MBRFilter Safeguards Computers Against MBR Malware and Ransomware

Discussion in 'other anti-malware software' started by hawki, Oct 20, 2016.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Also can someone produce a link to a working 64 bit AccessMBR please.

    I get a weird CRC warning trying to D/L just it from the German translated page. Thanks
     
  2. guest

    guest Guest

    Can it be downloaded somewhere? I can only find the source-code via github.
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Code:
    https://github.com/yyounan/MBRFilter/files/536997/32.zip
    Code:
    https://github.com/yyounan/MBRFilter/files/536998/64.zip
     
  4. guest

    guest Guest

    I meant AccessMBR, because of:
    ;)
    Edit:
    Or does @EASTER mean MBRFilter? :cautious:
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Code:
    https://www.heise.de/download/product/accessmbr-92179/download
    Code:
    http://breakoutbox.de/software/accessmbr/accessmbr.html
     
    Last edited: Oct 22, 2016
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Nope, for whatever strange reason kept getting CRC doesn't match header error so finally pulled it from here. Thanks for trying.

    http://breakoutbox.de/software/accessmbr/accessmbr.html
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Odd. Not on my end, I'm able to download same zipped file without issues.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yeah, was obviously something inhibiting it to open after download. No matter, AccessMBR came through via the other site intact without error and works as expected.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes correct, if you block "low-level disk access" then the MBR can't be modified, but there are certain HIPS (integrated with AV or not) that specifically block modification of the MBR. But I have never actually tested malware that targets the MBR against HIPS, so a fail-safe can never hurt.

    Not a good sign if they keep it vague. Hopefully they can release a list of what is being monitored.
     
  10. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    It would be nice, but international support is clearly not a priority to them at this point in time. At least Tencent publish an English language version, whereas just about all other Chinese antiviruses are only available in Chinese.
     
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Yes, I confirm this as well.
     
  12. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,340
    Location:
    Québec, Canada
    Is MBRFilter compatible with GRUB?
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    -- EFI GPT protective --
    -- EFI GPT protective --

    So apparently no need for MBRFilter on this system.

    I do think my Windows 10 is sitting on MBR so i'll have to check that later.
     
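    Added example (not code from AccessMBR, MBRFilter or any poster): a small Python parser for sector 0 that distinguishes a classic MBR partition table from the protective MBR (type 0xEE entry) that a GPT disk still carries, and hashes the sector so it can be baselined and re-checked later. The two sample sectors are constructed inline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR

def parse_partitions(sector: bytes):
    """Return the four partition entries as (status, type, lba_start, sector_count)."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector (bad length or missing 0x55AA signature)")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append((status, ptype, lba_start, count))
    return entries

def classify_sector0(sector: bytes) -> str:
    """'gpt-protective' if a 0xEE entry is present, 'mbr' if any other entry is in use, else 'empty'."""
    types = [entry[1] for entry in parse_partitions(sector)]
    if 0xEE in types:
        return "gpt-protective"
    if any(t != 0 for t in types):
        return "mbr"
    return "empty"

def fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector (boot code + table + signature) for baselining."""
    return hashlib.sha256(sector).hexdigest()

def build_sample(status: int, ptype: int, lba_start: int, count: int, code_byte: int = 0x00) -> bytes:
    """Constructed sample sector: boot-code area filled with code_byte, one partition entry, signature."""
    sector = bytearray([code_byte]) * PART_TABLE_OFFSET
    sector += struct.pack("<B3xB3xII", status, ptype, lba_start, count)
    sector += bytes(48) + BOOT_SIGNATURE   # three unused entries, then 0x55AA
    return bytes(sector)

# Constructed samples: a classic MBR with one bootable NTFS-style partition,
# and the protective MBR layout a GPT disk carries (type 0xEE starting at LBA 1).
CLASSIC_MBR = build_sample(0x80, 0x07, 2048, 1048576)
PROTECTIVE_MBR = build_sample(0x00, 0xEE, 1, 0xFFFFFFFF)

if __name__ == "__main__":
    for name, sec in (("classic", CLASSIC_MBR), ("protective", PROTECTIVE_MBR)):
        print(name, classify_sector0(sec), fingerprint(sec)[:16])
```

Comparing `fingerprint()` of a disk's sector 0 against a stored baseline flags any change to the boot code or partition table, which is exactly the write MBRFilter is meant to refuse.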
  14. guest

    guest Guest

    Even if your system-disk is based on GPT, MBR Filter can protect all other disks connected to your PC.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Good point.

    Mr Crypto is notorious for such a long reach
     
  16. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,340
    Location:
    Québec, Canada
    Finally installed it, and no problem with GRUB2 from Linux.
     
  17. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Correct me if I'm wrong, but if it's a driver then it needs to load with Windows. Since other drivers can likely load before MBRFilter, isn't it possible to compromise the MBR before this driver loads?
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @amarildojr See this link: https://msdn.microsoft.com/en-us/wi...s/ifs/what-determines-when-a-driver-is-loaded

    MBRFilter is StartType = 0 Therefore, from the link:
    Anti-executable / Application Whitelisting kernel-mode drivers (using Bouncer for example) have StartType=1 which is started during kernel initialization. MemProtect for example which needs to utilize some additional Windows kernel features for memory related protections, has StartType=2. I would assume that most AV type of I/O file system filter drivers would likely be StartType=1.

    Therefore with MBRFilter being a kernel-mode driver with StartType=0 being a boot start driver, it would require that another kernel driver with StartType=0 that is low enough within the kernel to mess with it and interfere in any kind of way. It would not be very likely to have a malicious kernel driver start before MBRFilter. But as we all know, if a user gets compromised with a kernel level exploit and gains admin or system elevation or especially when it comes to physical access, it's game over. But from a remote perspective, no worries.
     
  19. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Questions

    1) If I have HMPA then MBRFilter is not needed, right?
    2) If my laptop only boots up using UEFI (without traditional BIOS) then MBRFilter is not needed since there's no MBR in the first place, right?

    Thanks
     
  20. guest

    guest Guest

    If you have HMP.A then MBRFilter is not needed.
    If you don't have HMP.A installed, you can install MBRFilter to protect all connected devices (not only the system disk):
     
  21. guest

    guest Guest

    Does MBRFilter produce any type of incompatibilities, or is it an install-and-forget app?
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Only incompatibility is if you want to format a drive. Cisco has instructions on bypass, or just uninstall the driver (a bit involved procedure) and then format.

    Since it's a kernel mode driver that loads at boot time, install it and forget about it thereafter.
     
  23. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "Only incompatibility is if you want to format a drive. Cisco has instructions on bypass, or just uninstall the driver (a bit involved procedure) and then format."

    Do you mean a drive other than your OS drive? Using Windows and not DOS?
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    It would block MBR mods to any drive known to Windows only. It's a Windows driver.
     