MBR protected, too?

Discussion in 'General Returnil discussions' started by VanguardLH, Dec 29, 2010.

Thread Status:
Not open for further replies.
  1. VanguardLH

    VanguardLH Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    96
    From the online manual, "Viruses, Trojans, Worms, Adware, Spyware, Keyloggers, Rootkits and unwanted content disappear with a simple reboot". So I'm wondering just how the MBR (or, at least, the bootstrap area) is protected (or restored).

    I've been hunting around the forum trying to determine if RSS will protect the MBR (master boot record). Presumably this would be the MBR of the first detected hard disk by the BIOS (which would then load the bootstrap program from that disk's MBR). I saw ColdMoon state (https://www.wilderssecurity.com/showpost.php?p=1732376&postcount=6) that RVS/RSS will protect the MBR.

    - Is all of the MBR protected? Or are the partition tables and disk sig ignored and just the 446 bytes for the bootstrap area protected? Malicious code would show up in the bootstrap area but malware might also try to change the partition tables (so the disk becomes unusable after rebooting and no longer inside the prior virtualized Windows session).

    - By "protection", does that mean RSS will overwrite the bootstrap area with standard boot code (like you get using Win98's "fdisk /mbr" or NT's fixmbr program)? Or does it save a copy of whatever is currently there and then reinstate it on a reboot? I use Acronis TrueImage (ATI) to save image backups (fulls and incrementals) of my partitions. I enabled its Recovery Manager which usurps the bootstrap code in the MBR. So if standard bootstrap code got put back into the MBR then I'd lose the ability to load ATI's RM on boot (until I noticed the loss and re-enabled it in ATI's configuration).

    I'm not sure just how RSS could protect the MBR. Even if it intercepted changes to the bootstrap code, won't those changes still be there when the computer gets rebooted? The MBR's bootstrap code runs first before any OS gets loaded. RSS wouldn't have a chance yet to load and to restore the bootstrap code. The malicious code runs first then RSS sometime later on a reboot.

    Does RSS, when a safe session is active, intercept any changes to the MBR (partition table, bootstrap, or disk sig modifications)? Seems that would be the only way to prevent the malicious code from getting into the bootstrap area of the MBR or the partition tables getting corrupted. However, would that MBR protection be part of the Virus Guard functionality in RSS (something that I've disabled in the past to ensure no conflict with anti-virus software)?
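As an added example (not from this thread and not Returnil's code), the following Python script parses the MBR layout VanguardLH describes and hashes each region separately, so a snapshot taken before a session can be compared with the sector afterwards and the comparison says whether a change hit the bootstrap code, the disk signature or the partition table. The sample MBR is constructed inline; the region boundaries are the standard ones (446 bytes before the partition table, with the 4-byte Windows disk signature at offset 440 inside that area, then four 16-byte partition entries and the 0x55AA marker).

```python
import hashlib
import struct

MBR_SIZE = 512
# Classic layout: 446 bytes ahead of the partition table, 4 x 16-byte entries, 0x55AA.
# Windows stores its 4-byte disk signature at offset 0x1B8 (440), inside those 446 bytes,
# so the bootstrap code proper is the first 440 bytes.
BOOTSTRAP_END = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510

# Byte ranges [start, end) that are hashed and compared independently.
REGIONS = {
    "bootstrap": (0, BOOTSTRAP_END),
    "disk_signature": (DISK_SIG_OFF, PART_TABLE_OFF),
    "partition_table": (PART_TABLE_OFF, BOOT_SIG_OFF),
    "boot_signature": (BOOT_SIG_OFF, MBR_SIZE),
}


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, disk signature and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap": sector[:BOOTSTRAP_END],
        "disk_signature": disk_sig,
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
    }


def region_hashes(sector: bytes) -> dict:
    """SHA-256 of each region, so a later comparison can localise a change."""
    return {name: hashlib.sha256(sector[a:b]).hexdigest() for name, (a, b) in REGIONS.items()}


def changed_regions(baseline: bytes, current: bytes) -> list:
    """Names of the regions whose contents differ between two MBR snapshots."""
    base, cur = region_hashes(baseline), region_hashes(current)
    return [name for name in REGIONS if base[name] != cur[name]]


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not read from a real disk)."""
    # Two-byte 'jmp $' stub padded with NOPs stands in for real boot code.
    bootstrap = b"\xEB\xFE" + b"\x90" * (BOOTSTRAP_END - 2)
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    # One bootable NTFS-type (0x07) partition starting at LBA 2048, 204800 sectors long.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    sector = bootstrap + disk_sig + table + b"\x55\xAA"
    assert len(sector) == MBR_SIZE
    return sector


if __name__ == "__main__":
    baseline = build_sample_mbr()
    info = parse_mbr(baseline)
    print("disk signature: 0x%08X, signature ok: %s" % (info["disk_signature"], info["signature_ok"]))
    for p in info["partitions"]:
        print("  entry %d: type 0x%02X, LBA %d, sectors %d, bootable=%s"
              % (p["index"], p["type"], p["lba_start"], p["sectors"], p["bootable"]))
    # Simulated post-session sector with the first two bootstrap bytes replaced.
    modified = b"\x31\xC0" + baseline[2:]
    print("changed regions:", changed_regions(baseline, modified))
```

To use it against a real disk, read the first 512 bytes of the raw device (for example `/dev/sda` on Linux, which needs root) before entering the virtual session and again after the reboot, then call `changed_regions` on the two snapshots; a difference confined to `partition_table` points at the kind of damage VanguardLH worries about in the first bullet, while a difference in `bootstrap` is what a boot-code change like Acronis' Recovery Manager (or an infection) would produce.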
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    The MBR and low sectors for the System are protected by not allowing them to be written to while in Virtual Mode. Other than this, RSS/RVS do not modify or make use of the MBR in any way.

    Mike
     
  3. VanguardLH

    VanguardLH Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    96
    That's good news. Hopefully it is an intrinsic protection (i.e., part of the base feature set) and not part of Virus Guard. Thanks for replying.
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Yes, it is an integral part of the virtualization driver itself and has no settings which can be altered. Enter Virtual Mode and the MBR is protected automatically.
     