Follow these procedures:
Check if the result is Logged or Blocked
If the result is ‘Logged’, the exploit attempt was only recorded; configure Suspicious Connection Settings and set the action to ‘Block’.
- Log on to the OfficeScan Management Console.
- Go to Agents > Agent Management.
- In the Agent Tree, select the OfficeScan Server/Domain/Computer.
- Go to Settings > Suspicious Connection Settings.
- Set the action to ‘Block’ and then click Apply to All Agents.
Identify the source
For the Relevance Rule Pattern MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT*, if the traffic direction is ‘Incoming’, the source is the ‘Remote IP’; if it is ‘Outgoing’, the source is the local (agent) endpoint. Thus, in the example above, the source is 192.168.10.144.
Patch and clean the source
- Refer to Microsoft Security Bulletin MS17-010 for the patch that corresponds to your operating system. To verify that the patch is installed, refer to this checklist or use our Validation Tool, which also offers the option to disable SMBv1 via the registry as a workaround.
- Clean the source using ATTK (Anti-threat Toolkit). Refer to the section ‘Clean infected computers’.
- Ensure that the source has anti-malware installed.
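As an added example (not Trend Micro's Validation Tool or any code from this article), a PowerShell audit an administrator can run on the identified source host to check whether an MS17-010 update is present and whether SMBv1 has been disabled through the LanmanServer registry value. The KB numbers are my assumption from the bulletin and should be confirmed against MS17-010 for the host's OS.

```powershell
# Added example: audit a host for the MS17-010 patch and the SMBv1 registry workaround.
# Not Trend Micro's Validation Tool. Run from an elevated PowerShell prompt on the source host.
param(
    # KB numbers assumed to correspond to MS17-010 per OS family; confirm against the bulletin.
    [string[]]$Ms17010Kbs = @(
        'KB4012598',                           # XP / Vista / Server 2003 / Server 2008
        'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
        'KB4012214', 'KB4012217',              # Server 2012
        'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
        'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
    ),
    [switch]$DisableSmb1                       # Apply the registry workaround (reboot required)
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Ms17010Status {
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    # Caveat: on Windows 10 / Server 2016 later cumulative updates supersede these KBs, so an
    # empty result there is not proof the fix is missing; check the OS build number instead.
    [pscustomobject]@{
        PatchFound = [bool]$installed
        Kbs        = (@($installed | ForEach-Object HotFixID) -join ',')
    }
}

function Get-Smb1Status {
    $smb1 = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # An absent value means SMBv1 is still enabled by default on older Windows versions.
    $shown = if ($null -eq $smb1) { '<absent>' } else { $smb1 }
    [pscustomobject]@{
        RegistryValue = $shown
        Smb1Disabled  = ($smb1 -eq 0)
    }
}

$patch = Get-Ms17010Status
$smb   = Get-Smb1Status
"{0}: MS17-010 patch found: {1} {2}" -f $env:COMPUTERNAME, $patch.PatchFound, $patch.Kbs
"{0}: SMBv1 registry value: {1} (disabled: {2})" -f $env:COMPUTERNAME, $smb.RegistryValue, $smb.Smb1Disabled

if ($DisableSmb1 -and -not $smb.Smb1Disabled) {
    # Workaround named in the article: disable server-side SMBv1 via the registry.
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    "SMB1 set to 0 under LanmanServer\Parameters; reboot for the change to take effect."
}
```

Run it without switches first to report status only; pass -DisableSmb1 only once you have confirmed nothing on the host still depends on SMBv1.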