We tried to apply all work around suggested by Qualys knowledge base:
To Protect your systems:
- Apply Microsoft patches where relevant MS17-010 and KB4012598. ==> DONE
- Use the Windows AppLocker feature to disable the execution of files named perfc.dat and PSExec.exe.
- Disable WMI. Disable SMBv1.
- Block TCP Port 445 at the perimeter.
- Make sure systems are running up to date anti-malware. ==> DONE
- Block ADMIN$ access via GPO.
- Maintain good back-ups so that if an infection occurs, you can restore your data.==> DONE
Cleaning up Infected systems:
- Contact your Anti-Malware vendor to remove the infection.
- Restore data from a known good backup.
We still detect the QID.
My question is what detects the appliance? Is it just a check on Port 445 and the appliance give back a vulnerability based on this?
Is it a check of what is actually installed on the machine?
We installed a false Petya file in our systems, we wanted to be sure that we take no risks by deleting it.