WebVision-It

Just another WebvIsion weblog

GPO DISABLE SMB1 – הגנה מוירוס הכופר

Disable SMBv1 Server with Group Policy:

This will configure the following new item in the registry


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1 REG_DWORD: 0 = Disabled


To configure this using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.

smb3

In the New Registry Properties dialog box, select the following:

  • Action: Create
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  • Value name: SMB1
  • Value type: REG_DWORD
  • Value data: 0

smb2

This disables the SMBv1 Server components. This Group Policy needs to be applied to all necessary workstations, servers, and domain controllers in the domain.

Note: WMI filters can also be set to exclude unsupported operating systems or selected exclusions such as Windows XP.

Caution! Be careful when making these changes on domain controllers where legacy Windows XP or older Linux and 3rd party systems (that do not support SMBv2 or SMBv3) require access to SYSVOL or other file shares where SMB v1 is being disabled.


Disable SMBv1 Client with Group Policy:

To disable the SMBv1 client the services registry key needs to be updated to disable the start of MRxSMB10 and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.

This will update and replace the default values in the following 2 items in the registry


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

Registry entry: Start REG_DWORD: 4 = Disabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation

Registry entry: DependOnService REG_MULTI_SZ: “Bowser”,”MRxSmb20″,”NSI”


Note: The default included MRxSMB10 which is now removed as dependency

To configure this using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.

smb3

In the New Registry Properties dialog box, select the following:

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
  • Value name: Start
  • Value type: REG_DWORD
  • Value data: 4

smb4

Then remove the dependency on the MRxSMB10 that was just disabled

In the New Registry Properties dialog box, select the following:

  • Action: Replace
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
  • Value name: DependOnService
  • Value type REG_MULTI_SZ
  • Value data:
    • Bowser
    • MRxSmb20
    • NSI

Note: These 3 strings will not have bullets (see below)

smb7

The default value includes MRxSMB10 in many versions of Windows, so by replacing them with this multi-value string, it is in effect removing MRxSMB10 as a dependency for LanmanServer and going from four default values down to just these three values above.

Note: When using Group Policy Management Console, there is no need to use quotation marks or commas. Just type the each entry on individual lines as shown above:

Summary

If all the settings are in the same Group Policy Object (GPO), Group Policy Management will show the settings below.

smb6

Testing and Validation

Once these are configured, then allow the policy to replicate and update. As necessary for testing, run gpupdate /force from a CMD.EXE prompt and then review the target machines to ensure the registry settings are getting applied correctly. Also, make sure that SMB v2 or SMB v3 is functioning for all systems in the environment.

SOURCE : https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/

now we need to create a logon script – powershell Script for windows 8/8.1/10 or servers 2012/2012r2/2016

User Configuration

Policies

Windows Settings

Scripts – Logon

add new

script name: powershell.exe

Script Parameters: Set-SmbServerConfiguration -EnableSMB1Protocol $false -force

install linux malware detect lmd On Centos-and-fedora

LMD is not available from online repositories, but is distributed as a tarball from the project’s web site. The tarball containing the source code of the latest version is always available at the following link, where it can be downloaded with:

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Then we need to unpack the tarball and enter the directory where its contents were extracted. Since current version is 1.4.2, the directory is maldetect-1.4.2. There we will find the installation script, install.sh.

# tar -xvf maldetect-current.tar.gz
# ls -l | grep maldetect

Download Linux Malware Detect

Download Linux Malware Detect

If we inspect the installation script, which is only 75 lines long (including comments), we will see that it not only installs the tool, but also performs a pre-check to see if the default installation directory (/usr/local/maldetect) exists. If not, the script creates the installation directory before proceeding.

Finally, after the installation is completed, a daily execution via cron is scheduled by placing the cron.daily script (refer to the image above) in /etc/cron.daily. This helper script will, among other things, clear old temporary data, check for new LMD releases, and scan the default Apache and web control panels (i.e., CPanel, DirectAdmin, to name a few) default data directories.

