nProtect MBR Guard let me down - Alternatives?

Discussion in 'other anti-malware software' started by CGuard, May 18, 2013.

Thread Status:
Not open for further replies.
  1. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    Every once in a while, I scan my system with anti-rootkit tools. Just yesterday, GMER's scan resulted in a "\Device\Harddisk0\DR0---Unknown MBR code" info entry. I knew that this MBR modification had been caused by Keriver's Recovery Console, but I decided to somewhat test nProtect's MBR protection (as I have done with other legitimate MBR-accessing programs) by selecting "Restore" from GMER's right-click menu. To my great surprise, a standard MBR was restored without any alert from nProtect's utility...

    I was wondering:

    q1: How did the MBR filter get bypassed? As I mentioned above, I have tested nProtect MBR Guard with other programs (non-malware/rootkit, though), and it succeeded in blocking the MBR accesses (e.g., Keriver's Recovery Console cannot be installed if the MBR is protected).

    q2: Is there any other way to protect the MBR WHILE being alerted, at the same time, about the related attempt to access/modify it, besides a full-blown HIPS?

    PS: Purchasing AppGuard just for the MBR Guard component is not an option for me.
     
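    An MBR integrity check of the kind q2 asks about (alert on change rather than silently block), added here as an example; it is not code from the thread, from nProtect or from GMER. It parses a 512-byte sector, hashes the boot code, and compares boot code and partition table against a stored baseline; the sample sectors are constructed, and the raw-disk path `\\.\PhysicalDrive0` is the usual Windows name for the first disk and needs administrator rights to open.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions}

def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a stored baseline; return a list of findings."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings

def read_physical_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (needs administrator rights on Windows)."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)

# Constructed sample MBR: placeholder boot code, one NTFS-type entry at LBA 2048, valid signature.
_boot_code = b"\xFA\x33\xC0\x8E\xD0".ljust(446, b"\x00")
_entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
SAMPLE_MBR = _boot_code + _entry + b"\x00" * 48 + BOOT_SIGNATURE
# Same sector with its boot code overwritten, the change an MBR-level modification leaves behind.
MODIFIED_MBR = b"\xEB\x58\x90".ljust(446, b"\x00") + SAMPLE_MBR[446:]

if __name__ == "__main__":
    baseline = parse_mbr(SAMPLE_MBR)   # store this when the disk is known to be clean
    print("unchanged:", check_mbr(SAMPLE_MBR, baseline))
    print("modified:", check_mbr(MODIFIED_MBR, baseline))
```

Run on a schedule against `read_physical_mbr()`, the baseline dict stored when the disk is known good gives the alert that a blocking filter alone does not.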
  2. whitestar_999

    whitestar_999 Registered Member

    Joined:
    Apr 1, 2010
    Posts:
    162
    Someone can correct me if I am wrong, but it is my understanding that in Windows you can never fully protect the MBR. In Windows there are different levels of privileges, and once a program has the highest level privilege (access to the kernel, I think) then there is nothing it can't do; it is limited only by its own functionality. GMER installs a temporary driver to scan and modify, and once you have given it permission to run it can do anything it is designed to do. This is the reason why it can detect/remove and modify rootkits, which also have the highest level privileges. Once two programs with the same highest level privilege compete against each other, the one with better code wins, which in this case is GMER.
     
  3. Nothing beats running as limited user :D
     
  4. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    I often see on this forum and others different terminology being used.
    I run as a standard user and I see others use a term "limited" user etc.

    Is there a difference, or is it just different terms for the same thing?
     
  5. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
  6. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101