Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread J- P
False alarm: GPP kicked in a lot quicker than I thought. From: listsad...@lists.myitforum.com on behalf of J- P Sent: Wednesday, June 28, 2017 1:43 PM To: ntsysadm@lists.myitforum.com Subject: Re:

RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread James Rankin
Didn’t know that either. Educated! From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael Leone Sent: 28 June 2017 16:26 To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] Using GPP to fight Petya On Wed, Jun 28, 2017 at 10:59 AM, Melvin Backus

Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread J- P
https://blog.kaspersky.com/new-ransomware-epidemics/17314/ New Petya / NotPetya / ExPetr ransomware

[NTSysADM] Re: Petya

2017-06-28 Thread J- P
Definitely something hinky going on with this list. I sent this email last night. Jean-Paul Natola From: listsad...@lists.myitforum.com on behalf of J- P Sent: Tuesday, June 27, 2017 7:21:35 PM To: NT

Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread J- P
I found 2 PCs with perfc.dat already there; hopefully Kaspersky will do its job. From: listsad...@lists.myitforum.com on behalf of Michael Leone Sent: Wednesday, June 28, 2017 12:15 PM To:

RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Melvin Backus
I’ll give it a try. Thanks -- There are 10 kinds of people in the world... those who understand binary and those who don't. From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kennedy, Jim Sent: Wednesday, June 28, 2017 2:14 PM To:

[NTSysADM] Petya

2017-06-28 Thread J- P
https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe 'Petya' ransomware attack strikes companies across Europe and US www.theguardian.com

Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Michael Leone
On Wed, Jun 28, 2017 at 2:00 PM, Melvin Backus wrote: > > > If you’re running 2012 servers I’d recommend you go to at least 8.1 for > your workstation, so you can run the RSAT tools. Even if it means you > have to virtualize one just for a management workstation. > I

RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Kennedy, Jim
Redircmp will send them to an OU and it all sticks. I did it many years ago, so I am a bit fuzzy on it, but mine go to a specific OU, then we manually move them down to sub-OUs for the edge cases.

RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Melvin Backus
Change the flag while it’s in replace mode. I’m not sure you even need to do it though. You can delete r/o files from the command line (del /f); I just don’t know what GP would do with it. I suspect it would take care of it but I’ve never needed to try. Actually, I’m thinking just removing /

Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Sean Martin
Seems overly complicated. If you have a Windows 2012/Windows 8 box (or newer) at your disposal, use the Invoke-GPUpdate cmdlet.

$Devices = Get-ADComputer -Filter *   # the filter value did not survive the archive; assumed to be *
ForEach ($Device in $Devices) {
    # -Computer takes a host name, so pass the Name property rather than the ADComputer object
    Invoke-GPUpdate -Computer $Device.Name -Target Computer -RandomDelayInMinutes 0 -Force   # delay value did not survive the archive; assumed 0
}

If

RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Melvin Backus
Obviously it won’t work if it’s the DDP, but I question the choice. Make it a standalone policy so it’s easily identified and removed if required. Even if machines are in dozens of OUs, an update to each one takes a few minutes total. That’s one thing I’ve always hated about the way AD works.

Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Michael Leone
On Wed, Jun 28, 2017 at 11:16 AM, J- P wrote: > kaspersky detected perfc.dat as a malicious file > > anyone else get that? > Yep, seeing the same warnings. And all on the perfc.dat file that I created using GPP, to stop "Petya". LOL Guess I didn't need to create that

Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread J- P
Kaspersky detected perfc.dat as a malicious file. Anyone else get that? From: listsad...@lists.myitforum.com on behalf of Melvin Backus Sent: Wednesday, June 28, 2017 10:59 AM To:

Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Michael Leone
On Wed, Jun 28, 2017 at 10:59 AM, Melvin Backus wrote: > From GPMC select the OU, right click, Group Policy Update. > I don't see this option in my GPMC (Win 7 Pro). I see it on GPMC from a Win2012 R2 server ... Part of the problem is, I set those changes to the Default

Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread David McSpadden
Gpupdate /force on a D.C.? Not positive that forces all. Just a thought I had. Sent from my iPhone On Jun 28, 2017, at 10:17 AM, Michael Leone > wrote:

RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Melvin Backus
From GPMC select the OU, right click, Group Policy Update. It isn’t immediate on all systems but it will happen within the next 10-15 minutes as it staggers them to avoid swamping the server. -- There are 10 kinds of people in the world... those who understand binary and those who

RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Ed Ziots
Why not deal with the root cause by disabling SMBv1 where possible across your Windows assets? Enhance your IDS and IPS at the edge network and internal network to detect attack signatures of malware spread, and update your AV sigs. You can use an nmap script to look for SMBv1-enabled hosts via Lua scripts
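
The nmap suggestion above gives the network-side view; the following is an added example (not from the thread or any poster) of the host-side check, audited and optionally enforced over WinRM. It uses Get/Set-SmbServerConfiguration where they exist (Windows 8 / Server 2012 and newer) and falls back to the LanmanServer registry value on Windows 7 / Server 2008 R2. It assumes PowerShell remoting is enabled and that you run it as an admin on the targets; the host names are constructed placeholders.

```powershell
# Added example: audit SMBv1 on a list of Windows hosts and, with -Disable,
# turn the SMBv1 server side off. Not code from the mailing-list thread.
param(
    [string[]]$ComputerName = @('srv01.example.com', 'srv02.example.com'),  # placeholders
    [switch]$Disable
)

$AuditSmb1 = {
    param([bool]$Disable)
    # Get-WmiObject rather than Get-CimInstance so this also runs on PS 2.0 (Win7 default)
    $os = (Get-WmiObject Win32_OperatingSystem).Caption
    $rebootNeeded = $false
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $before = (Get-SmbServerConfiguration).EnableSMB1Protocol
        if ($Disable -and $before) {
            # Takes effect immediately; no reboot required.
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
        $after = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older OS: SMB1 DWORD under LanmanServer\Parameters. A missing value
        # means SMBv1 is enabled (the default), so treat $null as enabled.
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $read = {
            $v = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
            ($null -eq $v) -or ($v -ne 0)
        }
        $before = & $read
        if ($Disable -and $before) {
            Set-ItemProperty -Path $key -Name SMB1 -Value 0 -Type DWord
            $rebootNeeded = $true   # value is read when the Server service starts
        }
        $after = & $read
    }
    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        OS           = $os
        SMB1Before   = $before
        SMB1After    = $after
        RebootNeeded = $rebootNeeded
    }
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $AuditSmb1 -ArgumentList $Disable.IsPresent |
    Select-Object Computer, OS, SMB1Before, SMB1After, RebootNeeded |
    Format-Table -AutoSize
```

Run it without -Disable first to get the inventory, then with -Disable once you have checked for anything that still needs SMBv1 (old NAS boxes, scanners, legacy appliances). This only switches off the server side that the EternalBlue exploit targets; the client side (mrxsmb10) and the MS17-010 patch itself are separate items.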

RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread James Rankin
Pipe the server names from a text file to a command like psexec that runs gpupdate? From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael Leone Sent: 28 June 2017 15:11 To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] Using GPP to fight Petya

RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Kennedy, Jim
Well, first, they should do it within around 90 minutes max on their own. You could push a psexec gpupdate against a text file list of the boxes. Or via PowerShell: https://blogs.technet.microsoft.com/heyscriptingguy/2012/11/12/force-a-domain-wide-update-of-group-policy-with-powershell/ And I will
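
Both routes suggested in the thread (Invoke-GPUpdate from a 2012/8.1-or-newer box, or psexec against a list of hosts) can be combined into one pass that records what actually failed. The following is an added example, not code from any poster or from the linked blog. It needs the RSAT GroupPolicy and ActiveDirectory modules on the admin workstation; Invoke-GPUpdate works by creating a remote scheduled task over RPC, and the fallback assumes PowerShell remoting is enabled on the targets. The OU path is a constructed placeholder.

```powershell
# Added example: force a computer-side Group Policy refresh on every enabled
# computer under an OU, falling back to WinRM where RPC is blocked, and
# report the hosts that could not be reached. Not code from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SearchBase = 'OU=Servers,DC=example,DC=com'   # placeholder, replace with your own OU

$Computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Select-Object -ExpandProperty DNSHostName |
    Where-Object { $_ }   # skip accounts with no DNS host name

$Results = foreach ($Name in $Computers) {
    try {
        # -Target Computer: only the computer-side policy (where the GPP Files
        #   item lives), so logged-on users are not disturbed.
        # -RandomDelayInMinutes 0: no stagger; raise it for thousands of hosts
        #   so the DCs are not all hit at once.
        # -Force: reapply even if the GPO version number has not changed.
        Invoke-GPUpdate -Computer $Name -Target Computer -RandomDelayInMinutes 0 -Force -ErrorAction Stop
        [pscustomobject]@{ Computer = $Name; Method = 'Invoke-GPUpdate'; Error = $null }
    } catch {
        $rpcError = $_.Exception.Message
        # Typical cause: RPC / remote scheduled tasks blocked by the host firewall.
        # Fall back to WinRM, which is often open where RPC is not.
        try {
            Invoke-Command -ComputerName $Name -ErrorAction Stop -ScriptBlock {
                gpupdate.exe /target:computer /force | Out-Null
            }
            [pscustomobject]@{ Computer = $Name; Method = 'WinRM gpupdate'; Error = $null }
        } catch {
            [pscustomobject]@{ Computer = $Name; Method = 'Failed'; Error = "$rpcError; $($_.Exception.Message)" }
        }
    }
}

$Results | Sort-Object Method, Computer | Format-Table -AutoSize
$Results | Where-Object { $_.Method -eq 'Failed' } |
    Export-Csv -Path .\gpupdate-failed.csv -NoTypeInformation
```

Invoke-GPUpdate returns as soon as the scheduled task is created, so 'Invoke-GPUpdate' in the report means the refresh was queued, not that the GPP item has applied. Check gpresult or the file itself afterwards, and remember that hosts you cannot reach by either method will still pick the policy up on their own background refresh.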

Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Michael Leone
OK, so I've made that change in the GPO, and it creates the file appropriately. So how do I force all my servers to refresh their GPOs, without going to each and doing a "gpupdate /force"? When they automatically check in the next time, this policy should be applied. But how to make that happen

Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Michael Leone
On Wed, Jun 28, 2017 at 9:50 AM, Joseph L. Casale wrote: > Without digging into docs, I imagine your use of /force was the problem as > you state the policy was successfully applied at boot. Read up on /force > and /sync and the ramifications, good info… > No, /force

RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread James Rankin
Have you got a filter applied? You may need to add Domain Computers to it From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael Leone Sent: 28 June 2017 14:13 To: ntsysadm@lists.myitforum.com Subject: [NTSysADM] Using GPP to fight Petya So I'm

RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Kennedy, Jim
I did both, can’t hurt. But just perfc will work based on the way the ransomware is creating the file. “BTW, lot of other sites recommend creating a file "perfc" (no extension), and this page recommends "perfc.dat". Perhaps I should create both, just to be sure ..” From:

RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Joseph L. Casale
Without digging into docs, I imagine your use of /force was the problem as you state the policy was successfully applied at boot. Read up on /force and /sync and the ramifications, good info… From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael

Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Michael Leone
On Wed, Jun 28, 2017 at 9:23 AM, Kennedy, Jim wrote: > I will ground my son who wrote that. It should be ‘replace’. That will > create it or replace it. > OK, I will change that option ... > Now, why you are not seeing it in gpresult I dunno. You ran the

RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Kennedy, Jim
I will ground my son who wrote that. It should be ‘replace’. That will create it or replace it. Now, why you are not seeing it in gpresult I dunno. You ran the gpresult as a local admin? From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael Leone

[NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Michael Leone
So I'm confused. Looking at this page: https://www.binarydefense.com/petya-ransomware-without-fluff/ Shows using GPP to create a file "c:\windows\perfc.dat". Apparently, if this file exists, the malware stops (yes, I know that there will be a variant Real Soon Now that avoids this). So I made
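
Since the thread ends up recommending both "perfc" and "perfc.dat", set read-only, and several people could not tell from gpresult whether the GPP item had applied, here is an added example (not from any poster) that checks the two files on a list of hosts over WinRM and, with -Create, creates them and sets the read-only attribute where they are missing. It assumes PowerShell remoting is enabled and that you are an admin on the targets (writing into C:\Windows needs that); the host names are constructed placeholders.

```powershell
# Added example: verify, and optionally create, the NotPetya kill-switch files
# on remote hosts, independent of whether the GPP Files item has applied yet.
# Not code from the mailing-list thread.
param(
    [string[]]$ComputerName = @('srv01.example.com', 'ws01.example.com'),  # placeholders
    [switch]$Create
)

$CheckKillSwitch = {
    param([bool]$Create)
    $readOnlyFlag = [System.IO.FileAttributes]::ReadOnly
    foreach ($name in @('perfc', 'perfc.dat')) {
        $path   = Join-Path $env:windir $name
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        if (-not $exists -and $Create) {
            # A zero-byte file is enough: the malware only tests for existence.
            New-Item -Path $path -ItemType File -Force | Out-Null
            $exists = Test-Path -LiteralPath $path -PathType Leaf
        }
        $readOnly = $false
        if ($exists) {
            $item = Get-Item -LiteralPath $path -Force
            if ($Create -and ([int]($item.Attributes -band $readOnlyFlag) -eq 0)) {
                $item.Attributes = $item.Attributes -bor $readOnlyFlag
            }
            $readOnly = ([int]((Get-Item -LiteralPath $path -Force).Attributes -band $readOnlyFlag) -ne 0)
        }
        # New-Object rather than [pscustomobject] so this also runs on PS 2.0 targets
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            File     = $path
            Exists   = $exists
            ReadOnly = $readOnly
        }
    }
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $CheckKillSwitch -ArgumentList $Create.IsPresent |
    Select-Object Computer, File, Exists, ReadOnly |
    Sort-Object Computer, File |
    Format-Table -AutoSize
```

Run it without -Create to see which machines the GPO has reached; any host showing Exists = False after the refresh window is one to chase. If you do use -Create as a stopgap, keep the GPP item in Replace mode as suggested in the thread so Group Policy still owns the file afterwards, and expect your AV (as with the Kaspersky detections reported above) to possibly flag the file you just dropped.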