Overview:
Wannacrypt is a ransomware attack mainly targeting Windows XP, Windows 7 and Windows 8 machines. The malware spread due to a SMBv1 vulnerability and has the capability to scan other vulnerable external and internal hosts. If successful, it will attempt to implement a backdoor and install the malware.
Recommendations:
- Pulse Secure recommends to review Microsoft's guidance about the attack and how to stay protected.
- Organizations should take steps to ensure all Windows devices are fully patched, including MS17-010.
- SMB ports (139 and 445) are blocked from all externally accessible hosts. If the patch cannot be applied, organization should consider disabling SMBv1 until the patch can be deployed.
Q: Can Host Checker detect if an endpoint is infected by the malware?
A: No. Pulse Secure recommends to contact your anti-virus or malware vendor for information about detection of the malware. However, Host Checker can help enforce certain anti-virus vendors are installed and ensure the latest virus definition list and a recent system scan is performed. For more information, please refer to
admin guide.
Q: Can Host Checker detect if the specific MS17-010 patch is installed?
A: No. The current patch management solution (in PCS 8.1RX / PPS 5.1RX and above) will detect if there are any missing patches. If a patch is available on Windows Update, WSUS or SCCM and the patch is not installed on the endpoint, the patch management policy will fail. The patch management solution provided previously in PCS 8.0RX / PPS 5.0RX did have this feature, but this solution was deprecated on September 2016. For more information about the deprecation, please refer to
TSB16374 - Updated: Software Deprecation Announcement - Patch Assessment Support.
Q: Can Host Checker detect if a Windows endpoint is fully patched? If not, can access be denied?
A: Yes.
This policy will enforce if any missing patches are detected for the applicable patch management software. When creating a patch management rule, the administrator will have following options:
- Microsoft Windows AutomaticUpdate (7.x): This option should be selected for endpoints utilizing the standard, built-in Windows Update.
- Microsoft Windows Update Agent (10.x): This option should be selected for Windows 10 endpoints utilizing a corporate Windows Server Update Service (WSUS).
- Microsoft Windows Update Agent (7.x): This option should be selected for Windows 7 and 8 endpoints utilizing a corporate Window server Update Service (WSUS).
- System Center Configuration Manager (4.x): This option should be selected if SCCM 4.X is utilized.
- System Center Configuration Manager (5.x): This option should be selected if SCCM 5.X is utilized.
Note: Leave the default options for severity (Critical and Important) and category (Security Update, Critical Update, Regular Update, and Driver Update) selected.
Q: If the endpoint fails the patch management policy, can host checker force a patch update?A: Patch remediation support is provided only using Microsoft’s SMS/SCCM clients.
Q: If the patch cannot be deployed and SMBv1 is disabled, is there any negative impact for Pulse Connect Secure and Pulse Policy Secure users?
A: Prior to disabling SMBv1, customers utilizing active directory authentication server and file share features should review the applicable KB's.
