last-weeks-wcry-worm-spread-so-widely/

This adds support to the claim that no matter how careful you are in your browsing habits, AV is still needed.


----------

