
ESET's HIPS can't intercept the damage and encryption of the MBR by malicious software, causing the system to fail to boot and even the hard disk to be damaged. It does not add a rule for low-level disk access; that is, a program cannot be prevented from writing data to \Device\Harddisk0\DR0. We hope this can be improved; the following is a HIPS sample for technical staff to analyze.


Current malware does not typically modify the MBR. Moreover, it's not that easy with current modern operating systems that were made with security in mind. Should MBR malware be on the rise, we would definitely consider improvements in that area.

Also we kindly ask you to change your display name; only names in latin are allowed.


If MBR write access is an issue to anyone, Cisco has a free product that will prevent this: https://talosintelligence.com/mbrfilter .

Note the warnings in the Cisco write up.

Per the Github write-up on it:

Quote

This driver will prevent writes to sector 0 on all drives. This can cause an issue when initializing a new disk in the Disk Management application. Hit 'Cancel' when it asks you to write to the MBR/GPT and it should work as expected. Alternatively, if OK was clicked, then quitting and restarting the application will allow partitioning/formatting.

Also this "tidbit:"

Quote

To remove MBRFilter, follow these steps:

- Remove the line MBRFilter from the UpperFilters registry key in (only remove MBRFilter, there might be other disk drivers here): HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}

- Reboot

https://github.com/Cisco-Talos/MBRFilter

Bottom line: better know what you are doing when you remove this driver puppy.

BTW - I used this driver for a while with no conflicts with installed system and app software including Eset. I believe it can "hose" a Win 10 Feature Upgrade as I recollect.


Edited by itman
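One way to script the two removal steps quoted above without disturbing other disk filter drivers. This is an added example; it is not code from the thread, from ESET or from the Cisco Talos project. It assumes the driver registers only in the disk-class UpperFilters value named in the quote, and that its kernel service is called MBRFilter (an assumption used only for the status check). Run it from an elevated PowerShell session; it supports -WhatIf so you can preview the change first.

```powershell
# Added example (not from the original thread or the MBRFilter project).
# Disk class GUID and UpperFilters value, exactly as quoted in the thread.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'

function Get-DiskUpperFilters {
    # Returns the current UpperFilters entries (empty array if the value is absent).
    $props = Get-ItemProperty -Path $classKey -Name 'UpperFilters' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }
    return @($props.UpperFilters)
}

function Get-MbrFilterStatus {
    # Assumption: the driver's service name is 'MBRFilter'. Shows whether it is
    # registered as a filter and whether the kernel driver is currently running.
    $filters = Get-DiskUpperFilters
    $driver  = Get-CimInstance Win32_SystemDriver -Filter "Name = 'MBRFilter'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        InUpperFilters = ($filters -contains 'MBRFilter')
        AllUpperFilters = ($filters -join ', ')
        DriverState    = if ($driver) { $driver.State } else { 'not registered' }
    }
}

function Remove-MbrFilterEntry {
    # Removes only the MBRFilter entry, keeping any other disk filter drivers
    # (for example, a vendor encryption or backup filter) in place.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $current = Get-DiskUpperFilters
    if ($current -notcontains 'MBRFilter') {
        Write-Host 'MBRFilter is not listed in UpperFilters; nothing to do.'
        return
    }

    $remaining = @($current | Where-Object { $_ -ne 'MBRFilter' })
    $action = "remove MBRFilter from UpperFilters (keeping: '$($remaining -join ', ')')"
    if ($PSCmdlet.ShouldProcess($classKey, $action)) {
        if ($remaining.Count -gt 0) {
            # Write back the remaining entries as a REG_MULTI_SZ.
            Set-ItemProperty -Path $classKey -Name 'UpperFilters' -Value ([string[]]$remaining) -Type MultiString
        } else {
            # MBRFilter was the only upper filter, so drop the value entirely.
            Remove-ItemProperty -Path $classKey -Name 'UpperFilters'
        }
        Write-Host 'UpperFilters updated. Reboot for the change to take effect (step 2 of the quoted procedure).'
    }
}

# Usage:
#   Get-MbrFilterStatus                 # inspect before touching anything
#   Remove-MbrFilterEntry -WhatIf       # preview the registry change
#   Remove-MbrFilterEntry               # apply it, then reboot
```

Checking the status first matters because, as the thread notes, removing the wrong entry from UpperFilters can leave the disk stack unable to load; the function therefore refuses to rewrite the value unless MBRFilter is actually present and always preserves every other filter name.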

1 hour ago, Marcos said:

Also we kindly ask you to change your display name; only names in latin are allowed.

Appears that is Zhōu tì TI


I also forgot about my comments posted over at wildersecurity.com about MBRFilter:

Quote

Tip to all - check if you have security software that monitors driver loading. I had to manually add MBRFilter.sys to Eset's HIPS driver allow load list.

I have also observed a noticeable slow down in Win 10 boot time with this driver installed.

https://www.wilderssecurity.com/threads/mbrfilter-safeguards-computers-against-mbr-malware-and-ransomware.389387/#post-2626355
