Jump to content

ESET HIPS defects


Recommended Posts

ESET's HIPS can't intercept the damage and encryption of MBR by malicious software, causing the system to fail to boot and even the hard disk to be damaged. It does not add the rule of the underlying disk access. That is, the program cannot be prevented from writing data to \ Device \ Harddisk0 \ DR0 \. Hope to improve, the following is a sample of HIPS for technical staff to analyze.

 

Link to comment
Share on other sites

  • Administrators

Current malware does not typically modify MBR. Moreover, it's not that easy with current modern operating systems that were made with security in mind. Should MBR malware be on rise, we would definitely consider improvements in that area.

Also we kindly ask you to change your display name; only names in latin are allowed.

Link to comment
Share on other sites

If MBR write access is an issue to anyone, Cicso has a free product that will prevent this: https://talosintelligence.com/mbrfilter .

Note the warnings in the Cisco write up.

Per the Github write-up on it:

Quote

This driver will prevent writes to sector 0 on all drives. This can cause an issue when initializing a new disk in the Disk Management application. Hit 'Cancel' when asks you to write to the MBR/GPT and it should work as expected. Alternatively, if OK was clicked, then quitting and restarting the application will allow partitoning/formatting.

Also this "tidbit:"

Quote

To remove MBRFilter, follow these steps:

- Remove the line MBRFilter from the UpperFilters registry key in (only remove MBRFilter, there might be other disk drivers here): HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}

- Reboot

https://github.com/Cisco-Talos/MBRFilter

Bottom line- better know what you are doing when you remove this driver puppy.

BTW - I used this driver for a while with no conflicts with installed system and app software including Eset. I believe it can "hose" a Win 10 Feature Upgrade as I recollect.

 

Edited by itman
Link to comment
Share on other sites

I also forgot about my comments posted over at wildersecurity.com about MBRFilter:

Quote

Tip to all - check if you have security software that monitors driver loading. I had to manually add MBRFilter.sys to Eset's HIPS driver allow load list.

I have also observed a noticeable slow down in Win 10 boot time with this driver installed.

https://www.wilderssecurity.com/threads/mbrfilter-safeguards-computers-against-mbr-malware-and-ransomware.389387/#post-2626355

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...