MBRFilter Safeguards Computers Against MBR Malware and Ransomware

Discussion in 'other anti-malware software' started by hawki, Oct 20, 2016.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,753
    Location:
    DC Metro Area
    "Yesterday, researchers from Cisco reported that the new free tool MBRFilter, which protects a computer’s MBR sector against unauthorized access, can be used for safeguarding machines against MBR-targeting malware like Satana, Petya, or HDDCryptor ransomware.

    In fact, MBRFilter is just an ordinary driver which changes your MBR into a read-only mode and prevents applications from modifying or writing data to that particular section of your hard drive..."

    http://virusguides.com/mbrfilter-safeguards-computers-mbr-malware-ransomware/

    Cisco Talos releases open source MBRFilter

    http://blog.talosintel.com/2016/10/mbrfilter.html

    Download is here:

    https://github.com/vrtadmin/MBRFilter/releases/tag/1.0

    "...In addition to the open source code being released, Talos is also releasing a signed driver that can be installed on 32-bit and 64-bit Windows installations. Installation is performed by right-clicking on the INF file included in the linked Zip archive and selecting Install. The installation does require a system restart.

    The 32-bit installation can be obtained here.

    The 64-bit installation can be obtained here. "
     
    Last edited: Oct 20, 2016
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    Thank you! Nice finding!
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Interesting. Also nice for the fact that Cisco/Talos has open-sourced the code for this tool. Talos does fantastic security research as well and they must see an important need for such protection. This does not seem to be cross-signed by Microsoft Windows at the moment, although I am not certain whether that would be required or not for Windows 10 AU.
     
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    7,636
    Location:
    Hawaii
    @ hawki - Got it. A plethora of thanks unto thee!!!
     
  5. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,549
    I suppose this driver is intended for BIOS firmware, or for UEFI firmware working in legacy mode.

    Secure boot works with UEFI firmware in native mode. In this mode, the MBR is not operative, and is retained only for compatibility purposes, so it seems to me that it´s not important if the driver can be installed or not.
     
  6. I L M B

    I L M B Registered Member

    Joined:
    Mar 29, 2016
    Posts:
    7
    Location:
    Seattle, WA
    From: http://www.pcworld.com/article/3133...ects-pcs-from-master-boot-record-attacks.html

    "Microsoft attempted to solve the bootkit problem by implementing cryptographic verification of the bootloader in Windows 8 and later. This feature is known as Secure Boot and is based on the Unified Extensible Firmware Interface (UEFI)—the modern BIOS. The problem is that Secure Boot does not work on all computers and for all Windows versions and does not support MBR-partitioned disks at all. This means that there are still a large number of computers out there that don’t benefit from it and remain vulnerable to MBR attacks."
     
  7. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Just dropped in to get your opinion as I received a PCworld email linking it. My specific question is/was going to be, Do you think it will conflict or at least annoy WinAntiRansom? I snapped a Macrium Reflect incremental so I'll let you know how it goes!
    Update: All seems normal! Any chance it could affect Macrium Win PE recoveries?
     
    Last edited: Oct 20, 2016
  8. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,413
    Location:
    Triassic
    Looks interesting.

    I have a Lenovo system and it uses an mbr which does not have the usual size of 512, but 2048 byte. Assuming it will not be a problem, but do not want to boot into safe mode only to find out that the mbr has been corrupted.
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    It shouldn't conflict.
    The minifilter prevents writes to "sector 0". Only if one of your program is known to write to this sector you should disable the minifilter temporarily.
    (Partition the harddisk / encrypt your system-volume with VeraCrypt-TrueCrypt / build an USB-stick with "Rufus" or other software / ...)
     
  10. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    I just restored a Macrium Reflect image without issue. It indeed just re-writes the MBR that it snaptshot so I'm sure it includes the read only code. Very common sense solution, thus surprised it took this long for the idea to manifest itself.
     
  11. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,192
    Tencent PC Manager has had a similar feature for a month or so. For example, it prevents Rufus from formatting a flash drive. The first time Rufus was blocked I got a warning message from PC Manager, but since then Rufus has just been blocked with no notification.
     
  12. Thx, installed it I remember Blueridge offering a freeware MBR guard in the past, also I think an asian company (nProtect) also offered a MBR guard.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,428
    Location:
    U.S.A.
  14. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,538
    Once installed, can this be easily undone?
    "MBRFilter has been intentionally made difficult to remove to prevent malware from simply disabling or removing this protection during the infection process. Test thoroughly before deploying within production environments"

    Edit: Found the answer for uninstalling in the readme.
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    According to the website, yes:
    Edit: Oh, you already found the answer ;)
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    Does Tencent have a HIPS? What type of behavior does it monitor? Most HIPS should be able to protect the MBR, SpyShelter also offers this.
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    This tiny driver can be a good choice even if a HIPS is installed, it's an additional protection-layer.
    Even if the user "accidentially" allows the action in SpyShelter or something like a "Trusted program" wants to modify it, the MBR stays secured.
    If the driver is installed:
    Disadvantage: the user has modify the registry and reboot to allow the change of the MBR / Or has to reboot into safe mode.
    Advantage: in the case of an "user-error", the MBR is secure.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    Yes, good point. But it should not conflict with other tools of course, for example HMPA also protects the MBR.
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    With HMP.A the user has a "visual clue" if the MBR is protected or not, and the protection can be enable/disabled with a simple mouse-click (and without a reboot) (=user-friendly)
    So especially in this case the MBR-filter is not really needed.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    How about Shadow Defender + MBRFilter
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    SD is already protecting the MBR, if you boot into a Shadow-Session.
    If you only shadow a data partition, the MBR of this disk may be protected too from SD.
    But that could be a question for the SD-thread :cautious:
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,428
    Location:
    U.S.A.
    Tip to all - check if you have security software that monitors driver loading. I had to manually add MBRFilter.sys to Eset's HIPS driver allow load list.

    I have also observed a noticeable slow down in Win 10 boot time with this driver installed.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,428
    Location:
    U.S.A.
    Yes and no. Plus what they are monitoring is low-level disk access. With many HIPS's, a user rule must be manually created. This type of HIPS low-level disk access monitoring can also cause conflict with a few Win processes such as shadow volume copy.
     
  24. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,192
    It has proactive protection, but I'm not sure exactly what is monitored.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,870
    Location:
    U.S.A. (South)
    Exactly. And I very do well remember testing nProtect back on XP and it easily blocked that notoriously nasty KillDisk MBR attacker in Real-Time which was really welcome.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.