Virtual machine guest OS can it attack the host machine?

Hi, I have VMware installed on my PC and created a virtual PC running Windows 7 to run a program that won't run on Win 10. At some point Norton alerted me to an attack on the host PC running Windows 10 concerning an exploit of SMB 1.0 in Windows. Norton stopped the attack. When I traced the IP address that was the source of the attack, it turned out to be the IP address of the virtual PC in VMware on the local network.

My question is whether it's possible this really was an attack from an infected Win 7 on VMware, or could it be a result of how the virtual machine is working and not an attack? The Windows 7 installation does not share any folders or files with the Win 10 host system.

Regards Steve

 

 

Thanks for the post back, and you are most welcome. If you'd be so kind, if you have a solution and a post here gave you that solution please mark it as the thread solution. Other users with a similar issue can then see the solution. Stay safe and healthy. Let us know if we can assist in the future.

Cheers

Hi, thanks for the follow-up. I deleted the virtual machine (VM) and then re-installed it, but made sure I disabled SMB 1.0 on the Win 7 VM and the Win 10 host system. After doing that there has been no further issue. Thanks for all the help.

Regards Steve
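
As an added example (not posted by anyone in this thread), the following Windows PowerShell function reports whether SMB 1.0 is still enabled on a machine and, with `-Disable`, turns it off using the method that fits the OS: the SMB cmdlets on Windows 10, the registry and service settings on Windows 7. The function name `Invoke-Smb1Audit` is hypothetical, and the script assumes an elevated prompt on both the host and the guest.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell
# session on the host and inside the guest. Read-only unless -Disable is given.
function Invoke-Smb1Audit {                      # hypothetical helper name
    param([switch]$Disable)
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cliKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    # The SMB cmdlets exist on Windows 8 / 10 but not on Windows 7.
    $modern = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)

    if ($Disable) {
        if ($modern) {
            # Windows 10: server setting plus the optional feature (client and server)
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        } else {
            # Windows 7: registry value for the server, service config for the client
            Set-ItemProperty -Path $srvKey -Name SMB1 -Type DWord -Value 0
            sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
            sc.exe config mrxsmb10 start= disabled | Out-Null
        }
    }

    # Server side: on Windows 7 a missing SMB1 value means the default, which is enabled.
    if ($modern) {
        $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = (Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $server = ($null -eq $v) -or ($v -ne 0)
    }
    # Client side: mrxsmb10 driver. Start = 4 is disabled; no key means not installed.
    $start  = (Get-ItemProperty -Path $cliKey -Name Start -ErrorAction SilentlyContinue).Start
    $client = ($null -ne $start) -and ($start -ne 4)

    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        OS                = (Get-WmiObject Win32_OperatingSystem).Caption
        Smb1ServerEnabled = $server
        Smb1ClientEnabled = $client
        RebootNeeded      = [bool]$Disable   # changes take full effect after a restart
    }
}
Invoke-Smb1Audit
```

Both `Smb1ServerEnabled` and `Smb1ClientEnabled` should read `False` on the host and the guest after a restart; disabling SMB 1.0 does not replace installing the OS updates mentioned elsewhere in the thread.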

Steve, I'm following up to see how things have progressed. Can we assist further? 

Cheers

The VM itself COULD be tainted as it had no antiviral protection. I would indeed reinstall the VM. Norton will not scan a guest OS since it is isolated from the host. The VM obviously had an attempt to obfuscate it and an attempt to cross over into the host OS occurred. Make sure you patch the OS for the guest VM AND install A/V on it as well. That will consume another license seat from your Norton subscription, so keep that in mind.

Another thought is that SMB 3 on Windows 10 SHOULD be patched as well, since it has its own issues Microsoft has patched. Make sure BOTH the host and guest OSes are fully updated whether or not you are doing actual work with the guest.

Cheers

Hi, I must admit I didn't know .pdf files were a potential security problem. I'll remember that for the future though.

As for the issue, I don't think the Windows 10 PC is the problem as it's the new 2004 version and its updates are all up to date. Speaking to MS on chat, they seem to think it should be OK. However, the Windows 7 virtual machine doesn't appear to have either of the appropriate updates as far as I can see. I've disabled SMB 1.0 on both the Windows 10 PC and the Win 7 machine. (It was running on Win 10 for an old NAS which I no longer have.) I think that might be enough to start with. Then I think I'll uninstall the Windows 7 machine and start again afresh with a new install. If I do that and quickly install Norton, would it be likely to pick up any infections that might cause this same thing again?

Steve

 

Steve, your screenshot shows Norton stopped the attack. IMA, please use this guide to post screenshots. Most of us here won't open a PDF due to the security risks that can accompany it. Thanks in advance. Your screenshot is below; I pulled it from your PDF.

Either your VM (Windows 7) or Windows 10 is missing an update that mitigates the WannaCrypt ransomware exploit. Please follow the advice in this MS article. As posted before, some tips for setting up a secure VM can be found here. Please let us know how things work out and if you need further assistance.

Cheers

Hi, Thanks for your reply.

I had a feeling it was possible, but I'm hoping no actual damage has been done at this point in time. I've attached a screenshot of the Norton report.

Regards Steve

 

Hello Steve. The short answer unfortunately is YES!! Please post a screenshot of the attack from your Norton history so we can see what you are actually responding to. Using SMB 1 on any Windows client is not recommended due to exploits. SMB 2/3 also have issues as well. Thanks in advance.

Edited: Some tips for setting up a secure VM can be found here

Cheers