05-16-2017 10:04 AM
Do we have a comprehensive list of Xerox machines and whether SMBv2/V3 is supported as well as at which firmware levels the models will default to SMB v2 when this is not a selectable option?
Primary machines of concern are :
05-16-2017 11:30 AM
I believe no such document exists.
I *know* the 75XX and 930X can and do use SMB2 assuming they are on the latest spar firmwares, unlikely they do with the general releases. The 930X would need to be on the latest Connectkey version, not the non-connectkey.
7545 firmware is here
Can't link to the 930X as I don't know what you are running now
8900 I have no idea, bif it is on an 072 fimrware (Connectkey), it should, latest version is here
7120 firmware is here, I have used it on a default install of Server 2008 with no modifications server side, so SMB2 should be fine, I believe 3 it doesn't do though.
05-16-2017 10:22 PM - edited 05-16-2017 11:29 PM
As others have been posting recently, we also disabled SMBv1 after the WannaCry epidemic and found it broke Workflow Scanning.
We have WorkCentre 7530 machines. I've updated them to the latest SPAR release I can find, which is 061.121.227.03404
With this version, scanning still does not work. I obtained a packet capture with Wireshark and when the copier goes to connect to the Windows 2012 R2 file server, it transmits a list of SMB dialects that tops out at SMB version 1.
Is there any way to confirm that this build supports SMB v2?
Here is the list of dialects being transmitted by our copiers:
05-17-2017 10:19 AM - edited 05-17-2017 11:32 AM
That looks like the scan template uses port 139 and not 445. Switch it to 445 and scan again
PM me the wireshark trace and I can look into it, but you can just type SMB2 in the filter
It does appear that patch from MS is breaking a lot of FujiXerox scan setups. Widespread reports on the whole lineup are coming.
C60 family, 560 family, 75XX and 71XX so far all with the same error since Wanacrypt patch released.
I don't have time to dedicate to the issue to thoroughly test it, but so far it isn't looking great, possibly some with newer firmware will work assuming they are using port 445 and do support SMB2 (I'm all but certain the 75XX does in latest releases)
But I simply don't have the time to build a test bed and hook up a switch to do the traces and inspect them after verifying if they work or don't.
What I state here is just my experiences, not anything official from Xerox....
05-17-2017 10:37 PM
Our file repository was set for port 445. Just to be sure, I created a new repository and switched the template to use it.
I'll PM you a copy of a successful scan (with SMB 1 enabled), a failed scan (with SMB 1 disabled), and a screen capture of the repository configuration.
From your comments about lots of reports coming in, is it safe to say that engineering is going to be writing and releasing a fix at some point? Or should I call support to add one more ticket to get things moving in that direction?
Thank you again!
05-18-2017 12:22 PM
I would call.
I don't actually support the 75XX product, but I am in the room where they are supported, I've heard issues with 2012.
That being said, I did altboot (completely wipe) one, and we built a Server 2012 VM, patched it fully including the MS17.010 patch and scanned without issue from the 75XX with no issue at all. We did not disable SMB1 and we did not do a wireshark trace to verify what it did. So if you disable SMB1 and not just apply the patch that fixes the hole in SMB1, your results could easily be different.
05-18-2017 07:29 PM
Thanks Joe. I will call in, but if you could show this post to the 75xx guys also I'd appreciate it!
Applying the patch does not disable SMB1, so wouldn't break Workflow Scanning. While the patch protects against WannaCry, SMB1 is a very old (30 years) and insecure protocol, and Microsoft recommends disabling it completely. Here's a blog from the SMB owner at Microsoft explaining why:
Disabling SMB1 for testing in a lab environment is easy. Just import this registry setting and then restart the Server service and SMB1 will be off. Delete the key or change it to 1 and restart the service to re-enable.
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] "SMB1"=dword:00000000
From my Wireshark captures, it's clear that the 75xx is only advertising SMB1 support. If the code is there for SMB2, it isn't fully implemented. So when SMB1 is disabled on the server, Workflow Scanning can't talk to the server. Or, in a more strict sense, the server sees the copier only supports SMB1 and refuses to talk to it.
Thanks again! Fingers crossed for a SPAR update soon.
05-19-2017 09:44 AM
I have your traces, and since I'm a bit interested in the issue, and I can weasel my way into it. Send me a PM with your real name, phone number and email address, along with a copy of your config sheet from the printer.
I will have it sparred with you as the contact (Assuming it is a USA based machine) If Canada I might, if neither forget I mentioned it.
05-22-2017 12:49 PM
FYI for the thread, Joe let me know that this issue has been given to the team that decides if it should be fixed with a SPAR.
I will post updates on anything I hear to this thread in case anyone with the same issue is watching it.
Thank you Joe for escalating this!