mbrguard alternative?

Discussion in 'other anti-malware software' started by lolpop, Jul 15, 2010.

Thread Status:
Not open for further replies.
  1. lolpop

    lolpop Registered Member

    Joined:
    Jul 15, 2010
    Posts:
    9
    Last edited: Jul 15, 2010
  2. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    LUA (limited user account)

    Furthermore, LUA does much more than MBRGuard.
     
  3. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    MBRguard will be integrated into AppGuard version 2.0, providing 64 bit support. AppGuard 2.0 will be released in August.

    Indeed, LUA precludes MBR write operations. At that point, the remaining value of MBRguard is protection from processes with higher privilege, either
    - hijacked/compromised 'trusted' processes
    - processes benefiting from a successful privilege escalation attack.

    These are quite rare for consumers. On the other hand, if you work in the Defense Department or some other high-value target...

    Also, if one should use a tainted installer, MBRguard would block write operations to MBR. However, I should think the installer would pursue other targets. And, on a 64 bit Windows, one enjoys pretty good protection for those other resources (e.g., drivers, kernel, etc.) from even this. In my own simple way of regarding things, with their new 64 bit OS's, Microsoft has significantly improved protection of resources in what I call 'system space'.

    Our high value target customers want MBRguard integrated into AppGuard (i.e., AppGuard Enterprise). Frankly, a standalone 64 bit MBRguard hasn't been a huge priority. We've always been intent on integrating it into AppGuard. Have we underestimated interest in such a standalone 64 bit MBRguard agent? If so, I'll see what I can do.

    Cheers,

    Eirik
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Eirik, good explanation, thanks buddy ;)
     
  5. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    I am very interested in that tool, yes!

    The new x64 TDSS rootkit uses the MBR to bypass PatchGuard. So I think an x64 MBR-Guard would be a very nice little feature to close this gap!

    I know that UAC protects the MBR but a lot of installers need admin rights. If the installer is infected the computer will become a bot.
     