• Patch lady – Scanners and SMBv1

    #184960

    So if your older scanner suddenly doesn’t work consider this:  In 1709 if you did an in place upgrade, you retain the SMBv1 in your networking configu
    [See the full post at: Patch lady – Scanners and SMBv1]

    Susan Bradley Patch Lady

    5 users thanked author for this post.
    • #184967

      Hey Susan,

      Most useful – many thanks for picking this up.

      I actually did spot it a couple of times in the Event Log so two probably very silly questions from me:

      * how do I find out which device still uses SMBv1 and (assumingly) makes Windows 10 1709 re-add it every now and then? I own only a few of such beasts at home:

      1. old-ish Vista laptop
      2. new-ish 8.1 laptop
      3. new-ish HP network printer
      4. new-ish personal network cloud device?

      * how do I disable this process completely and ensure that SMBv1 does not get reinstated at all?

    • #185000

      Barb Bowman just tweeted:

      https://twitter.com/barbbowman/status/985848319116275712

      I believe is still maintaining the list at   of bad actors requiring SMB1

      2 users thanked author for this post.
    • #185003

      Thanks Woody

      Have some idea now what seems to be triggering this unexpected and unwanted install as I forgot about my broadband monitor (courtesy of Samknows) that – I think – uses customised TP-Link hardware.

      Will check later today and follow up with vendor.

    • #185030

      Here’s the command that runs, which includes the location of the script (on Windows 10 machines).

      [*COMMAND*] & C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client

      I noticed after I let it run on my machine the disable unused smb1.ps1 file is removed from that location.

      Microsoft is also running another script related to Microsoft Office. I plan on posting in the MS Office forums when I get a chance as quite frankly I’m not sure what it’s doing and I’m sure someone here can let us know.

      DisableUnusedSmb1.ps1 -Scenario Client  is the full command.

      Red Ruffnsore

    • #185054

      My printer/scanner is alright. Just tested it and it’s working fine.

    • #185057

      SMB1 is a potential vulnerability only if your Windows Networking is accessible directly to systems on the Internet (not typical if you have a NAT router), or can potentially have untrustworthy systems on your LAN/wifi (which could include transitory things like laptops, phones, TV devices, IOT boxes, etc.).

      I guess there’s also the possibility that one of the several IPv6 tunneling protocols could be exposing Windows Networking to systems abroad. I haven’t really looked into the specifics of what passes through because I simply don’t leave tunneling enabled.

      IOT, LOL… I see that our HP networked printer tries from time to time to connect to servers online. And it tries to make Windows Networking connections to my Windows systems. Suspicious much? All are blocked, and yet lo and behold I can still print out tax forms. And aw, poor HP doesn’t get minute by minute notifications of whether I’m using refilled ink cartridges, or other things about my LAN…

      -Noel

      3 users thanked author for this post.
    • #185058

      Yeh, I have an old Intel RAID NAS box stuffed with enterprise drives that I occasionally use for non-critical, off-line storage. It requires SMBv1 and will never receive a firmware update, so I enable/disable SMBv1 via batch file as required.

      I hadn’t thought about the Epson photo/slide scanner (thanks, Sue). Just checked and it seems to be OK as is an older, networked HP laser printer as currently configured.

      I hate to discard serviceable hardware because … well, I’m a money miser.

      – Carl –

      1 user thanked author for this post.
    • #185093

      So 15 days after SMBv1 on the client is not used, the system will send a dism command to disable SMBv1.

      If suddenly your clients or you can’t scan to computer or scan to share, see if you can spot this in your event log…

      Speaking of A.I. and built-in intelligence… wouldn’t it be an awfully nice gesture if the OS sent the user a warning before making system changes and sending users on a wild goose chase?

      1 user thanked author for this post.
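
      For the question raised earlier in the thread (which device still talks SMBv1) and the event-log check mentioned in the post above, here is an added PowerShell example; it is not from any poster or from Microsoft's DisableUnusedSmb1.ps1. It uses the standard SmbShare and DISM cmdlets from an elevated prompt, and the "Client Address:" pattern used to parse event text is an assumption about the message layout.

      ```powershell
      # Added example: audit SMBv1 state and usage on a Windows 10 machine.
      # Run from an elevated PowerShell prompt.

      # 1. Is the SMBv1 optional feature (and its client/server parts) present?
      Get-WindowsOptionalFeature -Online |
          Where-Object FeatureName -like 'SMB1Protocol*' |
          Select-Object FeatureName, State

      # 2. Server side: is SMBv1 accepted, and is SMBv1 access being audited?
      $cfg = Get-SmbServerConfiguration
      $cfg | Select-Object EnableSMB1Protocol, AuditSmb1Access
      if (-not $cfg.AuditSmb1Access) {
          # Auditing only logs SMBv1 access; it does not block anything.
          Set-SmbServerConfiguration -AuditSmb1Access $true -Force
      }

      # 3. Inbound: devices that connected TO this machine using SMBv1.
      #    Audit hits are written as event 3000 once auditing is on.
      $hits = Get-WinEvent -FilterHashtable @{
          LogName = 'Microsoft-Windows-SMBServer/Audit'
          Id      = 3000
      } -ErrorAction SilentlyContinue   # no events yet is not an error here

      $hits | ForEach-Object {
          # Assumption: the message text carries a "Client Address: <ip>" line.
          if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
          else { 'unparsed' }
      } | Group-Object | Sort-Object Count -Descending |
          Select-Object @{ n = 'Client'; e = { $_.Name } }, Count

      # 4. Outbound: shares THIS machine currently has open over SMBv1
      #    (an old NAS, a scan-to-folder target). Only live connections
      #    are listed, so browse to the device first, then run this.
      Get-SmbConnection |
          Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
          Select-Object ServerName, ShareName, UserName, Dialect
      ```

      Leave auditing on for a few days of normal use before reading step 3; an empty result in both steps 3 and 4 over that period means nothing on the LAN is exercising SMBv1 against this machine.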
      • #185095

        As the saying goes: Artificial intelligence, natural stupidity.

        Carpe Diem {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox115.0b1 MicrosoftDefender
        1 user thanked author for this post.
    • #185154

      I had to keep SMB1 enabled on both my home network and the office network since we had issues with older printers, and since we had issues with computers not being able to see other computers on the networks. Fortunately, we use the same antivirus software both at home and at the office. The antivirus software has features which prevent any unauthorized processes from running, and also which prevent any unauthorized program or process from modifying data on protected partitions and folders which we specify. And of course both my home network and the office network are behind routers with NAT and with no other pass-throughs since we don’t allow PPTP or any other hokey stuff.

      The upshot is that if you really need to have SMB1 enabled on your network, then look for antivirus solutions which are up to snuff in terms of preventing ransomware and 0-day attacks against protected data storage locations on your network. I am sure that there are some good experts here in this regard, yet I ain’t one of them. We learned the hard way about ransomware and about the stupidity of failing to perform regular backups when we were hit with CryptoLocker in January 2014. We had to pay the ransom, and luckily over 99% of everything got decrypted. That took a while — nearly all weekend.

      And on one final note, office employees should always shut down their computers every day before they leave. Why? Because the computer that is running could be the computer that is encrypting — unbeknownst to everyone. Most ransomware shuts down when the computer is shut down or rebooted, and will display the ransom message upon restart.

    • #186081

      Hey Y’all,

      I had my home network go bonkers last evening. I couldn’t connect to any machine from any machine, all running Win 10 1709 using Advanced sharing to Authenticated Users Only.

      I had turned off SMBv1 the other day after I got a firmware upgrade from WD for my MyBookLive and everything was working fine until last night.

      I was going a little nuts at 01:00 this morning when I just went to bed. When I got up this morning I remembered the SMBv1 setting so decided to turn it back on to see if it fixed the problem and lo and behold we have network!

      So what changed? I can’t see anything in Windows update log.

      Anyone else seeing this?

      OOPS! Just saw KBs 4093112 & 4090913 installed yesterday on my main box. Must have happened when I wasn’t looking! They, however, are not installed on my test box or my spouse’s machine.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!