周倜TI (0) - Posted February 25, 2020

ESET's HIPS can't intercept the damage and encryption of the MBR by malicious software, causing the system to fail to boot and even the hard disk to be damaged. It does not add a rule for underlying disk access. That is, a program cannot be prevented from writing data to \Device\Harddisk0\DR0. I hope this can be improved; the following is a HIPS sample for technical staff to analyze.
Marcos (Administrators, 5,409) - Posted February 25, 2020

Current malware does not typically modify the MBR. Moreover, it's not that easy with current modern operating systems that were made with security in mind. Should MBR malware be on the rise, we would definitely consider improvements in that area. Also we kindly ask you to change your display name; only names in Latin are allowed.
itman (1,790) - Posted February 25, 2020 (edited)

If MBR write access is an issue to anyone, Cisco has a free product that will prevent this: https://talosintelligence.com/mbrfilter . Note the warnings in the Cisco write-up. Per the GitHub write-up on it:

    Quote: This driver will prevent writes to sector 0 on all drives. This can cause an issue when initializing a new disk in the Disk Management application. Hit 'Cancel' when it asks you to write to the MBR/GPT and it should work as expected. Alternatively, if OK was clicked, then quitting and restarting the application will allow partitioning/formatting.

Also this "tidbit":

    Quote: To remove MBRFilter, follow these steps:
    - Remove the line MBRFilter from the UpperFilters registry key in (only remove MBRFilter, there might be other disk drivers here): HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
    - Reboot

https://github.com/Cisco-Talos/MBRFilter

Bottom line - better know what you are doing when you remove this driver puppy. BTW - I used this driver for a while with no conflicts with installed system and app software, including Eset. I believe it can "hose" a Win 10 Feature Upgrade, as I recollect.

Edited February 25, 2020 by itman
itman (1,790) - Posted February 25, 2020

    1 hour ago, Marcos said: Also we kindly ask you to change your display name; only names in Latin are allowed.

It appears that is Zhōu tì TI.
itman (1,790) - Posted February 26, 2020

I also forgot about my comments posted over at wildersecurity.com about MBRFilter:

    Quote: Tip to all - check if you have security software that monitors driver loading. I had to manually add MBRFilter.sys to Eset's HIPS driver allow-load list. I have also observed a noticeable slowdown in Win 10 boot time with this driver installed.

https://www.wilderssecurity.com/threads/mbrfilter-safeguards-computers-against-mbr-malware-and-ransomware.389387/#post-2626355
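The two itman posts above describe where MBRFilter hooks in (the UpperFilters value on the disk class key) and that the driver file MBRFilter.sys must be allowed to load. The following PowerShell script is an added example for this thread, not code from the thread, ESET, or the Cisco Talos project: it reports, read-only, whether the filter is registered on that class key, which other upper filters share the value (the GitHub note warns there may be others), and whether a matching service entry and driver file exist. The service name "MBRFilter" and the file name MBRFilter.sys are assumptions taken from the thread rather than verified against the project's installer.

```powershell
# Added example (not from the thread, ESET, or the Cisco Talos MBRFilter project).
# Reports whether MBRFilter is registered as an upper filter on the disk class key
# quoted in the thread, lists the other upper filters on that key, and checks for a
# service entry and driver file. Read-only: it changes nothing.
# Assumptions: service name 'MBRFilter' and driver file MBRFilter.sys (from the thread).

$diskClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'
$filterName   = 'MBRFilter'
$serviceKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$filterName"
$driverFile   = Join-Path $env:SystemRoot "System32\drivers\$filterName.sys"

# UpperFilters is a REG_MULTI_SZ; read it as an array (empty if the value is absent).
$upperFilters = @()
$props = Get-ItemProperty -Path $diskClassKey -Name 'UpperFilters' -ErrorAction SilentlyContinue
if ($null -ne $props) { $upperFilters = @($props.UpperFilters) }

$result = [PSCustomObject]@{
    FilterRegistered   = ($upperFilters -contains $filterName)
    OtherUpperFilters  = (@($upperFilters | Where-Object { $_ -ne $filterName }) -join ', ')
    ServiceEntryExists = (Test-Path -Path $serviceKey)
    DriverFilePresent  = (Test-Path -Path $driverFile)
}
$result | Format-List

# A filter name left in UpperFilters without its driver on disk is the state the
# quoted removal steps are meant to avoid: the disk class may fail to start at boot.
if ($result.FilterRegistered -and -not $result.DriverFilePresent) {
    Write-Warning "UpperFilters references $filterName but $driverFile is missing."
}
if (-not $result.FilterRegistered -and $result.DriverFilePresent) {
    Write-Warning "$driverFile is present but $filterName is not an active upper filter on the disk class."
}
```

Run it from an elevated PowerShell prompt before and after installing or removing the driver; the OtherUpperFilters field shows what must be preserved if you ever edit the UpperFilters value by hand as the quoted removal steps describe.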