AnsweredAssumed Answered

MS17-010 - Detection of Workaround

Question asked by Abner Almeida on May 15, 2017
Latest reply on May 16, 2017 by Jimmy Graham

Hello, guys

 

I need some help regarding the detection of the QID 91345.

First of all, let me quote Microsoft's Technet post on MS17-010, in the workaround section:

 

For server operating systems:

  1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
  2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
  3. Restart the system.
     

Impact of workaround. The SMBv1 protocol will be disabled on the target system.

In some of our servers, our Windows team was not able to apply the patch, so they executed the steps described above. But Qualys keeps reporting this:

 

 

 

Or this:

 

 

Is this correct? I mean, I know that if the patch was not applied, of course Qualys will detect it. Although, shouldn't this QID detect whether of not the workaround was executed? Or am I wrong?

 

In our company we work with Remediation Tickets to keep track of pending and fixed vulnerabilities. If I am wrong in my thoughts, what should I do? Set the remediation tickets to "Closed/Fixed" in the servers in which the workaround was done?

Any suggestions?

Outcomes