Why not deal with the root cause by disabling SMBv1 where possible across
your Windows assets?

Enhance your IDS and IPS at edge network and internal network to detect
attack signatures of malware spread and update your AV sigs.

Can use an nmap script to look for SMBv1-enabled hosts via Lua scripts to
scan your internal hosts to understand the population of assets that are
vulnerable to exploitation.

Food for thought.

Ed

On Jun 28, 2017 10:11 AM, "James Rankin" <ja...@htguk.com> wrote:

> Have you got a filter applied? You may need to add Domain Computers to it
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Michael Leone
> *Sent:* 28 June 2017 14:13
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Using GPP to fight Petya
>
>
>
> So I'm confused. Looking at this page:
>
>
>
> https://www.binarydefense.com/petya-ransomware-without-fluff/
>
>
>
> Shows using GPP to create a file "c:\windows\perfc.dat". Apparently, if
> this file exists, the malware stops (yes, I know that there will be a
> variant Real Soon Now that avoids this).
>
>
>
> So I made this change:
>
>
>
> Computer\Preferences\Windows Settings\Files
>
>
>
> And followed the web page ("update", copy windowsupdate.log to
> "c:\windows\perfc.dat", make it read-only). Did all this on a testing GPO I
> keep around for this purpose.
>
>
>
> Doing Group Policy Modeling Wizard, I see this being applied as a setting
> to my test VM. Yet when I go and look in c:\windows, I don't see the
> file. Nor do I see that setting in "gpresult /r /v".
>
>
>
> What have I done wrong?

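An added example, not part of any message in this thread: a PowerShell audit that reports, per host, whether the `c:\windows\perfc.dat` marker file discussed above actually landed and is read-only, and whether the SMBv1 server is still enabled. The host names are hypothetical placeholders, and the script assumes PowerShell remoting is enabled on the targets.

```powershell
# Added example: audit hosts for the perfc.dat marker file and SMBv1 server state.
# The default host names are constructed placeholders; pass your own inventory.
param(
    [string[]]$Computers = @('TESTVM01', 'TESTVM02')   # hypothetical names
)

$check = {
    # Marker file from the thread: %windir%\perfc.dat, expected to be read-only.
    $marker = Join-Path $env:windir 'perfc.dat'
    $file   = Get-Item -LiteralPath $marker -Force -ErrorAction SilentlyContinue

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the SMB server configuration.
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older systems: registry value SMB1 under LanmanServer\Parameters.
        # A missing value means SMBv1 is enabled (the default).
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val  = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1 = ($null -eq $val) -or ($val -ne 0)
    }

    # New-Object keeps the block usable on hosts still running PowerShell 2.0.
    New-Object PSObject -Property @{
        MarkerPresent  = [bool]$file
        MarkerReadOnly = [bool]($file -and $file.IsReadOnly)
        Smb1ServerOn   = [bool]$smb1
    }
}

foreach ($c in $Computers) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $check -ErrorAction Stop |
            Select-Object PSComputerName, MarkerPresent, MarkerReadOnly, Smb1ServerOn
    } catch {
        # Unreachable hosts are reported rather than silently skipped.
        New-Object PSObject -Property @{
            PSComputerName = $c
            MarkerPresent  = $null
            MarkerReadOnly = $null
            Smb1ServerOn   = "unreachable: $($_.Exception.Message)"
        } | Select-Object PSComputerName, MarkerPresent, MarkerReadOnly, Smb1ServerOn
    }
}
```

A host that shows `MarkerPresent = False` after a policy refresh is one where the GPP Files item did not apply, which is the symptom described in the original question.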