Endpoint Protection

  • 1.  Need to block SMBv1 protocol

    Posted Aug 13, 2018 03:58 PM

    Hello All,

     

    We have a requirement of Blocking SMBv1 Protocol from SEP Level.

    Currently we are blocking SMBv1 from Windows Group Policy while allowing SMBv2 (More Secure).

    Issue is that we have a lot of machines that are not part of our domain, and hence do not get Group policies.

     

    We would like to block SMBv1 while keeping SMBv2 open from SEP client level itself.

    They do use the same port 445, so not sure how to get this done.


    Any Help would be appreciated.

     

    Thanks

    AJ



  • 2.  RE: Need to block SMBv1 protocol

    Posted Aug 13, 2018 07:40 PM

    All versions of SMB use the same ports to communicate, so if you block the ports it affects each version of SMB. Unless you have a next-gen firewall that can block at the application layer, disabling SMBv1 via GPO is the way to go.



  • 3.  RE: Need to block SMBv1 protocol

    Posted Aug 14, 2018 04:00 AM

    As an alternative, and as some of your machines have SEP but are not part of the domain, you might be able to use a HI policy to apply the reg changes to disable SMBv1, as a potential way of accomplishing your goal.

    Obviously, this kind of change is beyond what SEP was designed for, so you'd need to come up with something of your own, but might be worth a shot!



  • 4.  RE: Need to block SMBv1 protocol

    Posted Aug 14, 2018 06:29 AM

    If you know how to write custom IPS signatures (based on Snort syntax), you can use that feature of SEP to block specific packets for SMBv1.
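
The replies about application-layer firewalls and custom IPS signatures rely on SMBv1 and SMBv2 being distinguishable on the wire even though both use port 445. The following is an added example, not part of the thread and not SEP signature syntax: it classifies a TCP/445 payload by its SMB protocol magic and flags the SMBv1 negotiate request that also offers SMB2 dialects. Function names and sample payloads are constructed for illustration.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC, SMB3_TRANSFORM_MAGIC = b"\xffSMB", b"\xfeSMB", b"\xfdSMB"
SMB1_COM_NEGOTIATE = 0x72   # command byte that follows the 4-byte SMB1 magic
SMB1_HEADER_LEN = 32

def smb1_dialects(msg):
    """Dialect names offered in an SMB1 NEGOTIATE request."""
    body = msg[SMB1_HEADER_LEN:]
    if len(body) < 3 or body[0] != 0:          # WordCount is 0 in a request
        return []
    (byte_count,) = struct.unpack_from("<H", body, 1)
    entries = body[3:3 + byte_count].split(b"\x00")
    # each entry: 0x02 format byte, then the NUL-terminated dialect name
    return [e[1:].decode("ascii", "replace") for e in entries if e[:1] == b"\x02"]

def classify(payload):
    """Classify one TCP/445 payload that starts at a message boundary."""
    if len(payload) < 8 or payload[0] != 0:    # direct-TCP header: 0x00 + 24-bit length
        return "not-smb"
    length = int.from_bytes(payload[1:4], "big")
    msg = payload[4:4 + length]
    if msg[:4] in (SMB2_MAGIC, SMB3_TRANSFORM_MAGIC):
        return "smb2+"
    if msg[:4] != SMB1_MAGIC:
        return "not-smb"
    if len(msg) > 4 and msg[4] == SMB1_COM_NEGOTIATE and any(
            d.startswith("SMB 2.") for d in smb1_dialects(msg)):
        return "smb1-negotiate-offering-smb2"  # 0xFF magic, but client can speak SMB2
    return "smb1"

# --- constructed sample payloads (not captured traffic) ---
def frame(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def smb1_negotiate(dialects):
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + bytes(SMB1_HEADER_LEN - 5)
    return frame(header + b"\x00" + struct.pack("<H", len(data)) + data)

SAMPLES = {
    "legacy": smb1_negotiate(["NT LM 0.12"]),
    "multi": smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
    "smb2": frame(SMB2_MAGIC + struct.pack("<H", 64) + bytes(58)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

A rule that matches only the 0xFF magic also matches the `multi` case, so test any such signature against clients that still have SMBv1 enabled before rolling it out.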



  • 5.  RE: Need to block SMBv1 protocol

    Posted Aug 14, 2018 09:47 AM

    Thanks Brian. That's kinda where I was stuck at. Good to have a second opinion.

     

    SMLatCST - I will check on that solution. Not sure how I would go about it, but I will try.

     

    It's a shame that other products can do it, but not SEP.

    One of our sister companies uses Trend Micro and is able to block just SMBv1 while keeping SMBv2 open. Hopefully Symantec has such capabilities in their road map.