Audit and Remediation: How does the EternalBlue Hardening query determine if SMB is checked via registry or feature?
Carbon Black Cloud: All Versions
Audit and Remediation
How does Live Query determine which method, registry or feature setting, to check if SMB1 is enabled?
The method is chosen from the OS version values (os.major and os.minor in the os_version table).
Windows 8 and above will check the feature setting.
Windows 7 and below will check the registry value.
The conditions that make this choice are at the bottom of the query:
(os.major == 10)
OR (os.major == 6 AND os.minor == 3)
((os.major == 6))
AND (os.minor == 3)
(os.major == 6)
AND (os.minor == 0 OR os.minor == 1)
FROM os_version AS os
WHERE os.platform = 'windows'
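
As an added illustration (not the Carbon Black query itself), the following osquery SQL shows how version conditions like the ones above can select between a feature check and a registry check. The tables windows_optional_features and registry, the feature name SMB1Protocol, the LanmanServer registry path, and the output labels check_method, smb1_state and 'unhandled' are assumptions of this example.

```sql
-- Added example, not the vendor's query: pick the SMB1 check by OS version.
-- Assumes the osquery tables os_version, windows_optional_features and registry.
SELECT
  os.name,
  os.major,
  os.minor,
  -- Which method applies to this host, using the conditions quoted above.
  CASE
    WHEN (os.major == 10) OR (os.major == 6 AND os.minor == 3)
      THEN 'feature'
    WHEN (os.major == 6) AND (os.minor == 0 OR os.minor == 1)
      THEN 'registry'
    ELSE 'unhandled'  -- version matched neither condition in this example
  END AS check_method,
  -- The value that method returns.
  CASE
    WHEN (os.major == 10) OR (os.major == 6 AND os.minor == 3)
      THEN (SELECT statename
              FROM windows_optional_features
             WHERE name = 'SMB1Protocol')
    WHEN (os.major == 6) AND (os.minor == 0 OR os.minor == 1)
      THEN COALESCE(
             (SELECT data
                FROM registry
               WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1'),
             'value absent')  -- no explicit setting, so the OS default applies
  END AS smb1_state
FROM os_version AS os
WHERE os.platform = 'windows';
```

A host that reports 'unhandled' or 'value absent' has no explicit result from either check and should be reviewed manually.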