
ESET Features



I’m not sure where to post this, but I am here to ask about ESET features. Does ESET have MBR protection the way Sophos Home Premium does?


  • Administrators

Since I don't use the product you've mentioned, I have no clue what kind of protection it provides. However, ESET is unique in protecting UEFI. Although there's at least one more AV vendor that provides this protection, it's available only to business users as a stand-alone tool and not as a part of their products. ESET also included the UEFI scanner in products for home users.

For more information about ESET technology, please read https://www.eset.com/int/about/technology/.


I believe what is being referred to is a driver that prevents malware from writing to the MBR, such as the one Cisco provided to the public domain back in 2016: https://github.com/Cisco-Talos/MBRFilter .

So the question is: does one of ESET's protections, such as Anti-Stealth, provide driver-like protection? This type of protection can be achieved by creating a HIPS rule to monitor direct disk access to the boot drive, for example, but that rule can be problematic.

Edited by itman

Let me be a bit more specific here: MBR-encrypting ransomware like the infamous Petya variant encrypts the Master Boot Record (MBR) and gets the user to pay to unlock it. This method of ransomware encryption evades the usual tactic of just protecting/monitoring folders. Since this is a very important attack to protect against, I'm wondering if ESET has a specific module to protect against this type of attack. The image shows this type of protection module implemented in Sophos Home Premium.

[screenshot attached: Sophos Home Premium protection module]


Well, maybe the specific module just monitors for malicious behavior directed towards the MBR. I'm just asking this because of a video I encountered where only the HIPS and Ransomware Shield are being tested against various types of ransomware. ESET protects against all but Petya ransomware and lets it encrypt the Master Boot Record (MBR). I'm asking this so that the product can be improved and be better equipped to deal with this type of threat.


  • Administrators

If you or somebody else have experience with other products that protect MBR, I would like to know if they can also prevent false positives and permit legitimate applications to make necessary changes to MBR and have no noticeable impact on performance.


Actually, the issue with Petya and like variants of ransomware that infect the MBR is not the MBR infection itself. Rather, it is the encryption of the MFT, i.e. the Master File Table, that is the problem. Procedures have existed for years on how to recover the MBR.

Microsoft has a good article on Petya which I am going to post a few excerpts from and then make some additional comments:

Quote

Although the layout of the code and encrypted data in the sectors following the MBR varies between the two versions, the code itself is functionally very similar. The encryption process is the same: when the malicious MBR starts, it loads additional code from sectors after the MBR, which in turn proceeds to encrypt the Master File Table (MFT). After the encryption process is complete, the user is presented with the following ransom message, which is different from the typical ASCII skull and crossbones shown by the original Petya:

Boot recovery options

Petya causes some damage to the operating system’s boot code. In certain cases, recovery to boot the infected machine to a clean state is possible.

Case 1: If machine is equipped with secure boot + UEFI

If an infected machine shows the message below, it means the threat couldn’t hijack the boot process and encrypt MFT. In this case, booting off a clean installation media and performing Startup Recovery can fix the issue, and the machine can be booted.

Case 2: If system is non-UEFI, installed with Kaspersky Antivirus, and in a state where boot completely fails

The ransomware attempts to destroy the first 10 sectors of the \\.\PhysicalDrive0 if Kaspersky Antivirus is found or if the MBR infection is unsuccessful. Thus, boot process hijack through malicious MBR hasn't been completed so the MFT (Master File table) contents are intact and not encrypted by the threat. In this case, the partition table information is destroyed by the threat. Given that it stores critical information needed in the booting process, a traditional boot repair process may not work. Rebuilding the partition table may require consultation with an expert.

Case 3: if a ransom message like below is seen, recovery is not possible

The image is shown if the machine reboots and the malicious MBR is executed successfully. In this case, it is likely that the malware successfully encrypted the MFT, a vital structure of the NTFS file system. Unfortunately, recovery is not possible, and the machine is not capable of booting anymore. One can take the hard disk to another clean system, use disk recovery tools to recover any recoverable personal files, and reimage the system.

https://cloudblogs.microsoft.com/microsoftsecure/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/

If you're running Win 8.1+ and Secure Boot is in effect and your motherboard has UEFI, the ransomware can be mitigated.

If MBR modification fails, the ransomware will attempt to destroy partition table data. If the MFT remains in an unaltered state, recovery is possible. However, the recovery process might be costly and time consuming.

ESET will detect any known samples of this type of ransomware. So one's primary risk would be getting nailed by a similar 0-day ransomware that would write to the first 10 sectors of \\.\PhysicalDrive0. In any case, preventing MBR modification activities alone will not mitigate this type of ransomware.

Edited by itman
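A defender-side integrity check of the kind this thread is asking about, added here as an example and not code from ESET, Sophos, Microsoft or any poster: it parses the MBR, verifies the 0x55AA signature, hashes the boot code against a baseline recorded while the system was known good, and flags the "first 10 sectors zeroed" case quoted above. The sample MBR, its boot-code bytes and the baseline hash are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from boot code plus (bootable, type, lba_start, count)
    tuples. Used here only to construct sample input for the example."""
    table = b""
    for bootable, ptype, lba_start, count in entries:
        chs = b"\x00\x00\x00"  # CHS start/end fields, unused by LBA-aware loaders
        table += bytes([0x80 if bootable else 0x00]) + chs + bytes([ptype]) + chs
        table += struct.pack("<II", lba_start, count)
    return boot_code.ljust(446, b"\x00") + table.ljust(64, b"\x00") + b"\x55\xAA"

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash, its partition entries and a signature flag."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        e = sector[446 + 16 * i: 462 + 16 * i]  # one 16-byte partition entry
        lba_start, count = struct.unpack("<II", e[8:16])
        if e[4] != 0:  # partition type 0x00 marks an unused entry
            parts.append({"bootable": e[0] == 0x80, "type": e[4],
                          "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == b"\x55\xAA"}

def check_boot_sectors(sectors: bytes, baseline_boot_hash: str) -> list:
    """Compare the first sectors of a disk against a known-good baseline.
    Returns a list of findings; an empty list means nothing changed."""
    findings = []
    if len(sectors) >= 10 * SECTOR and not any(sectors[:10 * SECTOR]):
        findings.append("first 10 sectors are zeroed (partition table destroyed)")
    mbr = parse_mbr(sectors[:SECTOR])
    if not mbr["signature_ok"]:
        findings.append("MBR signature 0x55AA missing")
    if not mbr["partitions"]:
        findings.append("partition table has no entries")
    if mbr["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    return findings

# Constructed sample: a clean MBR with one bootable NTFS (type 0x07) partition and
# the baseline hash a defender would record while the system is known good.
CLEAN_MBR = build_mbr(b"CONSTRUCTED-SAMPLE-BOOT-CODE", [(True, 0x07, 2048, 204800)])
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:446]).hexdigest()
```

On a live Windows system the input would be the first sectors read from \\.\PhysicalDrive0 with administrator rights; the check only reports differences, it does not block writes the way a filter driver or HIPS rule would.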

I understand now, but the reason I'm pointing this out is so ESET can be better equipped to deal with 0-day variants of this type of ransomware because signatures can't catch everything. Thank you for the information though, very useful.

