Blocking WannaCry: Can Antivirus Help?

TL;DR

While a zero-day WannaCry infection is extremely difficult to block completely with antivirus alone, modern antivirus solutions can offer some protection. They rely on heuristics, behavioural analysis and rapid signature updates. However, the best defence is a layered approach including patching, network segmentation, and strong cyber security practices.

Understanding the Challenge

WannaCry exploited a vulnerability in Windows (EternalBlue). A ‘zero-day’ means the vulnerability was unknown to software vendors and no patch existed when attacks began. Antivirus traditionally relies on recognizing known malicious files (‘signatures’). Zero-days, by definition, have no signature initially.

How Antivirus Can Help

1. Heuristics: Most antivirus programs use heuristics to identify suspicious behaviour. WannaCry’s encryption activity and attempts to spread across networks are unusual. Heuristics can flag these actions even without a specific signature.
2. Behavioural Analysis: More advanced antivirus solutions monitor processes for malicious patterns. WannaCry’s process creation, file modification, and network connections would be detected as abnormal.
3. Exploit Mitigation: Some antivirus products include exploit mitigation techniques that can block attempts to use vulnerabilities like EternalBlue, even before a patch is available. This isn’t foolproof but adds another layer of defence.
4. Rapid Signature Updates: Once WannaCry samples were analysed, antivirus companies quickly created signatures to detect the known malicious files. Keeping your antivirus updated is crucial.
5. Cloud-Based Scanning: Cloud scanning allows for faster detection of new threats by sharing information across a wider network.

Steps to Improve Your Protection

1. Keep Antivirus Updated: This is the most important step. Ensure your antivirus definitions are current.
   • Most antivirus software updates automatically, but check settings to confirm.
   • Manually trigger a scan after any update.
2. Enable Real-Time Scanning: Real-time scanning continuously monitors your system for threats.
3. Run Regular Scans: Schedule full system scans regularly, even with real-time protection enabled.
4. Consider Advanced Endpoint Protection (AEP): AEP solutions offer more sophisticated behavioural analysis and exploit mitigation than traditional antivirus.
5. Patch Your Systems: Microsoft released a patch for the EternalBlue vulnerability (MS17-010). Apply this patch immediately if you haven’t already.

   wusa.exe C:WindowsKB4012598

6. Network Segmentation: Isolate critical systems on separate network segments to limit the spread of an infection.
7. Firewall Rules: Block SMB ports (445) if not required. This can prevent WannaCry from spreading laterally across your network.

   netsh advfirewall firewall add rule name="BlockSMB" dir=in action=block protocol=TCP localport=445

8. Backups: Regularly back up your data to an offline location. This is essential for recovery in case of a successful attack.

Limitations

Antivirus isn’t perfect, especially against zero-day attacks. A sophisticated attacker can bypass antivirus protection.

• Polymorphic Malware: WannaCry variants evolved to evade detection.
• Fileless Attacks: Some malware operates entirely in memory, making it harder for traditional antivirus to detect.

Conclusion

Antivirus can provide a valuable layer of defence against WannaCry, but it’s not a silver bullet. A comprehensive cyber security strategy that includes patching, network segmentation, backups and user awareness is essential.