Topic: Constant SMB:CVE-2017-0144 Alerts

KDibble
Re: Constant SMB:CVE-2017-0144 Alerts
« Reply #15 on: October 20, 2020, 08:32:24 PM »
So I realized I had stopped getting alerts because the machine in question was turned off. When the user started it again today I started getting email alerts from the console... for a while. Then they stopped. However, I'm logged in remotely to the machine and the Avast pop-ups are still appearing there.

Looking on the console, there have been no detections reported for almost an hour and a half.

To make it even more mysterious, the console can no longer send email; the test fails. Nothing about the SMTP settings has been changed. The email server is an internal server on my network; nothing about it has changed either and I can still use it to send ordinary email.

I rebooted the console server; no change.

So what's wrong now?

KDibble
Re: Constant SMB:CVE-2017-0144 Alerts
« Reply #16 on: October 20, 2020, 08:53:23 PM »
Oh, this is beautiful.

I realized that the machine in question wasn't connected to the VPN, so it could not talk to the on-premise console. So I started the VPN on that machine.

I also realized I had five logged-in instances of the console open--apparently, though some of them may have timed out. I closed them all and logged into the console again, where I received two new alerts from the affected machine, a couple minutes apart.

I also received two email alerts of these new detections. I ran the email test in the console after each one, and it STILL failed, both times.

So I have to conclude that the email test is buggy.

KDibble
Re: Constant SMB:CVE-2017-0144 Alerts
« Reply #17 on: October 21, 2020, 05:37:37 PM »
Turning on the machine's firewall has stopped these pop-ups. Since the machine was patched, rendering the port probes ineffective, I contend that these highly annoying alerts are false positives that Avast could easily prevent by reading the registry or the version number of the relevant .sys file. Because Avast does not do this, I spent several hours of my, and my consultant's, time to address this. I am not happy.