AnsweredAssumed Answered

How Qualys Appliance detect QID1037- Petya Ransomware

Question asked by darknight on Oct 12, 2018
Latest reply on Oct 12, 2018 by StjepanSusnjar

Hello Community, 

 

We tried to apply all work around suggested by Qualys knowledge base: 

To Protect your systems:
- Apply Microsoft patches where relevant MS17-010 and KB4012598 ==> DONE
- Use the Windows AppLocker feature to disable the execution of files named perfc.dat and PSExec.exe. 
- Disable WMI. Disable SMBv1.
- Block TCP Port 445 at the perimeter.  
- Make sure systems are running up to date anti-malware. ==> DONE
- Block ADMIN$ access via GPO.

- Maintain good back-ups so that if an infection occurs, you can restore your data.==> DONE

Cleaning up Infected systems:
- Contact your Anti-Malware vendor to remove the infection. 
- Restore data from a known good backup.

 

We still detect the QID.

My question is what detects the appliance? Is it just a check on Port 445 and the appliance give back a vulnerability based on this? 

Is it a check of what is actually installed on the machine? 

We installed a false Petya file in our systems, we wanted to be sure that we take no risks by deleting it. 

 

Regards,

Outcomes