I should start by saying that I always keep Windows’ Task Manager and Resource Monitor open as soon as I start my PC, so I can see suspicious processes & connections immediately, and to get a feeling for which processes are “normal” etc.
I’ve been doing that for months already, but only about 2 weeks ago Windows’ Powershell suddenly started to be automatically executed exactly 20 minutes after I turn on my PC, every time (seems to be a scheduled task), and after that keeps being executed in certain intervals. It’s not visible on the desktop, and only sometimes visible in Task Manager for a split second, but Resource Monitor shows what files it accesses for about half a minute or so.
Of course that really worried me because it had never happened before and could be caused by all kinds of things, but since I saw the Powershell access some Avast .dll & .log files, I thought it may be a new Avast function or something, so I came here to ask if that is the case? Here you can see some of the files that are being accessed, Avast files highlighted: https://i.imgur.com/VUUF96b.png
So is that actually an Avast (or Windows?) function, or do I need to be worried?
I think I found the scheduled task that causes this, it seems to be Microsoft\Windows\SMB\UninstallSMB1ClientTask, since that one actually does start a Powershell and shows that it has run every 20 minutes, which matches what I always see in Resource Monitor (even though it’s not always visible every 20 minutes there).
What I don’t understand is, if that’s actually some kind of “uninstall” thing for SMB1, why does it have to run daily and every 20 minutes? That doesn’t make much sense to me. Does anyone have any info on that?
The additional “arguments” of that scheduled task say: -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& %windir%\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
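A way to check the task described in the post above from the defender's side, added here as an example and not posted by anyone in the thread: it reads the task's action and triggers with the ScheduledTasks cmdlets, shows when it last ran, and verifies the Authenticode signature of the script at the path quoted in the arguments. It assumes Windows 10 with Windows PowerShell 5.1 and an elevated prompt; the task and script names come from the post, everything else is standard cmdlets.

```powershell
# Added example (not from the thread): inspect the scheduled task named above and
# verify that the script it launches carries a valid Microsoft signature.
# Assumes an elevated Windows PowerShell 5.1 prompt on Windows 10.
$taskPath = '\Microsoft\Windows\SMB\'
$taskName = 'UninstallSMB1ClientTask'

$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop
$info = $task | Get-ScheduledTaskInfo

# What the task executes and with which arguments (compare with the post above).
foreach ($action in $task.Actions) {
    "Execute : $($action.Execute)"
    "Args    : $($action.Arguments)"
}

# How often it fires: each trigger's start time and repetition settings.
foreach ($trigger in $task.Triggers) {
    "Trigger : $($trigger.CimClass.CimClassName) start=$($trigger.StartBoundary) " +
    "repeat=$($trigger.Repetition.Interval) duration=$($trigger.Repetition.Duration)"
}

"LastRun : $($info.LastRunTime)  result=$($info.LastTaskResult)  next=$($info.NextRunTime)"

# The script path from the task arguments, expanded from %windir%.
# A legitimate copy is signed by Microsoft; an unsigned or differently signed
# file at this path is what would justify a closer look.
$scriptPath = Join-Path $env:windir 'System32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1'
if (Test-Path $scriptPath) {
    $sig = Get-AuthenticodeSignature -FilePath $scriptPath
    "Signature: $($sig.Status)"
    "Signer   : $($sig.SignerCertificate.Subject)"
} else {
    "Script not found at $scriptPath"
}
```

The LastTaskResult value is 0 when the last run completed normally; a trigger with a Repetition.Interval of PT20M matches the 20-minute cadence seen in Resource Monitor.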
Strange that this is a default setting on a fully up to date version of win10 Home 64bit; if it is such a risk, surely Microsoft should have disabled it?
Microsoft even stated that if you’re using the latest version, this SMB1 would already be unchecked. It was not. I unchecked it manually.
As kwiq stated, MS has released a patch that fixes the vulnerability. All you need to do is apply the patch.
Thanks for the link, strange that on my win10 laptop, it has supposedly had all of the Program Updates and the patch Tuesday updates, yet this SMB was still present.
I manually removed it using the Programs and Features > Turn Windows Features on or off, as in Bob's image, and it required a reboot afterwards.
Looking at the Security bulletin from 10/11/2017, it doesn’t mention windows version 1803 as that wasn’t out then. The latest version listed in the bulletin for win10 64bit was ‘Windows 10 Version 1607 for x64-based Systems.’ The Win 10 Creators Update, Windows version 1703 came after that plus Version 1709, plus Version 1803 all very large Windows Program updates, yet this setting survived that.
So I don’t know if running that old Security update retrospectively would be wise on a later windows 10 version/s?
As in, could it have an unforeseen impact with anything else that might be reverted?
Or would the manual removal using the Programs and Features > Turn Windows Features on or off be sufficient, certainly for this vulnerability?
I have no problem with having done the manual side of it, removing the feature as in your image.
I just didn’t want to run an OLD security bulletin when there has been two or more major program updates since then and how this might impact on later program version already updated. We don’t know exactly what Microsoft might have done in this security bulletin (other than what we did manually), we are meant to trust them.
They, Microsoft, have said it should have removed/unchecked the SMB feature, yet both you and I have found that it is/was still enabled; trust is a double edged sword.
I didn’t have a clean 1803 install, it was upgraded from 1709, and yes, this SMB1 feature was also activated for me - I just disabled it. I have no idea if that will stop the Powershell stuff, I’ll let you know when I find out. However the second entry on bob3160’s image (“SMB Direct”) is also enabled, it says it’s for SMB 3.x. Should I disable that too or is it necessary for certain things to function? On bob's image it’s also disabled.
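The manual step described in the posts above ("Turn Windows features on or off") can be verified and repeated from PowerShell; the following is an added example, not something posted in the thread. It reports the state of the SMB1 optional features and of the separate server-side SMB1 switch, and with -Disable removes the SMB1 components. The feature names SMB1Protocol, SMB1Protocol-Client, SMB1Protocol-Server and SmbDirect are the standard Windows 10 optional-feature names; SmbDirect is only reported, not changed, since the thread itself says it belongs to SMB 3.x. Assumes an elevated Windows PowerShell 5.1 prompt.

```powershell
# Added example (not from the thread): show and optionally disable SMB1 on Windows 10.
# Save as Check-Smb1.ps1 and run elevated; add -Disable to actually remove SMB1.
param([switch]$Disable)

# Optional-feature names: the SMB1 parent and its client/server children, plus
# SMB Direct (SMB 3.x RDMA transport) purely for reporting.
$features = 'SMB1Protocol', 'SMB1Protocol-Client', 'SMB1Protocol-Server', 'SmbDirect'

foreach ($name in $features) {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    if ($null -eq $f) { "$name : not present on this edition"; continue }
    "$name : $($f.State)"
}

# The SMB server keeps its own SMB1 flag, independent of the optional feature.
$srv = Get-SmbServerConfiguration
"EnableSMB1Protocol (server): $($srv.EnableSMB1Protocol)"

if ($Disable) {
    # Children first, then the parent; SmbDirect is intentionally left alone.
    foreach ($name in 'SMB1Protocol-Client', 'SMB1Protocol-Server', 'SMB1Protocol') {
        Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
        "$name : disable requested"
    }
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    'SMB1 disabled; reboot to complete the feature removal.'
}
```

Running the script without -Disable after the reboot is the quickest way to confirm that the manual change from the Windows Features dialog actually took effect and survived the next feature update.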