Anyone Else Had Trouble Trying to Get Rid of SMB Vulnerabilities?

Hi there,

Wondering if anyone has had the same experience as me when trying to get rid of SMB vulns on client machines. I have done all the necessary steps outlined in the many Microsoft documents that exist nowadays about how to eradicate SMB1. Did it in Programs and Features and through PowerShell as well, then verified the feature was disabled using the PowerShell script. Same story for the vulns regarding SMB signing, as I have verified signing is enabled and required on both the LanmanWorkstation and Server paths. Yet, all vulnerabilities still show on all of the assets (after agent check-in AND a scan engine scan).

Not really sure what to do now… am I missing something?
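The read-back the original poster describes (optional feature, server and client configuration, and the two registry paths) can be done in one pass. The script below is an added example, not code from the thread or from Microsoft: it runs from an elevated PowerShell prompt on the Windows 10/11 client itself, uses only built-in cmdlets, and lists every SMBv1 or signing setting that is still in the state a scanner probing 139/445 would flag. The `Signed` property on `Get-SmbConnection` is assumed to be present (it is on current Windows 10/11 builds); the registry paths are the LanmanServer/LanmanWorkstation parameters the poster mentions.

```powershell
#Requires -RunAsAdministrator
# Added example: verify SMBv1 removal and SMB signing enforcement on a Windows
# 10/11 client and report anything still in the insecure state.

function Test-SmbHardening {
    $findings = [System.Collections.Generic.List[string]]::new()

    # --- SMBv1 -------------------------------------------------------------
    # Optional-feature state: what Programs and Features and
    # Disable-WindowsOptionalFeature toggle. Disabling needs a reboot; until
    # then the SMB1 binaries are still loaded and still answer on 445.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -ne 'Disabled') {
        $findings.Add("SMB1Protocol optional feature is '$($feature.State)', expected 'Disabled'")
    }

    # Server-side switch: this is what the scanner's SMB negotiate observes.
    $server = Get-SmbServerConfiguration
    if ($server.EnableSMB1Protocol) {
        $findings.Add('Get-SmbServerConfiguration: EnableSMB1Protocol = True')
    }

    # Client-side SMBv1 redirector driver (mrxsmb10). Start = 4 means disabled;
    # the key disappears once feature removal completes after the reboot.
    $mrx = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                            -Name Start -ErrorAction SilentlyContinue
    if ($mrx -and $mrx.Start -ne 4) {
        $findings.Add("mrxsmb10 driver present with Start = $($mrx.Start) (4 = disabled)")
    }
    # The workstation service must depend only on mrxsmb20, not mrxsmb10.
    $deps = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation' `
                              -Name DependOnService).DependOnService
    if ($deps -contains 'mrxsmb10') {
        $findings.Add("LanmanWorkstation DependOnService still lists mrxsmb10: $($deps -join ', ')")
    }

    # --- SMB signing -------------------------------------------------------
    # 'Signing not required' is raised when the server's negotiate response does
    # not carry the signing-required flag, i.e. the LanmanServer side is 0.
    # The LanmanWorkstation side covers the client-side finding. Check the live
    # configuration and the registry values a GPO or Intune policy writes, since
    # a policy can set one without the other having taken effect yet.
    if (-not $server.RequireSecuritySignature) {
        $findings.Add('Get-SmbServerConfiguration: RequireSecuritySignature = False')
    }
    $client = Get-SmbClientConfiguration
    if (-not $client.RequireSecuritySignature) {
        $findings.Add('Get-SmbClientConfiguration: RequireSecuritySignature = False')
    }
    foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        $val  = (Get-ItemProperty -Path $path -Name RequireSecuritySignature `
                                  -ErrorAction SilentlyContinue).RequireSecuritySignature
        if ($val -ne 1) {
            $findings.Add("$path\RequireSecuritySignature is '$val', expected 1")
        }
    }

    # --- Live sessions -----------------------------------------------------
    # Any current outbound SMB session below dialect 2.0.2, or unsigned, shows a
    # peer is still being talked to insecurely. Assumes the Signed property
    # exists on this build of Get-SmbConnection.
    foreach ($conn in Get-SmbConnection) {
        if ([version]$conn.Dialect -lt [version]'2.0.2' -or -not $conn.Signed) {
            $findings.Add("Session to $($conn.ServerName): dialect $($conn.Dialect), signed = $($conn.Signed)")
        }
    }

    return $findings
}

$result = Test-SmbHardening
if ($result.Count -eq 0) {
    Write-Host 'OK: SMBv1 removed and SMB signing required on both server and client.'
} else {
    Write-Warning "Found $($result.Count) item(s) still in the insecure state:"
    $result | ForEach-Object { Write-Host " - $_" }
}
```

If this reports nothing yet the scanner still flags the host after a fresh network scan, the finding is not coming from the host's configuration and the question moves to how the scan result is being recorded, which is where the rest of the thread goes.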

Hi there,
Did you check on which ports SMBv1 was detected? We had the same issues, thought we deactivated SMBv1 on all clients. However, as I remember, on RDP SMBv1 was still active.
But I don’t remember what my colleagues from the client admin team had to do to solve the issue.

Also having the same issue. Let us know how you fixed it, please.

I have to ask my colleague from the client engineering team, but he is currently on holidays. Will come back to this topic as soon as I have more information.

We’ve had some trouble with the “SMBv2 signing not required” finding. We’ve implemented the fixes via Intune, and it did solve some of them, but about half are still remaining. It’s not clear what the difference has been. I initially suspected a restart was required, but that didn’t prove to be true, or entirely true.

Even weirder… Now, the scans are not finding the vulnerability. But, the vuln is still showing on the asset page, even though if you click into the most recent scan data, that vulnerability is not showing anymore. So, I guess I can’t tell if it is gone or not…?

Same for me, the SMB vulnerability is still being found on the machine even though it has been disabled. Did anyone find the solution?

Hi @david_altanian,

Did you have any update to this? Thank you in advance if you can provide any ideas or solutions!

What is the operating system level for the assets in question? Are you hitting it on 139/445 CIFS?

Do you have an Agent installed? Or Network based scan?

If running an Agent, do you have a separate scan template set up that BYPASSes the AGENT FLAG and scans the host anyway?

Anywhere from Win10 22H2 to Win11 24H2. Nothing below that, though. Yes, 139/445.

Every device has agent and gets network scanned. If an agent is installed, we skip all checks done by the agent and just check for anything the agent isn’t scanning.

OK, try this…

Duplicate your Scan Template that you use.

Call it whatever (AGENT BYPASS)

Uncheck the box under vuln checks that skips the agent checks, as if it didn’t exist and we are partying like it’s 1999…

Try that on a few hosts and see if it still exists.

The vulnerabilities do not show up in the scan report.

The vulnerabilities do still show in the asset page under vulnerabilities.

That kinda doesn’t make sense. Are you using filters in your scan report, like CRIT/SEV/MOD, or some filtering in your SQL query export?

If it’s on the asset page it should be reflected in the reporting unless there is some filtering.

Last option would be to delete that asset record in the console and rescan it with that same template…

Does it show the network interface in the asset page with that last scan, down under the asset page towards the bottom?

I’m going to try deleting it and rescanning it in with that template. This doesn’t make sense to me either.

And no, by scan report I just meant clicking the results of the scan within the IVM page, not any sort of extra report or anything. The scan shows 10 vulns, none of which have to do with SMB. When I return back to the asset page, the asset shows 14 vulnerabilities: the exact 10 listed in the scan results, and then 4 additional SMB vulns. No clue how that is possible.

Can you run this report on that asset or another asset? It will show AGENT and NETWORK. Change the date range in the query.

It will show an AGENT or SITENAME column in the report, which will tell you where it’s getting picked up.

WITH
-- Assets of interest. Uncomment the WHERE clause to limit the report to one
-- asset (placeholder value, replace with the host in question).
target_assets AS (
    SELECT asset_id, ip_address, host_name, sites
    FROM dim_asset
    -- WHERE host_name = '<hostname>'
),

-- What vulnerabilities existed on a given past date. Change the date below
-- to move the comparison point (a finding counts as present on that date if
-- it was first seen on or before it and last seen on or after it).
past_vulns AS (
    SELECT asset_id, vulnerability_id
    FROM fact_asset_vulnerability_age
    WHERE first_discovered <= DATE '2025-01-01'
      AND most_recently_discovered >= DATE '2025-01-01'
),

-- Current vulnerabilities (still present on the asset right now)
current_vulns AS (
    SELECT asset_id, vulnerability_id
    FROM fact_asset_vulnerability_instance
),

-- Classify every (asset, vulnerability) pair. Each branch is parenthesized so
-- the INTERSECT/EXCEPT pairs are evaluated before the UNIONs; the set
-- operations also deduplicate the per-port instance rows.
combined_vulns AS (
    (
        SELECT asset_id, vulnerability_id, 'STILL PRESENT' AS status
        FROM past_vulns
        INTERSECT
        SELECT asset_id, vulnerability_id, 'STILL PRESENT'
        FROM current_vulns
    )
    UNION
    (
        SELECT asset_id, vulnerability_id, 'REMEDIATED' AS status
        FROM past_vulns
        EXCEPT
        SELECT asset_id, vulnerability_id, 'REMEDIATED'
        FROM current_vulns
    )
    UNION
    (
        SELECT asset_id, vulnerability_id, 'NEW' AS status
        FROM current_vulns
        EXCEPT
        SELECT asset_id, vulnerability_id, 'NEW'
        FROM past_vulns
    )
),

-- Attach metadata for reporting
vuln_metadata AS (
    SELECT vulnerability_id, title, severity, cvss_v2_score
    FROM dim_vulnerability
),

-- Resolve site names from the comma-delimited `sites` text on dim_asset.
-- An asset in several sites (e.g. a network site plus the agent site) yields
-- one row per site, which is what shows where each finding is coming from.
-- POSITION is a substring match, so a site name that is a prefix of another
-- site's name will also match.
joined_assets AS (
    SELECT ta.*, ds.name AS site_name
    FROM target_assets ta
    LEFT JOIN dim_site ds ON POSITION(ds.name IN ta.sites) > 0
)

-- Final report output
SELECT
    ja.ip_address,
    ja.host_name,
    ja.site_name,
    vm.title AS vulnerability_title,
    vm.severity,
    vm.cvss_v2_score,
    cv.status
FROM combined_vulns cv
JOIN joined_assets ja USING (asset_id)
JOIN vuln_metadata vm USING (vulnerability_id)
ORDER BY ja.ip_address, vm.cvss_v2_score DESC;

Looks like deleting it and scanning it back in with the other template has fixed it (for now). I’ll update after our weekly scans run next with our other template to see if that changes.

Thank you for the pointers!