That being said, run the installation script as usual:

# ./install.sh

Install Linux Malware Detect in Linux

Install Linux Malware Detect in Linux

Configuring Linux Malware Detect

The configuration of LMD is handled through /usr/local/maldetect/conf.maldet and all options are well commented to make configuration a rather easy task. In case you get stuck, you can also refer to/usr/local/src/maldetect-1.4.2/README for further instructions.

In the configuration file you will find the following sections, enclosed inside square brackets:

  1. EMAIL ALERTS
  2. QUARANTINE OPTIONS
  3. SCAN OPTIONS
  4. STATISTICAL ANALYSIS
  5. MONITORING OPTIONS

Each of these sections contains several variables that indicate how LMD will behave and what features are available.

  1. Set email_alert=1 if you want to receive email notifications of malware inspection results. For the sake of brevity, we will only relay mail to local system users, but you can explore other options such as sending mail alerts to the outside as well.
  2. Set email_subj=”Your subject here” and email_addr=username@localhost if you have previously set email_alert=1.
  3. With quar_hits, the default quarantine action for malware hits (0 = alert only, 1 = move to quarantine & alert) you will tell LMD what to do when malware is detected.
  4. quar_clean will let you decide whether you want to clean string-based malware injections. Keep in mind that a string signature is, by definition, “a contiguous byte sequence that potentially can match many variants of a malware family”.
  5. quar_susp, the default suspend action for users with hits, will allow you to disable an account whose owned files have been identified as hits.
  6. clamav_scan=1 will tell LMD to attempt to detect the presence of ClamAV binary and use as default scanner engine. This yields an up to four times faster scan performance and superior hex analysis. This option only uses ClamAV as the scanner engine, and LMD signatures are still the basis for detecting threats.

Important: Please note that quar_clean and quar_susp require that quar_hits be enabled (=1).

Summing up, the lines with these variables should look as follows in /usr/local/maldetect/conf.maldet:

email_alert=1
email_addr=gacanepa@localhost
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits=1
quar_clean=1
quar_susp=1
clam_av=1



Other Short Options

1 – Install maldet

cd /usr/local/src/ && wget http://www.rfxn.com/downloads/maldetect-current.tar.gz && tar -xzvf maldetect-current.tar.gz && cd maldetect-* && sh install.sh

This will automatically install a cronjob inside /etc/cron.daily/maldet so a daily scan will be run for local cPanel or Plesk accounts.
2 – Make sure to update to the latest version and virus signatures:

maldet -d && maldet -u

3 – Run the first scan manually

To scan a specific user’s home directory, run the following command:

maldet -a /home/user

To launch a background scan for all user’s public_html and public_ftp in all home directories, run the following command:

maldet -b –scan-all /home?/?/public_?

(We also recommend you to scan /tmp and /dev/shm/)

4 – Verify the scan report

We recommend you to always read the scan reports before doing a quarantine. You will also be able to identify infected websites for further actions.

List all scan reports time and SCANID:

maldet –report list

Show a specific report details :

maldet –report SCANID

 

Show all scan details from log file:

grep “{scan}” /usr/local/maldetect/event_log

 

5 – Clean the malicious files

By default the quarantine is disabled. You will have to launch it manually.

maldet -q SCANID

clamav – How To

  • Install 
    sudo apt-get install clamav
  • Terminal

    At first you have to update the virus definitions with:

    sudo freshclam
    

    Then you can scan for viruses.

    clamscan OPTIONS File/Folder 
    

    If necessary start with root permissions: sudo clamscan.

    Examples:

    • To check all files on the computer, displaying the name of each file:
      clamscan -r /
      
    • To check all files on the computer, but only display infected files and ring a bell when found:
      clamscan -r --bell -i /
      
    • To scan all files on the computer but only display infected files when found and have this run in the background:
      clamscan -r -i / &
      

      Note – Display background process’s status by running the jobs command.

    • To check files in the all users home directories:
      clamscan -r /home
      
    • To check files in the USER home directory and move infected files to another folder:
      clamscan -r --move=/home/USER/VIRUS /home/USER
      
    • To check files in the USER home directory and remove infected files (WARNING: Files are gone.):
      clamscan -r --remove /home/USER
      
    • To see more options:
      clamscan --help