OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

I have recently loaded Avast onto a new computer. I apparently visited a suspect website, which resulted in this computer launching an “OS Attack: Microsoft SMB MS17-010 Disclosure Attempt” on another computer on my LAN. This attack was detected by Nortons, so although many deride this software, it did protect the second computer. Avast on the new computer has not given any indication that it was/is aware of any problems.

Why didn’t Avast detect and protect my LAN from such an attack?

It certainly does not encourage me to purchase a license for Avast.

GPython61

Can you attach a screenshot of the warning Norton has given you?

People commonly associate “X AV found this but Y didn’t! Therefore Y program is bad!” which is untrue. False Positives are a thing, in which case X AV is bad and Y AV is good.

Looks like 17-010 is loosely tied with WannaCry exploits?

Is this a server or a desktop?

Also, how is your network acting? I pulled the information from Norton’s Sec Res department.

Note: To successfully exploit this issue, an attacker would need to negotiate a connection to SMBv1 as a part of the attack.

Successful exploits will allow an attacker to execute arbitrary code on the target system. Failed attacks will cause denial of service conditions.

Source: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23875

A DoS attack would leave your network very slow potentially, especially if they keep doing it.

Addition:

To further this: Pondus PM’d me this link.

https://www.symantec.com/connect/forums/ntp-os-attack-microsoft-smb-ms17-010-disclosure-attempt

HonzaZ, one of the people working for Avast! was BCC’d into Pondus’ and I’s conversation, so he may show up here and attempt to solve the problem. Or, if he isn’t the person to talk to, he should be able to contact someone else who could assist; or point you in the right direction.

Attached is a screen capture of Norton’s Security History entry for the attack.

Surprisingly the new computer is unable to connect to my Homegroup, which is a completely different issue, but was able to launch the attack. Both computers are desktop computers in a home LAN environment. Excluding the new computer, I have two desktops and two laptops included in my Homegroup. Only the new desktop and one desktop, which is working with the Homegroup, were on at the time of the attack. Also, apart from being unable to get my new computer on my Homegroup, apparently the fault of Windows 10, the network seems to be working well.

EternalBlue MS17-010
http://www.wired.co.uk/article/what-is-eternal-blue-exploit-vulnerability-patch
https://www.computerworld.com/article/3197421/networking/the-windows-firewall-is-the-overlooked-defense-against-wannacry-and-adylkuzz.html

Close port 445 see post from @PDI >> https://forum.avast.com/index.php?topic=208445.msg1419511#msg1419511

Hello,

Did you run the WiFi Inspector scan or Smart Scan from Avast?
If yes, it is possible, that Norton detected this scan.
The WiFi Inspector scan is trying to determine if any of your devices on the network are vulnerable to this attack and it is possible that Norton detects this.

Filip