AnthonyQ, posted December 24, 2022:
I've noticed that ESET LiveGuard seems unable to detect certain types of malware, such as MBR lockers. For example, this sample (VT: https://www.virustotal.com/gui/file/667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf/detection; Sandbox: https://tria.ge/221224-f6fptshf29/behavioral1) is an MBR locker and its behavior is very typical. However, ESET LiveGuard determined that it was safe to use. The algorithm of LiveGuard should be updated to solve this problem.
rotaru, posted December 24, 2022:
As of this morning (8:00 AM in Canada), ESET detects it on VT (11 detections from 71). But it is also detected by Microsoft Defender.
itman, posted December 24, 2022 (edited):
8 hours ago, AnthonyQ said: I've noticed that ESET LiveGuard seems unable to detect certain types of malware such as MBR lockers.
Most likely because the malware didn't run in the LiveGuard cloud sandbox. Also, unless things have changed in Eset processing, which is doubtful, it does not monitor for write activity to MBR related files. Now that Eset has a sig. for the bootkit, it will detect it upon system startup. But you will have to remove it manually via the following commands:
bootrec /FixMbr
bootrec /FixBoot
bootrec /ScanOs
bootrec /RebuildBcd
rotaru, posted December 24, 2022:
1 hour ago, itman said: Most likely because the malware didn't run in the LiveGuard cloud sandbox.
Interesting fact though: Defender, in its own simplicity, was able to detect it on par with the paid big players.
AnthonyQ (author), posted December 24, 2022:
9 hours ago, itman said: Most likely because the malware didn't run in the LiveGuard cloud sandbox. Also, unless things have changed in Eset processing, which is doubtful, it does not monitor for write activity to MBR related files. Now that Eset has a sig. for the bootkit, it will detect it upon system startup. But you will have to remove it manually via the bootrec /FixMbr, bootrec /FixBoot, bootrec /ScanOs and bootrec /RebuildBcd commands.
Yeah, ESET added a signature detection hours after submission. I'm not sure if the sample is able to run successfully on LiveGuard, but it can run successfully on some free cloud sandboxes like Triage.
itman, posted December 25, 2022:
Ignoring whether the malware ran on the LiveGuard cloud, I strongly suspect it would not have been detected there anyway. As I noted, Eset does not monitor or prevent write activity to MBR related files. I have brought this up in multiple past forum postings to no avail. If this malware performed no other malicious activities or like code, LiveGuard wouldn't have detected it.
itman, posted December 25, 2022 (edited):
You also might want to review my posting here about the infamous Petya attack a few years back: https://forum.eset.com/topic/14714-eset-features/?do=findComment&comment=73148 . Notably, Kaspersky does monitor for MBR modification activities. However, it could not stop Petya from trashing the partition table, rendering the device totally useless:
Quote: Case 2: If the system is non-UEFI, installed with Kaspersky Antivirus, and in a state where boot completely fails. The ransomware attempts to destroy the first 10 sectors of \\.\PhysicalDrive0 if Kaspersky Antivirus is found or if the MBR infection is unsuccessful. Thus, the boot process hijack through the malicious MBR hasn't been completed, so the MFT (Master File Table) contents are intact and not encrypted by the threat. In this case, the partition table information is destroyed by the threat. Given that it stores critical information needed in the booting process, a traditional boot repair process may not work. Rebuilding the partition table may require consultation with an expert.
Marcos (Administrator), posted December 28, 2022 (marked as solution):
We have already improved detection of MBR malware by LiveGuard, currently for business products with a lowered detection threshold, due to clean files modifying the MBR. If everything goes well, we could make further adjustments for home users in a few weeks' time.
itman, posted December 28, 2022 (edited):
1 hour ago, Marcos said: If everything goes well, we could make further adjustments for home users in a few weeks' time.
I assume this will only apply to Smart Security Premium, since it is the only Eset consumer product that uses LiveGuard? Also, as noted above, has this already been implemented for Smart Security Premium since it uses LiveGuard, albeit with a 90% (high) confidence level? Assumed is that the confidence level is being lowered in LiveGuard cloud scan processing in regards to attempted MBR write activities.
itman, posted December 28, 2022:
I also question LiveGuard detection effectiveness against MBR modification malware employing sleeper evasion tactics. Eset, via its HIPS, has the capability to monitor for direct disk access used by MBR modification malware. This is where Eset's efforts should be directed.
itman, posted December 28, 2022 (edited):
I posted about this previously and will post it again. Cisco, after the Petya incident, developed an MBR filter driver, publicly available, that will block write access to track 1, sector 0 where the MBR resides: https://www.talosintelligence.com/mbrfilter . Further described as:
Quote: MBRFilter. This is a simple disk filter based on Microsoft's diskperf and classpnp example drivers. The goal of this filter is to prevent writing to Sector 0 on disks. This is useful to prevent malware that overwrites the MBR like Petya. This driver will prevent writes to sector 0 on all drives. This can cause an issue when initializing a new disk in the Disk Management application. Hit 'Cancel' when it asks you to write to the MBR/GPT and it should work as expected. Alternatively, if OK was clicked, then quitting and restarting the application will allow partitioning/formatting. https://github.com/Cisco-Talos/MBRFilter
Why Eset never incorporated this driver into its software is really beyond me.
itman, posted December 28, 2022 (edited):
Let's discuss this above posted statement:
Quote: The ransomware attempts to destroy the first 10 sectors of \\.\PhysicalDrive0 if Kaspersky Antivirus is found or if the MBR infection is unsuccessful.
I would say malware going after \\.\PhysicalDrive0 track 1, sector 0 is atypical of MBR modification activity. Tip: what happens if Windows is not installed on PhysicalDrive0? Tip 2: perhaps by plugging the boot drive cable into motherboard drive connector 1 and another non-boot drive into motherboard drive connector 0.
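Both the MBRFilter post and the PhysicalDrive0 discussion above revolve around sector 0. As an added example (not code from the thread, from ESET or from Cisco), here is a small Python check that parses a 512-byte MBR and reports the two kinds of change discussed in this thread: bootstrap code swapped out by a locker, or the sector and its partition table wiped as with Petya. All sample bytes are constructed; on a live Windows host the baseline and current copies would be read from \\.\PhysicalDrive0 (opened read-only, as administrator), which this offline example assumes has already been done.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of a valid MBR
PART_TABLE_OFFSET = 446        # four 16-byte entries at 0x1BE..0x1FD


def parse_mbr(sector0: bytes) -> dict:
    """Split sector 0 into bootstrap code hash, partition table and signature flag."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", sector0[off:off + 16])
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector0[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector0[510:512] == BOOT_SIGNATURE,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Compare a trusted baseline of sector 0 against a fresh read and name what changed."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature missing: sector 0 wiped or corrupted")
    if b["bootcode_sha256"] != c["bootcode_sha256"]:
        findings.append("bootstrap code replaced: possible MBR locker or bootkit")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed: boot repair alone may not be enough")
    return findings


def build_mbr(bootcode: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR for testing (not a real disk image)."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries) + bytes(16 * (4 - len(entries)))
    return bootcode.ljust(PART_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


# Constructed samples: a benign stub (jmp $) with one active NTFS partition at LBA 2048.
GOOD_ENTRY = (0x80, 0x07, 2048, 1_000_000)
BASELINE = build_mbr(b"\xEB\xFE", [GOOD_ENTRY])
LOCKED = build_mbr(b"\x90" * 446, [GOOD_ENTRY])   # bootcode swapped, table intact (locker-style)
WIPED = bytes(SECTOR_SIZE)                        # whole sector zeroed (wiper-style, as with Petya)
```

Running `diff_mbr(BASELINE, LOCKED)` reports only the replaced bootstrap code, while `diff_mbr(BASELINE, WIPED)` reports all three findings, which is the case where bootrec /FixMbr alone does not bring the partition table back.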
Marcos (Administrator), posted January 2, 2023:
Basically any sample that modifies the MBR is now evaluated by ESET LiveGuard as malware, regardless of the detection threshold in business products.
itman, posted January 2, 2023 (edited):
2 hours ago, Marcos said: Basically any sample that modifies the MBR is now evaluated by ESET LiveGuard as malware, regardless of the detection threshold in business products.
SentinelOne has a blog posting here: https://www.sentinelone.com/blog/mbrlocker-wiper-malware-destructive-pranks-are-no-joke-for-victims/ in regards to an MBR locker running from a web site download. If you run the demo video, the download does not appear to be a .exe from what I can tell. As such, would it even be uploaded to LiveGuard?
EDIT: I played the video again in full screen mode and did observe the download is a .exe. When run, it immediately forces a system shutdown. Not sure if the MBR is modified prior to shutdown (doubtful) or at system startup time. The question is whether it would perform the above behavior if running in a sandboxed environment.