
Looking to Download VAST to Root Out SMBv1? Try This Alternative

What is SMBv1?

SMB is an application-layer network protocol used mainly to provide shared access to files, printers, and serial ports, and for miscellaneous communications between nodes on a network. Microsoft has implemented three versions of SMB over the years; SMBv2 and SMBv3 are much more secure than SMBv1.

Many ransomware and cryptocurrency-mining malware variants spread from computer to computer by exploiting critical vulnerabilities in Microsoft’s implementation of SMB version 1. Microsoft recently announced that its security visualization tool (VAST) can report on SMBv1 activity. This is in response to demand from network and security managers who want to find out whether SMBv1 is still active on their networks. However, before you download VAST, let’s take a look at the alternatives.

How to root out SMBv1 from your network. Should you download VAST or use an alternative?

There are two primary ways to detect SMBv1 activity on your network: you can either use log files or analyze the network traffic going to and from your file servers. Log files require changes on your file servers, because you will need to increase the logging level to capture SMBv1 events. Traffic analysis is passive and has no performance or storage impact on your servers, but you do need to set up a SPAN or mirror port.

Using log files to detect SMBv1

At the end of March 2018, Microsoft unveiled Project VAST, the Visual Auditing Security Tool (VAST). It uses Windows event logs as a data source and Azure Log Analytics to filter on EventID 3000, which is logged each time a client attempts to access the server using SMB1. You do need to enable auditing on every file server using the command below, and this approach does not work for non-Windows devices such as NAS units.

```powershell
# Read the list of file servers (one hostname per line) and turn on SMB1 access auditing on each
$computers = Get-Content "c:\SMB_computers.txt"
foreach ($computer in $computers) {
    Invoke-Command -ComputerName $computer -ScriptBlock {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    }
}
```

The image below shows an example of these events. You could check for these events manually if you only have a single file server, but you will be better off using a separate application to do this job if you have multiple servers.

SMBv1 EventID 3000. Download VAST if you need a tool to filter these events in a report

Using network traffic analysis to detect SMBv1

A more passive approach to detecting SMBv1 involves network traffic analysis. To get a data source you need to monitor the network traffic going to and from any file server or network attached storage device. This is easy to set up, as all managed switches have a feature called SPAN ports or port mirroring.

The image below shows a typical setup. A copy of the traffic passing through the core switch is sent to the monitoring port. You connect your traffic analysis application or device to this port, and it checks the file share traffic for SMBv1 activity.

Capturing SMBv1 activity from network traffic

If you host your file servers on virtual platforms such as VMWare ESX you don’t need the SPAN or mirror port; you can monitor the traffic within the virtual environment by setting up a special virtual port group. We have a couple of videos on this page which describe the setup process.

The image below shows a sample report from our LANGuardian system which can be used to detect SMBv1 activity. It also integrates with Active Directory so you can also see the associated username.
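To make the "checks the file share traffic for SMBv1 activity" step concrete, here is an added example (not LANGuardian code or anything from the original post) that classifies the first client request of a TCP/445 flow by its SMB header magic (0xFF "SMB" for SMBv1, 0xFE "SMB" for SMB2/3) and pulls the offered dialects out of an SMB1 Negotiate request. The sample flows and IP addresses are constructed, not captured traffic.

```python
import struct

# Magic bytes at the start of every SMB message (after the NetBIOS session header)
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_NEGOTIATE = 0x72  # SMB_COM_NEGOTIATE

def strip_nbss(payload):
    """Remove the 4-byte NetBIOS Session Service header used on TCP/445; return the SMB message."""
    if len(payload) < 4 or payload[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    return payload[4:4 + int.from_bytes(payload[1:4], "big")]

def smb1_dialects(msg):
    """Dialect strings offered in an SMB1 Negotiate request; empty for any other SMB1 command."""
    if msg[4] != SMB1_NEGOTIATE:  # command byte sits at offset 4 of the 32-byte SMB1 header
        return []
    params_end = 33 + 2 * msg[32]  # WordCount at offset 32, followed by that many 16-bit words
    byte_count = struct.unpack_from("<H", msg, params_end)[0]
    data = msg[params_end + 2:params_end + 2 + byte_count]
    # each entry is a 0x02 buffer-format byte followed by a NUL-terminated ASCII string
    return [c[1:].decode("ascii", "replace") for c in data.split(b"\x00") if c.startswith(b"\x02")]

def classify(payload):
    """Classify one client-to-server TCP/445 payload as SMBv1, SMBv2/3 or unknown."""
    msg = strip_nbss(payload)
    if msg.startswith(SMB1_MAGIC):
        return {"version": "SMBv1", "command": msg[4], "dialects": smb1_dialects(msg)}
    if msg.startswith(SMB2_MAGIC):  # SMB2 header: 16-bit Command field at offset 12
        return {"version": "SMBv2/3", "command": struct.unpack_from("<H", msg, 12)[0], "dialects": []}
    return {"version": "unknown", "command": None, "dialects": []}

def smbv1_clients(flows):
    """(client, server, dialects) for every flow whose first request is SMBv1."""
    seen = [(c, s, classify(p)) for c, s, p in flows]
    return [(c, s, i["dialects"]) for c, s, i in seen if i["version"] == "SMBv1"]

def build_smb1_negotiate(dialects):
    """Constructed sample: minimal SMB1 Negotiate request wrapped in a NetBIOS session header."""
    header = SMB1_MAGIC + bytes([SMB1_NEGOTIATE]) + bytes(27)  # 32-byte header, other fields zeroed
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    msg = header + bytes([0]) + struct.pack("<H", len(data)) + data  # WordCount=0, ByteCount, dialects
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

# Constructed sample flows (client IP, server IP, first request payload), not real captures
SMB2_NEGOTIATE = b"\x00" + (64).to_bytes(3, "big") + SMB2_MAGIC + struct.pack("<HHIH", 64, 1, 0, 0) + bytes(50)
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.50", build_smb1_negotiate(["NT LM 0.12"])),
    ("192.0.2.11", "192.0.2.50", SMB2_NEGOTIATE),
    ("192.0.2.12", "192.0.2.51", build_smb1_negotiate(["NT LM 0.12", "SMB 2.002"])),
]
```

Running `smbv1_clients(SAMPLE_FLOWS)` reports the two SMBv1 clients and ignores the SMB2 one; a client that only offers "NT LM 0.12" has no SMB2 fallback and is the kind of device the closing questions below are about.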

Make sure you look at alternatives before you download VAST or similar log analysis tools. Will it be easier to monitor the traffic than make changes on your servers? Do you have any file sharing devices that don’t have logging capabilities?