Thanks to Kaspersky, we now know that 98% of the Windows machines infected by WannaCry/WannaCrypt were running Windows 7. Since, once it gets a foothold, the malware can infect an entire network, most of the attention was focused on LAN-based attacks. My previous blog was about using the Windows firewall as a defensive measure.
But any malware can spread in multiple ways, so there is always a need for anti-malware software on Windows PCs. The May 12th blog post, Customer Guidance for WannaCrypt attacks, in which Microsoft announced the release of a bug fix for Windows XP, mentioned that:
"For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt."
Problem is, the term "Windows Defender" has two meanings.
When dealing with Windows 8.1 and 10, it refers to a program that defends against all types of malicious software. When dealing with Windows 7, it refers to software that only protects against spyware. Microsoft offers Windows 7 users companion software, their Security Essentials, for dealing with other types of malware.
So, when Microsoft touts Windows Defender as protecting against WannaCry/WannaCrypt, how does that apply to Windows 7 users?
Not at all.
Sources close to the company tell me that Windows 7 users who want to be protected from WannaCry need to install Microsoft Security Essentials. Or, of course, a third-party anti-virus program.
If you search for Microsoft Security Essentials with your favorite search engine, you may end up at this download page which forces you to choose between an amd64 version and an x86 version without explaining what the terms mean. You are far better off downloading it from this page, which offers multiple languages and clear choices between 32-bit and 64-bit.
Considering recent events, a full scan with Security Essentials is probably called for. Expect it to take quite a while.
I had no experience with MSE on Windows 7, and the first time I ran a full scan with it, there was a false positive (above).
I am a big fan of the free, portable software provided by Nir Sofer at nirsoft.net. One of his programs, Mailpassview, was detected by Security Essentials as a medium level threat. MSE is not the first anti-malware program to object to software from Mr. Sofer. With other programs, it was a trivial thing to whitelist the Nirsoft software.
Not with Security Essentials. Not only was "Quarantine" the recommended action, it was the only action. Security Essentials wasn't interested in my opinion at all.
Adding insult to injury, when I did quarantine the program, there was an 80508023 error (above). What does that mean? Use some other anti-malware software.
- - - - -
UPDATE May 22, 2017: Just after this article was published, Martin Brinkmann of Ghacks.net published this: NirSoft.net Review (Tech Sites We Love), an overview of the software from Nir Sofer.
Get in touch with me privately by email at my full name at Gmail. Public comments can be directed to me on Twitter at @defensivecomput