(version of client >= "6.0.0.0") AND ((exists true whose (if true then (exists (operating system) whose (it as string as lowercase contains "Win10" as lowercase)) else false)) AND (exists true whose (if true then ((it is "1909" or it is "1903") of ((((value of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) whose (name of it is "ReleaseId")) as string) | (((value of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) whose (name of it is "CurrentBuild")) as string) | "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ReleaseId not found")) else false)) AND (exists true whose (if true then (((value "DisableCompression" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" of native registry) as string | "0") is "0") else false)))
I love that BigFix has the flexibility to allow community-driven solutions like this. @tasaif Stuff like this is powerful. Thanks for sharing here.
Did you know that BigFix.me has an interface for sharing these types of Fixlets?
Also, a quick suggestion. When you paste Relevance or Action Script here, the forum converts your quotes into SmartQuotes, which means when people copy your code and paste it, the code breaks. If you use the CODE tool when posting here, it prevents that from happening. Looks like </> in the toolbar.
q: (version of client >= "6.0.0.0") AND ((exists true whose (if true then (exists (operating system) whose (it as string as lowercase contains "Win10" as lowercase)) else false)) AND (exists true whose (if true then ((it is "1909" or it is "1903") of ((((value of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) whose (name of it is "ReleaseId")) as string) | (((value of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) whose (name of it is "CurrentBuild")) as string) | "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ReleaseId not found")) else false)) AND (exists true whose (if true then (((value "DisableCompression" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" of native registry) as string | "0") is "0") else false)))
A: True
action uses wow64 redirection false
waithidden powershell -ExecutionPolicy ByPass -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' DisableCompression -Type DWORD -Value 1 -Force"
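An audit-then-set version of the relevance and action script above, in PowerShell. This is an added example, not code from the thread's posters: the function names are hypothetical, and the build-number check (18362/18363 for 1903/1909) is an addition that covers a machine where ReleaseId cannot be read.

```powershell
# Added example. Mirrors the thread's relevance: Windows 10, release 1903/1909,
# and DisableCompression missing or 0 under LanmanServer\Parameters.
$CurrentVersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$LanmanParamsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbCompressionState {
    $cv = Get-ItemProperty -Path $CurrentVersionKey
    $isWin10 = $cv.ProductName -like 'Windows 10*'
    # ReleaseId is what the relevance compares; the build numbers are the fallback.
    $isAffectedRelease = ($cv.ReleaseId -in '1903', '1909') -or
                         ($cv.CurrentBuild -in '18362', '18363')
    # A missing value is treated as 0, the same default the relevance uses (| "0").
    $raw   = (Get-ItemProperty -Path $LanmanParamsKey).DisableCompression
    $value = if ($null -eq $raw) { 0 } else { [int]$raw }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ReleaseId          = $cv.ReleaseId
        CurrentBuild       = $cv.CurrentBuild
        InScope            = $isWin10 -and $isAffectedRelease
        ValuePresent       = $null -ne $raw
        DisableCompression = $value
        NeedsAction        = $isWin10 -and $isAffectedRelease -and ($value -eq 0)
    }
}

function Set-SmbCompressionMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $before = Get-SmbCompressionState
    if (-not $before.NeedsAction) { return $before }   # out of scope or already set

    # Same registry write as the action script; needs an elevated session.
    if ($PSCmdlet.ShouldProcess($LanmanParamsKey, 'Set DisableCompression = 1')) {
        Set-ItemProperty -Path $LanmanParamsKey -Name DisableCompression `
            -Type DWord -Value 1 -Force
    }
    # Re-read so the caller sees the value actually stored, not the intended one.
    Get-SmbCompressionState
}

# Report only; run Set-SmbCompressionMitigation (optionally with -WhatIf) to change it.
Get-SmbCompressionState
```

Running `Set-SmbCompressionMitigation -WhatIf` shows whether the write would happen without touching the registry.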
Are older versions of Windows (other than what is listed in the Security Updates table) affected by this vulnerability?
No, the vulnerability exists in a new feature that was added to Windows 10 version 1903. Older versions of Windows do not support SMBv3.1.1 compression.
I’m not sure this is correct – can you share where you read this? As far as I’ve seen, any SMBv3 server is vulnerable – and all Windows computers act as both SMB servers and SMB clients.