
Posted

ESET's HIPS cannot intercept the damaging and encryption of the MBR by malicious software, which causes the system to fail to boot and can even damage the hard disk. It has no rule for low-level disk access; that is, a program cannot be prevented from writing data to \Device\Harddisk0\DR0. I hope this can be improved. The following is a HIPS sample for technical staff to analyze.

Posted

Current malware does not typically modify the MBR. Moreover, it's not that easy with current modern operating systems that were made with security in mind. Should MBR malware be on the rise, we would definitely consider improvements in that area.

Also, we kindly ask you to change your display name; only names in Latin characters are allowed.

Posted (edited)

If MBR write access is an issue to anyone, Cisco has a free product that will prevent this: https://talosintelligence.com/mbrfilter .

Note the warnings in the Cisco write up.

Per the GitHub write-up on it:

Quote

This driver will prevent writes to sector 0 on all drives. This can cause an issue when initializing a new disk in the Disk Management application. Hit 'Cancel' when it asks you to write to the MBR/GPT and it should work as expected. Alternatively, if OK was clicked, then quitting and restarting the application will allow partitioning/formatting.

Also this "tidbit":

Quote

To remove MBRFilter, follow these steps:

- Remove the line MBRFilter from the UpperFilters registry key in (only remove MBRFilter, there might be other disk drivers here): HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}

- Reboot

https://github.com/Cisco-Talos/MBRFilter

Bottom line: better know what you are doing when you remove this driver puppy.

BTW - I used this driver for a while with no conflicts with installed system and app software including Eset. I believe it can "hose" a Win 10 Feature Upgrade as I recollect.

 

Edited by itman
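The removal steps quoted above say to take only the MBRFilter entry out of the UpperFilters value and leave any other disk filter drivers in place. The following is an added example (not code from the MBRFilter project or from this thread) that does exactly that from an elevated PowerShell prompt. It assumes the registry entry is named "MBRFilter" and uses the disk class GUID given in the project README; the UpperFilters value is REG_MULTI_SZ, so it is written back as a multi-string rather than a plain string, and deleted entirely if MBRFilter was the only entry. Run it with -WhatIf first to preview the change, and reboot afterwards as the README instructs.

```powershell
# Added example: remove only the MBRFilter entry from the disk class UpperFilters
# value, preserving any other filter drivers listed there (e.g. partmgr).
# Assumptions: the entry name is 'MBRFilter' (as in the project README) and the
# class GUID below is the disk class key from the same README. Run elevated.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed name of the driver's UpperFilters entry; override if yours differs.
    [string]$FilterName = 'MBRFilter'
)

$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'

# UpperFilters is REG_MULTI_SZ; PowerShell returns it as a string array.
$current = (Get-ItemProperty -Path $classKey -Name 'UpperFilters' -ErrorAction SilentlyContinue).UpperFilters
if (-not $current) {
    Write-Host "No UpperFilters value under the disk class key; nothing to do."
    return
}

Write-Host "Current UpperFilters: $($current -join ', ')"

# -notcontains is case-insensitive, matching how the registry treats the names.
if ($current -notcontains $FilterName) {
    Write-Host "$FilterName is not listed; nothing to remove."
    return
}

# Keep every entry except the one being removed.
$remaining = @($current | Where-Object { $_ -ne $FilterName })

if ($PSCmdlet.ShouldProcess($classKey, "Remove '$FilterName' from UpperFilters")) {
    if ($remaining.Count -gt 0) {
        # Write the rest back as a multi-string so other filter drivers keep loading.
        Set-ItemProperty -Path $classKey -Name 'UpperFilters' -Value $remaining -Type MultiString
        Write-Host "Remaining UpperFilters: $($remaining -join ', ')"
    } else {
        # MBRFilter was the only entry: delete the value instead of leaving an empty list.
        Remove-ItemProperty -Path $classKey -Name 'UpperFilters'
        Write-Host "UpperFilters value removed (MBRFilter was the only entry)."
    }
    Write-Host "Done. Reboot to unload the driver."
}
```

The check against the whole array matters: overwriting UpperFilters with a plain string, or with a list that dropped another entry, can leave disk devices unable to start after the reboot, which is the "better know what you are doing" warning in the post above.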
Posted
1 hour ago, Marcos said:

Also we kindly ask you to change your display name; only names in latin are allowed.

Appears that is Zhōu tì TI

Posted

I also forgot about my comments posted over at wildersecurity.com about MBRFilter:

Quote

Tip to all - check if you have security software that monitors driver loading. I had to manually add MBRFilter.sys to Eset's HIPS driver allow load list.

I have also observed a noticeable slow down in Win 10 boot time with this driver installed.

https://www.wilderssecurity.com/threads/mbrfilter-safeguards-computers-against-mbr-malware-and-ransomware.389387/#post-2626355

This topic is now closed to further replies.