Is there a way to protect MBR from rootkits?

Discussion in 'sandboxing & virtualization' started by karad, Dec 26, 2012.

Thread Status:
Not open for further replies.
  1. karad

    karad Registered Member

    Joined:
    Sep 10, 2008
    Posts:
    237
    My question arises from the fact all virtualising programs now admit they can't protect the MBR from rootkits such as TDL&Co.,apart from Diskshot which has not been translated yet.

    I use three pcs with three different configurations which i'd like to protect,please bear in mind computers 2&3 run GRUB as i dual boot Ubuntu:

    1-Windows7:Comodo CIS5+ToolwizTimeFreeze and MBAM,Superantispyware free on demand

    2-XP (GRUB): Sandboxie + ToolwizTimeFreeze and
    Comodo AV,MBAM,Superantispyware on demand

    3-netbook Windows7(GRUB): Sandboxie + ToolwizTimeFreeze and Comodo AV,MBAM,Superantispyware on demand.

    In computer 1 I also do routinely scans with MBAR (Malwarebytes anti rootkit prog) and KasperskyTDDS.

    What I'm planning is doing the above plus perhaps a new image every now and then ( two weeks?) whether i need it or not, just to reinstate the MBR.
    (I wonder if you can successfully backup and recover just the MBR with PARAGON )
    (I also wonder if the new Comodo V6 with its Kiosk can take care of MBR threats...)

    Any suggestion/advice on this matter regarding the MBR and/or my setup is more than welcome,thanks.
     
    Last edited: Dec 26, 2012
  2. flamerz

    flamerz Registered Member

    Joined:
    Dec 16, 2012
    Posts:
    55
    i use one, in korean. check my signature.
     
  3. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,283
    Yes, you can. It is possible to backup just the MBR or the Track0.
     
  4. karad

    karad Registered Member

    Joined:
    Sep 10, 2008
    Posts:
    237
    @flamerz,thank you for suggesting
    nProtect MBR Guard
    I'm in the process of familiarizing with it via the couple of threads i found here at Wilders,which i had read ,but had forgotten about.
    There are pro&cons in its use it seems and i'm trying to check it out against the similar application of AppGuard.

    @Robin A. ,you mean it is safe to check for recovery of just and only Track0/MBR and nothing else?
    Have you ever tried that?
     
  5. karad

    karad Registered Member

    Joined:
    Sep 10, 2008
    Posts:
    237
    I found out now that Shadow Defender site is working ok and offering the updated versions at
    http://www.shadowdefender.com/download.html

    Perhaps the costly,but easy solution for me would be to just substitute ToolwizTimeFreeze with ShadowDefender as the latter does take care of the MBR -as i gather from a few Wilders threads.
     
  6. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    The best protection against MBR Rootkits is a "clean" Windows System Partition" Image.

    It is my understanding that many of the Software MBR guard's protect the MBR using their Window's Driver. It is possible for the MBR to get infected if the infection occurs before the MBR guard's Window's Driver loads.
     
  7. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,283
     
  8. karad

    karad Registered Member

    Joined:
    Sep 10, 2008
    Posts:
    237

    @TheKid7,
    I am not sure to what section you refer to given the fact that a " Windows System Partition" is defined as:

    So,are you referring to 'hardware software',BIOS or small Windows7 100-200 MBS system partition?

    Or do you mean just a simple 'image' of the System Partition taken with an imaging program?

    Please clarify, i am very interested.




    I take it you imply that MBR guarding software do not guard at all-at least potentially-as they can be beaten up by malware the way you depicted......

    That is why ,to cut it short, I've preferred ,at least for the time being, to install right now Shadow Defender,whose defending properties vs ZeroAccess,TDDS and the likes have been well expounded in Wilders threads.
    I hope i'm not wrong about that, in anycase i'd have paid only a few bucks for a software which can virtualise the whole disk and not a part of it.
     
  9. karad

    karad Registered Member

    Joined:
    Sep 10, 2008
    Posts:
    237
    @Robin A., yes what you say makes sense and is a clear possibility.
     
Loading...
Thread Status:
Not open for further replies.