MBR boot virus 'detected' when TrueCrypt whole disk encryption is being used

Discussion in 'ESET NOD32 Antivirus v4 Beta Forum' started by agost, Jan 6, 2009.

Thread Status:
Not open for further replies.
  1. agost (Registered Member; joined Dec 23, 2007; 7 posts)
    Hello,

    I've been using ESS v3 for the past year and I thought I'd try AntiVirus v4 beta. As soon as I installed it, I got a virus warning:

    "Startup scanner boot sector MBR sector of the 0. physical disk probably unknown TSR.BOOT virus unable to clean"

    This is probably due to the fact that when whole disk encryption is set up using TrueCrypt, it places the TrueCrypt bootloader in the MBR. Good thing that no automatic action was taken by the ESET AntiVirus!

    I think that this is something that ESET should deal with, perhaps with a whitelist of trusted/known boot loaders? Maybe it's also an issue for PGP whole disk encryption - can someone else confirm?
     
  2. ASpace (Guest)

    It is not possible for any security product to automatically deal with the boot sector.

    Open the program's interface, click on "Help and support", then "Customer care support request (recommended)", fill in the ticket, and in the description part add a link to this thread. At the end, allow the program to send the SysInspector log file.

    Await an answer from ESET.
     
  3. spidey (Guest)

    I got the same error way back when I tried NOD32 v3 with Jetico BCVE. I didn't like that error nagging me or the proxy for web filtering, so I reverted back to NOD32 v2. I'm surprised you didn't get any nags about the MBR with v3.
     
  4. agoretsky (ESET Staff Account; joined Apr 4, 2006; 4,032 posts; California)
    Hello,

    If you can provide ESET with a copy of the master boot record from the hard disk drive, it can be examined by their virus researchers. If you are unsure of how to do this, please let me know and I will send you instructions.

    Regards,

    Aryeh Goretsky
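The two requests above, an MBR copy for the researchers and a whitelist of known boot loaders, both come down to reading the first sector of the disk, splitting it into its fixed fields and hashing the boot-code region. The script below is an added example, not code from the thread, from ESET or from TrueCrypt. It reads sector 0 from a raw device path (assumed to be run elevated: `\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux), checks the 0x55AA signature, decodes the four partition entries, and compares a SHA-256 of the 440-byte boot-code area against a baseline map. The two boot-code blobs and the partition layout are constructed sample data and do not represent any real loader.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440      # bytes 0..439: boot code on a classic MBR
DISK_SIG_OFFSET = 440    # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446  # four 16-byte partition entries
BOOT_SIG_OFFSET = 510    # 0x55 0xAA


def read_first_sector(device_path):
    """Read the raw MBR from a block device, e.g. r'\\.\PhysicalDrive0' on
    Windows (run elevated) or '/dev/sda' on Linux (run as root)."""
    with open(device_path, "rb") as dev:
        sector = dev.read(SECTOR_SIZE)
    if len(sector) != SECTOR_SIZE:
        raise ValueError("short read: %d bytes" % len(sector))
    return sector


def boot_code_hash(sector):
    """SHA-256 of the boot-code region only (partition table excluded, so the
    hash is stable across repartitioning)."""
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def parse_mbr(sector):
    """Split a 512-byte MBR into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for index in range(4):
        off = PART_TABLE_OFFSET + index * 16
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": index, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    disk_sig = struct.unpack("<I", sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0]
    return {"boot_code_sha256": boot_code_hash(sector),
            "disk_signature": disk_sig, "partitions": partitions}


def classify_boot_code(sector, trusted):
    """Whitelist lookup: label from `trusted` (sha256 -> label) or 'unknown'."""
    return trusted.get(boot_code_hash(sector), "unknown")


def build_sample_mbr(boot_code, disk_signature, entries):
    """Assemble a constructed MBR for offline testing (not a real bootloader)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_signature)
    for index, (bootable, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFFSET + index * 16,
                         0x80 if bootable else 0x00, b"\xff\xff\xff", ptype,
                         b"\xff\xff\xff", lba_start, sectors)
    sector[BOOT_SIG_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


# Constructed sample data: two fake boot-code blobs standing in for a stock
# Windows MBR and for some third-party loader. Neither is real code.
STOCK_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40 + b"STOCK-MBR-SAMPLE"
LOADER_BOOT_CODE = b"\xea\x1e\x06\x00\x00" + b"\x90" * 40 + b"OTHER-LOADER-SAMPLE"
PARTITIONS = [(True, 0x07, 2048, 204800)]   # one bootable NTFS partition

STOCK_MBR = build_sample_mbr(STOCK_BOOT_CODE, 0xDEADBEEF, PARTITIONS)
LOADER_MBR = build_sample_mbr(LOADER_BOOT_CODE, 0xDEADBEEF, PARTITIONS)

# Baseline captured from a known-good disk; here it holds only the stock sample.
TRUSTED = {boot_code_hash(STOCK_MBR): "stock-sample"}

if __name__ == "__main__":
    for name, mbr in (("stock", STOCK_MBR), ("loader", LOADER_MBR)):
        info = parse_mbr(mbr)
        print(name, classify_boot_code(mbr, TRUSTED), info["partitions"])
```

To capture a real MBR for a support ticket, call `read_first_sector(r"\\.\PhysicalDrive0")` from an elevated prompt and write the 512 bytes to a file. Two caveats on the whitelist: the baseline must be taken from a disk that is known clean, or an already-modified MBR is simply whitelisted; and this hashes only the first sector, while a loader that continues into the sectors after the MBR would need those sectors hashed as well to be covered.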
     
  5. agost (Registered Member; joined Dec 23, 2007; 7 posts)
    OK, I will send a copy by email.

    I only got this warning the first time I installed EAV v4 beta. When I do an on-demand scan now with v4 and specifically check the boot sector of C: drive, I do not get a virus warning, which is confusing.

    I previously had a registered copy of ESS v3. I did not get a warning then. However, at the time I installed ESS v3 first, then set up the whole disk encryption afterwards, and I never did an on-demand scan or set up a scheduled task with v3. I'm not sure if it will scan the MBR automatically; I assume the real-time protection is just for accessed files.
     
  6. funkydude (Registered Member; joined Apr 5, 2004; 6,853 posts)
    Any update on this? Did you get a reply agost?
     
  7. agost (Registered Member; joined Dec 23, 2007; 7 posts)
    No reply so far. I sent the MBR copy to betasupport@eset.sk, with an explanation pointing to this forum page. Should I be expecting a reply?
     
  8. ASpace (Guest)

    You'd better try support@eset.com. When I used betasupport at the beginning of the v4 beta program, I didn't get replies, or it was too late when an email arrived back.
     
  9. agoretsky (ESET Staff Account; joined Apr 4, 2006; 4,032 posts; California)
    Hello,

    Private message sent.

    Regards,

    Aryeh Goretsky
     
  10. funkydude (Registered Member; joined Apr 5, 2004; 6,853 posts)
    Has this been resolved, via PM or other means?
     
  11. agost (Registered Member; joined Dec 23, 2007; 7 posts)
    I sent an email (no reply yet) with a copy of MBR and boot sector. However, in the email I also said that "I can no longer reproduce the problem even after I uninstall and reinstall EAV v4 Beta 1, and an on-demand scan of c: boot sector does not produce any warnings. I have tried experimenting on virtual machines as well and could not reproduce the problem."

    So the fact that it is not reproducible is confusing. However, this also means that this boot-loader problem is no longer a big issue for me.

    I would encourage people to try some quick tests with TrueCrypt (or PGP/Jetico if you have the license), to see how it goes on your system. In the meantime, I'll keep you guys updated if there's anything new.
     