MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT appears on the Suspicious Connection logs

Updated: 25 Oct 2018
Product/Version: OfficeScan 11.0, OfficeScan XG.All
Platform: N/A
Summary

Microsoft Security Bulletin MS17-010 was published on March 14, 2017 to address multiple vulnerabilities in Microsoft Server Message Block 1.0 (SMBv1). The most severe of these vulnerabilities could allow remote code execution (RCE).

RCE describes an attacker’s ability to execute commands of their choice on a remote computer from another computer. An attacker who exploits an RCE vulnerability can potentially take full control of the vulnerable computer.

Trend Micro provides counterpart Relevance Rule patterns for these vulnerabilities to protect against network exploitation. A Relevance Rule pattern contains the “network fingerprints” of highly prevalent malware.

Pattern Name                                        Related Vulnerability
MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT_NC_      CVE-2017-0145, CVE-2017-0146, CVE-2017-0147
MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT-2_NC_    CVE-2017-0144
MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT-3_NC_    Detects generic network traffic related to MS17-010
Details

Follow these procedures:

Check if the result is Logged or Blocked

If the result is ‘Logged’, configure the Suspicious Connection Setting and set the action to ‘Block’.

  1. Log on to the OfficeScan Management Console.
  2. Go to Agents > Agent Management.
  3. In the Agent Tree, select the OfficeScan Server/Domain/Computer.
  4. Go to Settings > Suspicious Connection Settings.
  5. Set the action to ‘Block’ and then click Apply to All Agents.

For malware network fingerprinting, the ‘Block’ action is not available on OfficeScan 11.x. Upgrade to OfficeScan XG to be able to block this traffic.

Identify the source

For the Relevance Rule Pattern MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT*, if the traffic direction is ‘Incoming’, the source is the ‘Remote IP’; if the direction is ‘Outgoing’, the source is the local endpoint (the agent that generated the log). Thus, in the example above, the source is 192.168.10.144.

Patch and clean the source

  1. Refer to Microsoft Security Bulletin MS17-010 for the patch corresponding to your operating system. To verify whether the patch is installed, refer to this checklist.

     You can also use our Validation Tool to verify whether the patch is installed. It also provides the option to disable SMBv1 via the registry as a workaround.
  2. Clean the source using ATTK (Anti-Threat Toolkit). Refer to the section ‘Clean infected computers’.
  3. Ensure that the source has anti-malware software installed.
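As an added example (this is not Trend Micro’s Validation Tool), the following PowerShell script performs the same two checks step 1 describes on the suspected source host: it reports whether an MS17-010 update is installed and whether the SMBv1 server is enabled, and optionally applies the registry workaround. The KB identifiers are assumed from the MS17-010 bulletin and should be confirmed there; run the script from an elevated prompt.

```powershell
# Added example: MS17-010 exposure check for the local Windows host.
# Assumption: the KB list below is taken from the MS17-010 bulletin; confirm it there.
param(
    [switch]$DisableSmb1   # apply the SMBv1 registry workaround if set
)

# Security-only and monthly-rollup updates shipped with MS17-010 (March 2017).
# A host patched only by a later cumulative update will not list any of these,
# so treat "not found" as "unverified", not as "unpatched".
$Ms17010Kbs = @('KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')

$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    "No MS17-010 KB reported by Get-HotFix; verify with the bulletin checklist (a later cumulative update may supersede these KBs)."
}

# SMBv1 server state. The LanmanServer 'SMB1' value is the registry switch Microsoft
# documents for the workaround: absent or 1 means enabled, 0 means disabled.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $paramKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$smb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)
"SMBv1 server enabled (registry): $smb1Enabled"

# On Windows 8.1 / Server 2012 R2 and later the SMB cmdlets give the authoritative answer.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    "SMBv1 server enabled (cmdlet):   $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
}

if ($DisableSmb1 -and $smb1Enabled) {
    # Workaround only: clients that can speak only SMBv1 will lose access; the patch is the fix.
    Set-ItemProperty -Path $paramKey -Name SMB1 -Type DWord -Value 0
    "SMBv1 disabled in the registry; restart the host for the change to take effect."
}
```

Re-run the script after patching and rebooting to confirm the host no longer appears as the source of further MS17-010 Suspicious Connection logs.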
Category: Remove a Malware / Virus
Solution Id: 1121399