Does drivepool alter smb security?


denywinarto

Question

Asking this because I was hit by a 2010 shortcut virus... My server is shared for public usage to a number of clients, so the source might be infected thumb drives, but I can't understand how it can affect read-only SMB shares. Does DrivePool alter SMB share security, or is this a known Windows Server 2012 R2 security hole?

Hopefully it's the latter.

I have followed a guide to clean it. But it still kind of worries me if it happens again. Does anyone know a fix or patch?

VtGX1J2.jpg

  • 0

No. 

The balancing code basically uses the same API that drag and drop operations use (the difference being that we copy to a ".COPYTEMP" file, rename the file when the operation is complete, and "clean up" files if/when needed).

It's not doing anything weird, abnormal, or the like.

However, from the screenshot, it looks like it's identifying "desktop.ini" files. These are generally harmless, so this is more likely a false positive.

  • 0

Now I know what's probably causing it.

See, like I said, I'm sharing it with local diskless clients, and some of those clients have personal data that is saved even after reboot.

Now this personal data is probably infected with a virus.

So I tested one of the infected folders from the client side.

And surprisingly, the client can create a text document inside that folder!

But deleting the text file requires an admin account and was halted immediately,

and strangely, after a while, the text file is gone..

I double-checked the security and it's definitely shared with a standard account, and it doesn't have write permission.

I tested the other folder that's not infected and it refuses to write anything, prompting "destination folder access denied".

So the writable folder is causing a security hole...

Is this related to DrivePool somehow?

 

Edit: attached is the permission difference between the writable folder (veep) and the read-only folder (vinyl).

It seems like there are extra users for the writable folders..

I could probably remove those users, but the problem is some new folders also have this writable behavior..

write.jpg

 

Edit: I changed the whole pool's permission inheritance and it seems like the shortcut virus isn't back.. yet


  • 0

Well, copying from one drive to another (or network location) can cause the permissions to get reset. So, from C: to Z: would cause that.

As for the virus thing, on a second/closer look, it looks like ESET is losing its mind over the 'desktop.ini' files. I would check one, to see what it looks like (e.g., calling an EXE or some such). Especially as it's mentioning "AutoRun" worms.


  • 0
3 hours ago, Christopher (Drashna) said:

Well, copying from one drive to another (or network location) can cause the permissions to get reset. So, from C: to Z: would cause that.

As for the virus thing, on a second/closer look, it looks like ESET is losing its mind over the 'desktop.ini' files. I would check one, to see what it looks like (e.g., calling an EXE or some such). Especially as it's mentioning "AutoRun" worms.

desktop.ini is indeed a virus; other AVs are reporting the same..

Earlier this morning some of the folders changed their permissions again.. and the shortcut virus is back..

E.g.: the correct permissions should be: Everyone, admin and client

The infected folders have extra permissions from SYSTEM, Authenticated Users, and Users.

Not sure if it's because I forgot to fix the permissions on those folders, or something else changed them, but I'm pretty sure I made the parent folder inherit the correct permissions.

It's not as many folders as the last time though.. hopefully it's just me forgetting to change the permissions, will monitor again..

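One way to find the folders whose ACLs carry the extra write-capable entries described in the posts above, as an added example that is not from the thread participants or from DrivePool. The `$Root` path and the `$Expected` list of identities allowed to write are assumptions to replace with your own values.

```powershell
# Added example: list folders whose ACL grants write access to unexpected identities.
param(
    [string]$Root = 'P:\Shares',   # assumption: path to the pooled share root
    [string[]]$Expected = @('BUILTIN\Administrators')  # assumption: who may write
)

$R = [System.Security.AccessControl.FileSystemRights]
# Specific rights that let a principal create, change or delete content.
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor $R::TakeOwnership)
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) can be stored unmapped.
$GenericMask = 0x50000000

function Test-WriteAce {
    param($Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $bits = [int]$Ace.FileSystemRights
    return (($bits -band $WriteMask) -ne 0) -or (($bits -band $GenericMask) -ne 0)
}

# Include the root itself, then every folder below it.
$dirs = @(Get-Item -LiteralPath $Root) +
    @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($dir.FullName)"; continue }
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ((Test-WriteAce $ace) -and ($Expected -notcontains $who)) {
            [pscustomobject]@{
                Folder    = $dir.FullName
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # False = set directly on this folder
                Protected = $acl.AreAccessRulesProtected  # True = inheritance disabled
            }
        }
    }
}

$findings | Sort-Object Folder, Identity | Format-Table -AutoSize
```

Rows with `Inherited` = False are entries set directly on that folder, so correcting the parent folder's permissions alone does not remove them.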