As we are all aware of the recent worldwide ransomware attack "WannaCry", it has been observed that the SMB1 protocol version is vulnerable if kept open, so the respective team has disabled SMB1 on the servers.
This results in stopping the connection to the host for data transfer from the host device/server to the ArcSight connector.
Currently we are facing frequent issues related to device non-reporting because SMB1 is disabled at the server.
Please suggest an alternative option to make the data transfer work and resolve the non-reporting issue.
Attaching the snapshot for the same.
I presume you are talking about the Windows Unified Connector? If so, the Unified has the limitation that it can only support SMBv1. As soon as you block SMBv1, you can expect the Connector not to be able to retrieve logs anymore.
The Windows Native however supports both SMBv2 and SMBv3. So I think that upgrading your connectors to Windows Native and only allowing SMBv2 or v3 on your servers should solve your issue. From the Windows Native Configuration Guide:
However, just patching the Windows environment might be a better idea than totally disabling the SMB protocol. I presume there are more services in the network using SMB and not only the ArcSight Connectors.
All the best,
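
To see which clients on a file server still depend on SMBv1 before it is switched off, and to confirm that a migrated connector really negotiates SMBv2/v3, the server's own SMB cmdlets can be used. The following is an added example, not part of the original posts or of the ArcSight documentation; it assumes an elevated PowerShell session on a Windows Server build whose SmbShare module exposes `AuditSmb1Access`, and the audit step only records anything while SMBv1 is still enabled.

```powershell
# Added example (not from the thread). Run elevated on the Windows server
# that the connector collects from.

# 1. Report which SMB protocol families the server currently accepts.
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    Server       = $env:COMPUTERNAME
    SMB1Enabled  = $cfg.EnableSMB1Protocol
    SMB2Enabled  = $cfg.EnableSMB2Protocol   # this one switch covers SMBv2 and SMBv3
    SMB1Auditing = $cfg.AuditSmb1Access
}

# 2. Turn on SMB1 access auditing so every SMBv1 connection is logged.
#    This changes no protocol behaviour; it only adds audit events.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. After a representative period (for example a few days), list the
#    clients that still connected with SMBv1. Event ID 3000 in the
#    SMBServer audit log carries the client address in its message text.
$smb1Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'
    Id      = 3000
} -ErrorAction SilentlyContinue

$smb1Events |
    ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Smb1Connections'; e = { $_.Count } },
                  @{ n = 'ClientAddress';   e = { $_.Name } }

# 4. Show the dialect negotiated by each currently connected client.
#    A connector that has been moved off SMBv1 shows 2.x or 3.x here.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Sort-Object Dialect
```

An empty result in step 3 after a full collection cycle indicates that no client, including the connector host, is still relying on SMBv1 on that server.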