Wondering if anyone has had the same experience as me when trying to get rid of SMB vulns on client machines. I have done all the necessary steps outlined in the many Microsoft documents that exist nowadays on how to eradicate SMB1. Did it in Programs and Features and through PowerShell as well, then verified the feature was disabled using the PowerShell script. Same story for the vulns regarding SMB signing, as I have verified signing is enabled and required on both the LanmanWorkstation and Server paths. Yet, all vulnerabilities still show on all of the assets (after agent check-in AND a scan engine scan).
Not really sure what to do now… am I missing something?
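For anyone in the same position, the following PowerShell audit is an added example, not something from the original post or from Rapid7, that collects on one host the settings a scanner checks for these findings: the RequireSecuritySignature value under both the LanmanWorkstation and LanmanServer Parameters keys, the live SMB server and client configuration, every SMB1Protocol optional feature (the client sub-feature is separate from the server one and is easy to miss), and the dialects of any SMB sessions the host currently has open. It assumes a Windows 10/11 client with the SmbShare module available and an elevated session.

```powershell
# Added example (not from the original post): audit the SMB1 and signing state a
# vulnerability scanner checks for on the local Windows host. Run elevated.
function Get-SmbHardeningState {
    # The two registry paths referred to in the post.
    $wsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Signing: 1 = required. A missing value means the OS default applies, so it is
    # reported as $null rather than assumed to be required.
    $wsSign  = (Get-ItemProperty -Path $wsKey  -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    $srvSign = (Get-ItemProperty -Path $srvKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature

    # SMB1: the server-side registry switch, the live server/client configuration,
    # and the optional-feature state (SMB1Protocol-Client is a separate sub-feature).
    $srvSmb1Reg = (Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $srvCfg  = Get-SmbServerConfiguration
    $cliCfg  = Get-SmbClientConfiguration
    $features = Get-WindowsOptionalFeature -Online |
        Where-Object FeatureName -like 'SMB1Protocol*'
    $enabledFeatures = @($features | Where-Object State -eq 'Enabled' |
        Select-Object -ExpandProperty FeatureName)

    # Dialects of sessions this host currently has open as an SMB client; anything
    # below 2.x means SMB1 is still being negotiated with some server.
    $dialects = @(Get-SmbConnection -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Dialect -Unique)

    [pscustomobject]@{
        WorkstationSigningRequired = ($wsSign -eq 1)
        ServerSigningRequired      = ($srvSign -eq 1)
        ServerSigningLive          = $srvCfg.RequireSecuritySignature
        ClientSigningLive          = $cliCfg.RequireSecuritySignature
        Smb1ServerRegistryValue    = $srvSmb1Reg          # $null = not set, 0 = disabled
        Smb1ServerEnabledLive      = $srvCfg.EnableSMB1Protocol
        Smb1FeaturesEnabled        = $enabledFeatures     # empty when fully removed
        ActiveClientDialects       = ($dialects -join ', ')
    }
}

$state = Get-SmbHardeningState
$state | Format-List

# Summarise what a scanner would still be entitled to report on this host.
$problems = @()
if (-not $state.WorkstationSigningRequired) { $problems += 'LanmanWorkstation RequireSecuritySignature is not 1' }
if (-not $state.ServerSigningRequired)      { $problems += 'LanmanServer RequireSecuritySignature is not 1' }
if ($state.Smb1ServerEnabledLive)           { $problems += 'SMB1 server protocol is still enabled' }
if ($state.Smb1FeaturesEnabled.Count -gt 0) { $problems += "SMB1 optional feature(s) still enabled: $($state.Smb1FeaturesEnabled -join ', ')" }
if ($problems) {
    "Remaining issues:`n - " + ($problems -join "`n - ")
} else {
    'No SMB1 or signing issues found on this host'
}
```

If every value here is clean but the console still lists the findings, the discrepancy is on the scanner side (stale agent data, a different scan template, or the asset record merging results from more than one source), which is what the rest of this thread ends up chasing.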
Hi there,
Did you check on which ports SMBv1 was detected? We had the same issues, thought we deactivated SMBv1 on all clients. However, as I remember, on RDP SMBv1 was still active.
But I don’t remember what my colleagues from the client admin team had to do to solve the issue.
I have to ask my colleague from the client engineering team but he is currently on holidays. Will come back to this topic as soon as I have more information.
We’ve had some trouble with “SMBv2 signing not required” finding. We’ve implemented the fixes via Intune, and it did solve some of them, but about 1/2 are still remaining. It’s not clear what the difference has been. I initially suspected a restart was required, but that didn’t prove to be true or entirely true.
Even weirder… Now, the scans are not finding the vulnerability. But, the vuln is still showing on the asset page, even though if you click into the most recent scan data, that vulnerability is not showing anymore. So, I guess I can’t tell if it is gone or not…?
Anywhere from Win10 22H2 to Win11 24H2. Nothing below that though. Yes, 139/445.
Every device has agent and gets network scanned. If an agent is installed, we skip all checks done by the agent and just check for anything the agent isn’t scanning.
I’m going to try deleting it and rescanning it in with that template. This doesn’t make sense to me either.
And no, by scan report I just meant clicking the results of the scan within the IVM page, not any sort of extra report or anything. The scan shows 10 vulns, none of which have to do with SMB. When I return back to the asset page, the asset shows 14 vulnerabilities, the exact 10 listed in the scan results, and then 4 additional SMB vulns. No clue how that is possible.
Can you run this report on that asset or another asset? It will show AGENT and NETWORK. Change the date range in the query; it will show an AGENT or SITENAME column in the report, which will tell you where it's getting picked up.
WITH
-- Assets of interest (dim_asset.sites is a text list of the site names the asset belongs to)
target_assets AS (
    SELECT asset_id, ip_address, host_name, sites
    FROM dim_asset
),
-- What vulnerabilities existed on a given past date; change the date to set the range
past_vulns AS (
    SELECT asset_id, vulnerability_id
    FROM fact_asset_vulnerability_age
    WHERE first_discovered <= DATE '2025-01-01'
      AND most_recently_discovered >= DATE '2025-01-01'
),
-- Current vulnerabilities (still present)
current_vulns AS (
    SELECT asset_id, vulnerability_id
    FROM fact_asset_vulnerability_instance
),
-- Classify every (asset, vulnerability) pair. Each set operation is wrapped in its own
-- subquery: INTERSECT binds tighter than UNION/EXCEPT, and UNION/EXCEPT are evaluated
-- left to right, so an unparenthesised chain does not compute the three groups independently.
combined_vulns AS (
    SELECT asset_id, vulnerability_id, 'STILL PRESENT' AS status
    FROM (
        SELECT asset_id, vulnerability_id FROM past_vulns
        INTERSECT
        SELECT asset_id, vulnerability_id FROM current_vulns
    ) still_present
    UNION ALL
    SELECT asset_id, vulnerability_id, 'REMEDIATED' AS status
    FROM (
        SELECT asset_id, vulnerability_id FROM past_vulns
        EXCEPT
        SELECT asset_id, vulnerability_id FROM current_vulns
    ) remediated
    UNION ALL
    SELECT asset_id, vulnerability_id, 'NEW' AS status
    FROM (
        SELECT asset_id, vulnerability_id FROM current_vulns
        EXCEPT
        SELECT asset_id, vulnerability_id FROM past_vulns
    ) new_vulns
),
-- Attach metadata for reporting
vuln_metadata AS (
    SELECT vulnerability_id, title, severity, cvss_v2_score
    FROM dim_vulnerability
),
-- Optional: resolve the site name by matching dim_site.name inside the `sites` text
joined_assets AS (
    SELECT ta.*, ds.name AS site_name
    FROM target_assets ta
    LEFT JOIN dim_site ds ON POSITION(ds.name IN ta.sites) > 0
)
-- Final report output
SELECT
    ja.ip_address,
    ja.host_name,
    ja.site_name,
    vm.title AS vulnerability_title,
    vm.severity,
    vm.cvss_v2_score,
    cv.status
FROM combined_vulns cv
JOIN joined_assets ja USING (asset_id)
JOIN vuln_metadata vm USING (vulnerability_id)
ORDER BY ja.ip_address, vm.severity DESC;
Looks like deleting it and scanning it back in with the other template has fixed it (for now). I’ll update after our weekly scans run next with our other template to see if that changes.