The workaround as described in KB94659:
In response to the identified vulnerability, McAfee has generated an Endpoint Security (ENS) Expert Rule that can prevent exploitation and allow monitoring of this vulnerability. This rule detects when files are written from the spool service into the directory that known exploits are using to drop files on victim systems.
ENS Expert Rule:
NOTE: Before you implement the recommendation below, you must test the rule thoroughly. Thorough testing ensures rule integrity. It also makes sure that no legitimate application, in-house developed, or otherwise, is deemed malicious and prevented from functioning in your production environment. You can set the suggested rule in report-only mode for testing purposes to check whether it causes any conflict in your environment, and to monitor for the target behavior without blocking. After you determine the rule does not block any activity from legitimate applications, you can set the rule to block and apply the setting to relevant systems.
Rule {
    Process {
        Include OBJECT_NAME { -v "spoolsv.exe" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
            Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\Old\\*\\*.dll" }
            Include -access "CREATE"
        }
    }
}
To disable Print Spooler through Group Policy Objects (Recommended for servers, except dedicated print servers):
NOTE: Disabling the print spooler service disables the ability to print both locally and remotely.
- Modify your Global Policy Object (GPO) or create a GPO to manage this setting.
- When you edit the GPO, go to Computer Configuration, Policies, Windows Settings, System Services, Print Spooler.
- Right-click the Print Spooler System Service option, and select Properties.
- Set the System Service to Disabled.
To block only the remote attack vector, administrators can disable inbound remote printing through Group Policy Objects (Recommended for workstations):
- Modify your Global Policy Object (GPO) or create a GPO to manage this setting.
- When you edit the GPO, go to Computer Configuration, Administrative Templates, Printers.
- Right-click the Allow Print Spooler to accept client connections policy option, and select Edit.
- Set the policy to Disabled.
Thanks and regards,
Adithyan T
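
The following is an added example, not part of the reply above or of KB94659: a PowerShell check that reports whether either GPO mitigation is in effect on the local machine and lists DLLs currently sitting in the directories the Expert Rule watches. It assumes an elevated session and that the "Allow Print Spooler to accept client connections" policy is stored in the `RegisterSpoolerRemoteRpcEndPoint` registry value (1 = enabled, 2 = disabled).

```powershell
# Added example: audit the local machine against the mitigations described above.

# 1. Print Spooler service (GPO: System Services > Print Spooler = Disabled)
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
if ($svc) {
    $spoolerOff = ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
    "Spooler service: StartMode=$($svc.StartMode) State=$($svc.State)"
} else {
    $spoolerOff = $true
    "Spooler service: not present"
}

# 2. Inbound remote printing (GPO: Administrative Templates > Printers)
#    Assumed storage: RegisterSpoolerRemoteRpcEndPoint, 1 = enabled, 2 = disabled.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$val = (Get-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint `
            -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
$remoteOff = ($val -eq 2)
if ($null -eq $val) {
    "Remote printing policy: not configured"
} else {
    "Remote printing policy: RegisterSpoolerRemoteRpcEndPoint=$val"
}

# 3. DLLs in the paths the Expert Rule matches:
#    ...\spool\drivers\**\New\*.dll and ...\spool\drivers\**\Old\*\*.dll
#    Driver installs and updates also use these folders, so treat results as
#    items to review (creation time, signature), not as proof of compromise.
$root = Join-Path $env:SystemRoot 'System32\spool\drivers'
$hits = Get-ChildItem -Path $root -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -match '\\(New|Old\\[^\\]+)\\[^\\]+\.dll$' } |
    Select-Object FullName, CreationTimeUtc,
        @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature $_.FullName).Status } }

if ($hits) {
    $hits | Sort-Object CreationTimeUtc -Descending | Format-Table -AutoSize
} else {
    "No DLLs found under New\ or Old\*\ in $root"
}

# Summary
if ($spoolerOff) {
    "RESULT: spooler disabled (local and remote printing unavailable)"
} elseif ($remoteOff) {
    "RESULT: spooler running, inbound remote printing disabled"
} else {
    "RESULT: neither GPO mitigation is in effect on this machine"
}
```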