ESET HIPS defects



ESET's HIPS can't intercept the damage to and encryption of the MBR by malicious software, which causes the system to fail to boot and can even leave the hard disk damaged. It does not provide a rule for underlying disk access; that is, a program cannot be prevented from writing data to \Device\Harddisk0\DR0. I hope this can be improved. The following is a sample for HIPS technical staff to analyze.



  • Administrators

Current malware does not typically modify the MBR. Moreover, it's not that easy with current modern operating systems that were made with security in mind. Should MBR malware be on the rise, we would definitely consider improvements in that area.

Also, we kindly ask you to change your display name; only names in Latin characters are allowed.


If MBR write access is an issue to anyone, Cisco has a free product that will prevent this: https://talosintelligence.com/mbrfilter .

Note the warnings in the Cisco write up.

Per the Github write-up on it:

Quote

This driver will prevent writes to sector 0 on all drives. This can cause an issue when initializing a new disk in the Disk Management application. Hit 'Cancel' when it asks you to write to the MBR/GPT and it should work as expected. Alternatively, if OK was clicked, then quitting and restarting the application will allow partitioning/formatting.

Also this "tidbit:"

Quote

To remove MBRFilter, follow these steps:

- Remove the line MBRFilter from the UpperFilters registry key in (only remove MBRFilter, there might be other disk drivers here): HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}

- Reboot

https://github.com/Cisco-Talos/MBRFilter

Bottom line: better know what you are doing when you remove this driver puppy.

BTW - I used this driver for a while with no conflicts with installed system and app software including Eset. I believe it can "hose" a Win 10 Feature Upgrade as I recollect.


Edited by itman
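The removal steps quoted above carry a caveat: the UpperFilters value on the disk class key is a multi-string list that may hold other filter drivers, and only the MBRFilter entry should be dropped. The following PowerShell script is an added example (not part of this thread, not MBRFilter's own tooling, and not from Cisco or ESET) that reads that value, reports whether MBRFilter is registered, and only when run with the assumed -Remove switch rewrites the list without the MBRFilter entry while keeping every other driver in place. The registry path is the one given in the GitHub write-up; the -Remove switch name and the messages are this example's own. Run it from an elevated PowerShell session and reboot afterwards, as the write-up says.

```powershell
# Added example: inspect the disk class UpperFilters list for MBRFilter and,
# only with -Remove, unregister that single entry while preserving the others.
param(
    [switch]$Remove   # assumed switch name for this example; default is report-only
)

# Path from the MBRFilter GitHub write-up quoted in the thread
$classKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'
$filterName = 'MBRFilter'

$props = Get-ItemProperty -Path $classKey -Name 'UpperFilters' -ErrorAction SilentlyContinue
if (-not $props -or -not $props.UpperFilters) {
    Write-Output "No UpperFilters value on the disk class key; $filterName is not registered."
    return
}

# UpperFilters is REG_MULTI_SZ, so the provider returns it as a string array
$filters = @($props.UpperFilters)
Write-Output ("Current UpperFilters: " + ($filters -join ', '))

if ($filters -notcontains $filterName) {
    Write-Output "$filterName is not present; nothing to do."
    return
}

if (-not $Remove) {
    Write-Output "$filterName is registered. Re-run with -Remove from an elevated session to unregister it, then reboot."
    return
}

# Keep every other filter driver; only the MBRFilter entry is dropped
$remaining = @($filters | Where-Object { $_ -ne $filterName })
if ($remaining.Count -gt 0) {
    Set-ItemProperty -Path $classKey -Name 'UpperFilters' -Value $remaining -Type MultiString
    Write-Output ("Removed $filterName; remaining UpperFilters: " + ($remaining -join ', '))
} else {
    # The value held only MBRFilter, so an empty list is replaced by deleting the value
    Remove-ItemProperty -Path $classKey -Name 'UpperFilters'
    Write-Output "Removed $filterName; UpperFilters value deleted because it held no other entries."
}
Write-Output "Reboot for the change to take effect."
```

Without -Remove the script changes nothing and only prints the current filter list, which is also a quick way to confirm that MBRFilter actually attached to the disk class after installation. The script edits only the registry value the write-up names; it does not touch the driver file or its service entry.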

I also forgot about my comments posted over at wildersecurity.com about MBRFilter:

Quote

Tip to all - check if you have security software that monitors driver loading. I had to manually add MBRFilter.sys to Eset's HIPS driver allow load list.

I have also observed a noticeable slow down in Win 10 boot time with this driver installed.

https://www.wilderssecurity.com/threads/mbrfilter-safeguards-computers-against-mbr-malware-and-ransomware.389387/#post-2626355

