@Mr. Fox
What do you think of this bro? We don't have a vPro chipset right?
http://www.majorgeeks.com/files/details/disable_intel_amt.html
Just ran it on my system, takes a while, then it prompts you to reboot:
-
Spartan@HIDevolution Company Representative
-
I checked this once before many months ago and had no trace of it. I just ran the tool and here is what the log showed.
Code:
Intel AMT disabler
This logfile can also be found in C:\Temp as UnAMT.log
Executed on: Sat 05/06/2017 @ 17:22:18.32
2017-05-06 17:22:18:(INFO) : ACU Configurator , Category: HandleOutPut: Starting log 2017-05-06 17:22:18
2017-05-06 17:22:18:(INFO) : ACU Configurator, Category: : ACUConfig 11.1.0.75
2017-05-06 17:22:18:(INFO) : ACU Configurator, Category: -Unconfigure AMT-: TORNADO-F5: Starting to unconfigure AMT...
2017-05-06 17:24:03:(WARN) : ACU Configurator, Category: Exit: ***********Exit with code 2 - Intel(R) AMT is already unconfigured on this system.
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
Local Intel AMT listening ports:
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING
TCP [::]:49664 [::]:0 LISTENING
We are all done... REBOOT your machine at this point.
Finished at: 17:24:04.04
Made by @bartblaze
Use at your own risk
-
Spartan@HIDevolution Company Representative
-
Code:
Intel AMT disabler
This logfile can also be found in C:\Users\patx99\AppData\Local\Temp as UnAMT.log
Executed on: 06-May-17 @ 21:26:29.59
2017-05-06 21:26:30:(INFO) : ACU Configurator , Category: HandleOutPut: Starting log 2017-05-06 21:26:30
2017-05-06 21:26:30:(INFO) : ACU Configurator, Category: : ACUConfig 11.1.0.75
2017-05-06 21:26:30:(INFO) : ACU Configurator, Category: -Unconfigure AMT-: patrick-x99: Starting to unconfigure AMT...
2017-05-06 21:28:15:(WARN) : ACU Configurator, Category: Exit: ***********Exit with code 2 - Intel(R) AMT is already unconfigured on this system.
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
Local Intel AMT listening ports:
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING
TCP [::]:49664 [::]:0 LISTENING
We are all done... REBOOT your machine at this point.
Finished at: 21:28:18.66
Made by @bartblaze
Use at your own risk
-
Tinderbox (UK) BAKED BEAN KING
I ran "Disable Intel AMT.EXE" the other day and my Avast went berserk and blocked and virus vaulted the file.
So I downloaded one from MS, "Intel-SA-00075_1.0.1.6.ZIP". I ran the GUI version and it said my computer was not affected.
Tinderbox (UK) BAKED BEAN KING
Intel says that only business machines may be affected, not consumer models.
http://windowsitpro.com/security/intel-issuing-firmware-update-battle-new-management-vulnerability
https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-Guide
Intel patches remote execution that dates back to 2008
And, here is my content from the thread I started:
How to check for the Intel Active Management exploit
How to check for the Intel Active Management exploit that lets hackers take over your PC
By Gordon Mah Ung
EXECUTIVE EDITOR, PCWORLD | MAY 9, 2017 3:25 AM PT
http://www.techconnect.com/article/...loit-that-lets-hackers-take-over-your-pc.html
"How to find out whether your PC is safe
While the vast majority of consumer PCs probably don't have the exploit, it wouldn't hurt to take five minutes to check your system.
First, download Intel's tool to check for the vulnerability. You can also click this link to download it from Intel directly. It's listed as supporting Windows 10 and Windows 7, but we had no issues running it on Windows 8.1.
Once you've downloaded it, decompress the zip file to a folder. Open the folder, then open its Windows subfolder. Inside you'll find several files. Launch Intel-SA-00075-GUI.exe."
INTEL-SA-00075 Detection Guide
Version: 1.0 (Latest) Date: 5/3/2017
https://downloadcenter.intel.com/download/26755
https://downloadcenter.intel.com/downloads/eula/26755/INTEL-SA-00075-Detection-Guide?httpDown=https://downloadmirror.intel.com/26755/eng/Intel-SA-00075_1.0.1.6.zip
Remote access bug in Intel AMT worse than we thought, says researcher
A long-standing flaw in Intel's manageability firmware may date back 10 years and is trivial to exploit, so patch your devices now, says security researcher.
https://www.scmagazineuk.com/remote...an-we-thought-says-researcher/article/655543/
"Intel is warning users of its chips that an attacker could gain remote access to PCs or devices that have its manageability firmware.
Intel described it as a critical escalation of privilege vulnerability while other commentators said the simplicity and severity put it more in the category of a backdoor.
According to an Intel Vulnerability Tracking Page set up by SSH Communications Security, Intel has provided OEM partners with a fix, though none of the OEMs has yet released updated firmware.
Specifically, the flaw was found in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology, firmware versions 6 through 11.6. Various reports state that the bug dates back to approximately 10 years ago.
According to Intel, there are two ways an attack can potentially access the vulnerability: "an unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs" or "an unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs." The first method does not apply to Intel Small Business Technology.
“It is stunning that a vulnerability this severe can exist in practically every Intel server. If, as some sources now say, Intel has known of this vulnerability for years, it can only be an intentional backdoor," Tatu Ylonen, founder and SSH fellow, SSH Communications Security, said in comments sent to SC Media.
"It undermines the very fabric of information society. This vulnerability could cause many billions of dollars of damage to enterprises if weaponized against their servers and data. The impact can also be particularly long-term if their internal cybersecurity systems are compromised as a result of this vulnerability.”
Ylonen said the vulnerability could be exploited with just five lines of Python code in a one-line shell command.
In his blog, he wrote: “If your Active Directory server's AMT port can be accessed, this is like giving every internal user Domain Administrator rights to your domains.”"
Intel advises that affected customers check with their system OEM for updated firmware. For those who cannot yet update their firmware, the company has published a document that details steps for mitigation.
Ylonen's advice is to disable AMT immediately, beginning with the most critical servers in your organisation. He also advises data centres block ports 16992, 16993, 16994, 16995, 623 and 664 in internal firewalls now if they can.
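Added example, not part of the thread or of the tool discussed in it: a Python check that parses `netstat -an`-style rows, such as the two printed in the logs above, and reports only listeners whose local port is exactly one of the ports Ylonen lists. The function names and the second sample are constructed for illustration; the port list and the first sample come from this page.

```python
import re

# Ports named in the post above (Ylonen's internal-firewall advice).
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}

# Windows `netstat -an` row: protocol, local endpoint, remote endpoint, [state].
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)

# The two rows printed in the UnAMT logs on this page.
FROM_PAGE = """\
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING
TCP [::]:49664 [::]:0 LISTENING
"""

# Constructed sample (not from the thread): a host listening on 16992 and 623.
CONSTRUCTED = """\
  TCP    0.0.0.0:16992    0.0.0.0:0       LISTENING
  TCP    [::]:16992       [::]:0          LISTENING
  TCP    10.0.0.5:50123   10.0.0.9:16992  ESTABLISHED
  TCP    0.0.0.0:49664    0.0.0.0:0       LISTENING
  UDP    0.0.0.0:623      *:*
"""

def split_endpoint(endpoint):
    """Split '0.0.0.0:49664' or '[::]:49664' into (address, port), else None."""
    addr, _, port = endpoint.rpartition(":")
    if addr and port.isdigit():
        return addr.strip("[]"), int(port)
    return None

def amt_listeners(netstat_text, ports=AMT_PORTS):
    """Return sorted (proto, address, port) for listeners on the given ports."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, surrounding log text
        proto, local, _remote, state = m.groups()
        if proto.upper() == "TCP" and (state or "").upper() != "LISTENING":
            continue  # an outbound connection to port 16992 is not a listener
        ep = split_endpoint(local)
        # Compare the parsed port number, so 49664 is never mistaken for 664.
        if ep and ep[1] in ports:
            found.add((proto.upper(), ep[0], ep[1]))
    return sorted(found)

if __name__ == "__main__":
    print("page rows:  ", amt_listeners(FROM_PAGE))
    print("constructed:", amt_listeners(CONSTRUCTED))
```

A host-side netstat only shows sockets opened by the operating system, so this is a local check and does not replace Intel's detection tool or the OEM firmware update.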
Disable Intel AMT
Discussion in 'Windows OS and Software' started by Spartan@HIDevolution, May 6, 2017.