How are you all handling the malware ambush

egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
at work we had to stay overtime for two hours to deal with the massive malware that broke out on Friday (March 16). Our company has a lot of remote users who had to call in and wait on hold forever to be patched.

was there a working auto-patch deployment that you all implemented for remote user.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+


  • Mike7Mike7 Member Posts: 1,107 ■■■■□□□□□□
    Some suggestions and random thoughts.

    In a previous engagement, we had users who for various reasons ignore Windows's notification to reboot PC for security updates; they either never logoff or just put laptop to sleep or hibernate mode. Some of them require local administrator access due to nature of their work. We had laptops that were almost a year behind for security patches. icon_redface.gif We ended up using group policy to enforce automatic updates and force their PCs to reboot after applying. icon_rolleyes.gif

    Wannacry uses a Mutex. If you create the mutex say via PowerShell, it will not encrypt. Some tools have been released that does this, e.g. and

    You can
    disable SMB1 to prevent worm from infecting those that are not patched. In my previous job, we disabled SMB 1 for all our production servers as a preventive measure. Windows Vista/Server 2008 and higher supports SMB2. If you have Linux boxes, SAMBA 3.6 and higher supports SMB2. And that was in 2015. Even Microsoft gave the same advice in 2016.

    Usual disclaimer applies: The above are suggestions; you need to test and I am not responsible. icon_rolleyes.gif

  • sillymcnastysillymcnasty Member Posts: 254 ■■■□□□□□□□
    Had to stay 2 hours to patch a few machines. bcrypt.dll was the thing we had to make sure was updated.
  • Cisco InfernoCisco Inferno Member Posts: 1,034 ■■■■■■□□□□
    emergency patching of about 2000 servers.

    Thank god I didnt have to :D
    2019 Goals
    CompTIA Linux+
    [ ] Bachelor's Degree
  • PC509PC509 Member Posts: 804 ■■■■■■□□□□
    For WannaCry/WannaCrypt, just some late night patching/rebooting of servers that weren't auto-reboot or needed a last minute patch. SCCM pushed all the other updates out to clients and forced auto-reboot. So, we were good there. Others that are rarely connected to the network were set up and updated.

    Not a bit deal. Nothing was infected. But, we are safe.

    We did get a few hits on the DocuSign thing, though... Still working on that.
  • kuen332211kuen332211 Registered Users Posts: 4 ■□□□□□□□□□
    the following is a video made by me to share how i handle the problem
  • blatiniblatini Member Posts: 285
    kuen332211 wrote: »
    the following is a video made by me to share how i handle the problem

    People pointed out in the other thread but you probably don't want to click this.
  • merc.man87merc.man87 Member Posts: 50 ■■□□□□□□□□
    Disabled SMBv1, lots of patching, temporary suspension of VPN for remote users.
  • TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    Not aware of any issues where I work, they are pretty much on top of patching and when you connect via VPN, it forces your laptop to take patches without even asking you. At work we can usually delay the patching for a few hours if were in the middle of something, but remote users don't have that option. Even the servers are up to date if a computer's OS can't be upgraded for some reason, it's not allowed on the network.
    Still searching for the corner in a round room.
Sign In or Register to comment.