What to do when file information is blank and using SMBv3


62746
Created On 03/22/19 13:24 PM - Last Modified 01/10/24 07:26 AM


Symptom


When Looking at Logs, File Information Is Not Available

Logs, such as WildFire, Threat and Unified, should all show some sort of file information. Usually a file name, file digest and/or URL are available. In some cases, if the files are transferred using SMBv3, some of the file information may not be recorded. This is usually because SMBv3 uses multichannel file transfers.

What is SMBv3?
SMB 3.0 (Server Message Block 3.0) is a protocol that provides a way for a computer's client applications to read and write to files and to request services from server programs in a computer network. SMB 3.0 was originally introduced with Windows Server 2012 as SMB 2.2. It was updated to 3.0 to reflect the additions in the new release compared to the previous version 2.1.
 
SMB 3.0 (2012)
Debuted in Windows 8 and Windows Server 2012. This version added several significant upgrades to improve availability, performance, backup, security, and management. There were several noteworthy new features, including SMB Multichannel, SMB Direct, transparent failover of client access, Remote VSS support, SMB Encryption, and more.
 
SMB 3.02 (2014) 
Introduced in Windows 8.1 and Windows Server 2012 R2. This version included performance updates and the ability to completely disable CIFS/SMB 1.0 support, including removal of the related binaries.
 
SMB 3.1.1 (2015)
Released with Windows 10 and Windows Server 2016. This version added support for advanced encryption, pre-authentication integrity to prevent man-in-the-middle attacks and cluster dialect fencing among other updates.
 
What is SMB Multichannel and Why Should I Care?
SMB Multichannel is a protocol improvement to Windows file sharing that is found on Windows Server 2012R2 and Windows 8.1 and up. However, recent improvements to Windows 10 have made it easier than ever to get SMB Multichannel working. Prior to the August 2016 Windows 10 update, SMB Multichannel was sensitive to things like the machine name being present, with all associated IP addresses, in DNS. Windows DNS and DHCP will do this. Good routers have this capability and pfSense can do this as well.
 
It also applies if you have 10 gigabit adapters in both client and server. These network adapters are so fast that data typically outpaces what a single CPU core can keep up with. In that case, multichannel still provides a benefit because it separates the data stream so that multiple CPU cores can help handle the workload of moving data around.
 
SMB Multichannel is meant to be as easy as just plugging in another network card. You don't have to do any software config (although that's the promise, it's not entirely true), it does not require a special ethernet switch or any configuration on the switch at all, and it also simultaneously lowers CPU usage.

 
 


Environment


In What Environments Can SMBv3 Be Found?
SMBv3 is usually found in a Windows environment, but it can also be found in some Linux and Unix environments.

Some Supported Applications Using SMBv3 Multichannel

CIFSD
CIFSD is an open-source, in-kernel CIFS/SMB server created by Namjae Jeon for the Linux kernel. Initially, the goal was to provide improved file I/O performance, but the bigger goal is to offer new features that are much easier to develop and maintain inside the kernel and to expose the layers fully. The direction is similar to the parts of Samba that are moving into a few kernel modules so that features like Remote Direct Memory Access (RDMA) work with a real performance gain.
 
Multi-Path File System
The Multi-Path File System (MPFS) is a multi-path network file system, a technology developed and sold by EMC Corporation. MPFS is intended to allow hundreds to thousands of client computer nodes to access shared data with higher performance than conventional NAS file sharing protocols such as NFS. MPFS consists of an agent on the client system and a compatible NAS storage system. The client agent splits the data and metadata for the file being requested. This is done using FMP (File Mapping Protocol). Requests for the data and its location are sent over conventional NFS to the NAS system. Block data is sent to and retrieved directly from the storage device via iSCSI or Fibre Channel. Retrieving data directly from the storage device increases performance by eliminating the file system and protocol overhead associated with NFS or SMB.


Cause


How This Affects Threat Detection
Firewall SMB support now includes SMBv3 (3.0, 3.0.2, and 3.1.1) and has additional threat detection and file identification capabilities, as well as improved performance and reliability across all versions of SMB. These improvements provide an additional layer of security for networks, such as data center deployments, network segments, and internal networks, by allowing files transmitted using SMB to be forwarded to WildFire for analysis. Because of the way that SMBv3 multichannel splits up files, customers should disable multichannel file transfer for maximum protection and inspection of files. As a result, Palo Alto Networks recommends disabling SMB multichannel through Windows PowerShell.

For more information on this task, please refer to the following documents:
The use of SMBv3 Multichannel can cause false positive detections, since the firewall does not see the multiple streams as one file but as multiple files being transferred. This can cause the signatures to fire on random files and even on the reading of directories. These false positives are extremely difficult to replicate in a lab. Many customers are not using a strictly Windows environment; there are many non-Windows applications and appliances that use SMBv3 and can still generate these issues.


Resolution


What To Do
You can use the following steps to verify whether you are using SMB Multichannel.

Step 1: Verify Network Adapter Configuration
Use the following PowerShell cmdlets to verify you have multiple NICs and/or to verify the RSS and RDMA capabilities of the NICs. Run on both the SMB server and the SMB client.
  • Get-NetAdapter
  • Get-NetAdapterRSS
  • Get-NetAdapterRDMA
  • Get-NetAdapterHardwareInfo
 
Step 2: Verify SMB Configuration
Use the following PowerShell cmdlets to make sure SMB Multichannel is enabled and to confirm the NICs are being properly recognized by SMB and that their RSS and RDMA capabilities are being properly identified.

On the SMB client, run the following PowerShell cmdlets:
  • Get-SmbClientConfiguration | Select EnableMultichannel
  • Get-SmbClientNetworkInterface
On the SMB server, run the following PowerShell cmdlets:
  • Get-SmbServerConfiguration | Select EnableMultichannel
  • Get-SmbServerNetworkInterface
 
Step 3: Verify the SMB Connection
On the SMB client, start a long-running file copy to create a lasting session with the SMB server. While the copy is ongoing, open a PowerShell window and run the following cmdlets to verify the connection is using the right version of SMB and that SMB Multichannel is working:
  • Get-SmbConnection
  • Get-SmbMultichannelConnection
  • Get-SmbMultichannelConnection -IncludeNotSelected
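The three steps above, combined into one client-side script that also flags a session that is actually using more than one channel. This is an added example and not part of the KB article; $Server is a placeholder name, and a long file copy to it should already be running.

```powershell
# Added example, not from the KB article: runs the Step 1-3 checks on the SMB
# client in one pass and flags a session that is using more than one channel.
# $Server is a placeholder; start a long file copy to it before running this.
param([string]$Server = 'FILESRV01')

# Step 1: physical NICs that are up, with their RSS and RDMA capability
$rssOn  = Get-NetAdapterRss  | Where-Object Enabled | ForEach-Object Name
$rdmaOn = Get-NetAdapterRdma | Where-Object Enabled | ForEach-Object Name
Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
    [pscustomobject]@{
        Adapter = $_.Name
        Speed   = $_.LinkSpeed
        RSS     = ($rssOn  -contains $_.Name)
        RDMA    = ($rdmaOn -contains $_.Name)
    }
} | Format-Table -AutoSize

# Step 2: client-side Multichannel setting and the interfaces SMB itself sees
"Client EnableMultiChannel: $((Get-SmbClientConfiguration).EnableMultiChannel)"
Get-SmbClientNetworkInterface |
    Format-Table InterfaceIndex, FriendlyName, Speed, RssCapable, RdmaCapable, IpAddresses -AutoSize

# Step 3: dialect of the live session and the channels SMB selected for it
Get-SmbConnection -ServerName $Server | Format-Table ServerName, ShareName, Dialect, NumOpens -AutoSize
$channels = @(Get-SmbMultichannelConnection -ServerName $Server -IncludeNotSelected)
$channels | Format-Table ClientIpAddress, ServerIpAddress, Selected, CurrentChannels, MaxChannels -AutoSize

# More than one selected channel means the file is split across TCP connections,
# which is the condition under which the firewall records incomplete file information.
$selected = @($channels | Where-Object Selected)
if ($selected.Count -gt 1 -or ($selected.CurrentChannels | Measure-Object -Sum).Sum -gt 1) {
    Write-Warning "SMB Multichannel is active to ${Server}: file inspection may be incomplete."
} else {
    "Single-channel SMB session to $Server."
}
```

Run the same script on the server with the Get-SmbServerConfiguration and Get-SmbServerNetworkInterface cmdlets from Step 2 substituted for their client counterparts.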

Installing
SMB Multichannel is enabled by default. There is no need to install components, roles, role services, or features. The SMB client will automatically detect and use multiple network connections if a proper configuration is identified.
 
Disabling
SMB Multichannel is enabled by default. To disable SMB Multichannel you can use the following PowerShell cmdlets.

On the SMB server side, use the following cmdlet:
  • Set-SmbServerConfiguration -EnableMultiChannel $false
On the SMB client side, use the following cmdlet:
  • Set-SmbClientConfiguration -EnableMultiChannel $false
(NOTE: Disabling the feature on either the client or the server side will prevent the systems from using it.)
 
Re-Enabling
You can re-enable SMB Multichannel after you disabled it by using the cmdlets below.

On the SMB server side, use the following cmdlet:
  • Set-SmbServerConfiguration -EnableMultiChannel $true
On the SMB client side, use the following cmdlet:
  • Set-SmbClientConfiguration -EnableMultiChannel $true
(NOTE: You need to enable the feature on both the client and the server sides to start using it again.)
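The Disabling and Re-Enabling steps above as one script that applies the setting to both sides of a host and confirms it took effect. This is an added example and not part of the KB article; it assumes an elevated PowerShell session on a Windows host that acts as both SMB client and server.

```powershell
# Added example, not from the KB article: sets EnableMultiChannel on both the
# server and client side of this host and confirms the result. Run elevated.
# Default disables Multichannel; call with -Enable $true to revert (both sides
# must be re-enabled for the feature to work again, as the KB note says).
param([bool]$Enable = $false)

function Get-MultichannelState {
    [pscustomobject]@{
        Server = (Get-SmbServerConfiguration).EnableMultiChannel
        Client = (Get-SmbClientConfiguration).EnableMultiChannel
    }
}

$before = Get-MultichannelState
"Before: server=$($before.Server) client=$($before.Client)"

# -Force suppresses the confirmation prompt; omit it to approve each change interactively.
Set-SmbServerConfiguration -EnableMultiChannel $Enable -Force
Set-SmbClientConfiguration -EnableMultiChannel $Enable -Force

$after = Get-MultichannelState
if ($after.Server -eq $Enable -and $after.Client -eq $Enable) {
    "After: server=$($after.Server) client=$($after.Client) (as requested)"
} else {
    Write-Error "Setting did not apply: server=$($after.Server) client=$($after.Client)"
}

# Re-run the Step 3 check after re-establishing a session to confirm it now uses a single channel.
Get-SmbMultichannelConnection | Format-Table ServerName, ClientIpAddress, Selected, CurrentChannels -AutoSize
```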

Verify the SMB traffic (Optional)
If you have a packet capture containing the SMB traffic, you can use the Wireshark filter "smb2.capabilities.multi_channel" to determine whether SMB Multichannel is supported on the SMB client or server. "smb2.capabilities.multi_channel" checks the "Capabilities" field of the "Negotiate Protocol Request", "Negotiate Protocol Response" or "Session Setup Request". If "MULTI CHANNEL: This host supports MULTI CHANNEL" appears in the "Capabilities" field of any of these messages, SMB Multichannel is supported on that SMB client or server. The screenshot below shows an SMB client that supports SMB Multichannel.

[Screenshot SMB.png: Wireshark view of an SMB2 Negotiate Protocol Request whose Capabilities field shows MULTI CHANNEL set]

 


Additional Information


List of SMB Clients and Servers

For a complete list of products that support SMB, including SMB clients, SMB servers, and a list of protocols that extend SMB, please visit the Wikipedia page at https://en.wikipedia.org/wiki/List_of_products_that_support_SMB.
 

