What is the implication of MS17-010 patch and SMBv1 deactivation related to WannaCry? Does it remove the malware or just stop it from propagating?

Solution 1:

First, a little preface. The MS17-010 patch is included in all the update rollups for Windows 7, 8.1 and 10 from March onwards. So if you have the April or May (or newer) rollup updates installed, you don't need (and won't have installed) the specific KB-number linked to the MS17-010 patch.

However, if you've elected to install only security-only updates, then you will specifically need to have the March one installed. Unless you've specifically chosen this path, you should be on the rollups. Safest bet is just to let Windows update everything until it says it's up to date.

This is actually the case for all security patches now, not just this one.

> will prevent WannaCry malware from installing/executing

The MS17-010 patch does nothing to stop the ransomware itself. If you download the exe and run it, it'll still do its thing and encrypt your files. For example, the primary infection vector on most networks was through email attachments, IIRC. This is nothing new for ransomware.

However, the worm portion of the program is what facilitates its spread through networks. This attacks the SMBv1 implementation on the destination computer, i.e. the computer the worm is spreading to, not from. Therefore, the MS17-010 patch must be installed on every Windows machine on the network.

Generally, NAT or firewalls at the network edge prevent spread through the internet.

> just prevent the malware (once installed on a certain PC and therefore infecting it) from propagating through the intranet

The patch does nothing to help an already-infected computer. It's only useful if installed on the other non-infected computers on the network.

> are there any benefits of disabling SMBv1 too?

Not directly for WannaCry/EternalBlue, as the MS17-010 patch fixes this particular hole. However, defense in depth would suggest disabling SMBv1 anyway unless you need it, as it reduces the attack surface and minimises damage should there be another currently-unknown SMBv1 bug. Given that Vista and newer support SMBv2, there should be no need to keep SMBv1 enabled unless you need to share files with XP. I hope that's not the case.

> before disabling SMBv1, how to be sure that this will not affect network performance/reliability?

The most obvious effect is you will no longer be able to use Windows file sharing with any XP systems.

As per the link grawity posted and the comments there, this might prevent your computer from showing up in or using the "network" list. You can still access them by typing in the \\computername and see them listed using homegroups (or Active Directory in a business environment).

The other exception as called out in that blog post is older network photocopiers/scanners that have "scan to share" functionality might not support a modern SMB protocol.
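One way to find out whether anything (an XP machine, an older scanner) still connects over SMBv1 before turning it off, as an added example that is not part of the original answer. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later, where SMBv1 access auditing is available; the function names are hypothetical, the cmdlets are Windows built-ins.

```powershell
# Added example; function names are hypothetical, cmdlets are Windows built-ins.
# Run elevated on the machine that shares files (the side the worm attacks).

function Get-Smb1ServerStatus {
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Smb1Enabled  = $cfg.EnableSMB1Protocol
        Smb2Enabled  = $cfg.EnableSMB2Protocol
        Smb1Auditing = $cfg.AuditSmb1Access
    }
}

function Get-Smb1ClientAddress {
    param([int]$Days = 14)
    # Event 3000 in this log is written when a client connects using SMBv1.
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumes the English message text, which has a "Client Address:" line.
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
}

function Disable-Smb1IfUnused {
    param([int]$Days = 14)
    # Refuse to act on an empty log if auditing was never switched on.
    if (-not (Get-SmbServerConfiguration).AuditSmb1Access) {
        Write-Warning 'SMBv1 auditing is off; enable it and wait before deciding.'
        return
    }
    $legacy = @(Get-Smb1ClientAddress -Days $Days)
    if ($legacy.Count -gt 0) {
        Write-Warning "SMBv1 still used by $($legacy.Count) client(s); not disabling."
        return $legacy
    }
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Get-Smb1ServerStatus
}

# Step 1 (now): start recording SMBv1 connections.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
# Step 2 (after a representative period, e.g. two weeks): Disable-Smb1IfUnused -Days 14
```

This only changes the SMB server side of the machine; any addresses it reports are the devices that would lose access to its shares once SMBv1 is off.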