nProtect MBR Guard let me down - Alternatives?

Discussion in 'other anti-malware software' started by CGuard, May 18, 2013.

Thread Status:
Not open for further replies.
  1. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    Every once in a while, I scan my system with anti-rootkit tools. Just yesterday, GMER's scan resulted in a "\Device\Harddisk0\DR0---Unknown MBR code" info entry. I knew that this MBR modification had been caused by Keriver's Recovery Console, but I decided to somewhat test nProtect's MBR protection (as I have done with other legitimate MBR-accessing programs) by selecting "Restore" from GMER's right-click menu. To my great surprise, a standard MBR was restored without any alert from nProtect's utility...

    I was wondering:

    q1: How did the MBR filter get bypassed? As I mentioned above, I have tested nProtect MBR Guard with other programs (non-malware/rootkit, though), and it succeeded in blocking the MBR accesses (e.g., Keriver's Recovery Console cannot be installed if the MBR is protected).

    q2: Is there any other way to protect the MBR WHILE being alerted, at the same time, about the related attempt to access/modify it, besides a full-blown HIPS?

    PS: Purchasing AppGuard just for the MBR Guard component is not an option for me.
     
  2. whitestar_999

    whitestar_999 Registered Member

    Joined:
    Apr 1, 2010
    Posts:
    101
    Someone can correct me if I am wrong, but it is my understanding that in Windows you can never fully protect the MBR. In Windows there are different levels of privileges, and once a program has the highest level privilege (access to the kernel, I think) then there is nothing it can't do, and it is limited only by its own functionality. GMER installs a temporary driver to scan and modify, and once you have given it permission to run it can do anything it is designed to do. This is the reason why it can detect/remove and modify rootkits, which also have the highest level privileges. Once two programs with the same highest level privilege compete against each other, the one with better code wins, which in this case is GMER.
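The two posts above make one practical point: a tool that loads its own kernel driver (GMER, or any rootkit with the same privilege) can rewrite sector 0 regardless of a user-mode guard, so prevention alone is not enough and q2's "alert me when it changes" is best served by an independent integrity check. The script below is an added example written for this thread, not code from nProtect, GMER or anyone in the discussion. It parses the 512-byte MBR (446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the 0x55AA boot signature), hashes the code and the table separately, and reports what changed against a saved baseline. The constructed sample MBRs, the function names and the `\\.\PhysicalDrive0` read at the bottom (which needs administrator rights on Windows) are all assumptions of this example.

```python
import hashlib
import struct
import sys

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16             # four entries, 446..509
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into hashes of its parts plus the decoded partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sector_count(4), little-endian
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PARTITION_ENTRY_SIZE]
        )
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "code_sha256": hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "table_sha256": hashlib.sha256(mbr[PARTITION_TABLE_OFFSET:510]).hexdigest(),
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def compare_to_baseline(baseline: dict, current: dict) -> list:
    """Return a list of human-readable findings; an empty list means no change."""
    findings = []
    if not current["valid_signature"]:
        findings.append("boot signature 55AA missing: sector 0 is not a valid MBR")
    if baseline["code_sha256"] != current["code_sha256"]:
        findings.append("boot code changed (bootkit, rootkit, or a tool restoring a standard MBR)")
    if baseline["table_sha256"] != current["table_sha256"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(code_marker: bytes) -> bytes:
    """Constructed sample MBR for offline testing (not a real disk image)."""
    code = code_marker.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    # one bootable NTFS-type (0x07) partition starting at LBA 2048, 204800 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return code + table + BOOT_SIGNATURE


def read_mbr_from_disk(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk (Windows path shown; needs admin rights)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    # Demo against the constructed samples: a baseline, then the same disk after
    # the boot code was replaced, as happened in the opening post.
    baseline = parse_mbr(build_sample_mbr(b"ORIGINAL-LOADER"))
    after_restore = parse_mbr(build_sample_mbr(b"STANDARD-MBR"))
    for line in compare_to_baseline(baseline, after_restore) or ["no change"]:
        print("ALERT:", line)
    if "--disk" in sys.argv:
        print(parse_mbr(read_mbr_from_disk()))
```

Run it once with `--disk` to record the baseline hashes somewhere the machine cannot silently rewrite (a file on removable media, or a note), then rerun on a schedule and compare. Because the check reads the sector rather than hooking the write, it cannot stop a kernel-privileged tool, but it does give the alert q2 asks for, and it catches the case in the opening post where the guard stayed silent.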
     
  3. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,068
    Location:
    Netherlands
    Nothing beats running as limited user :D
     
  4. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    I often see on this forum and others different terminology being used.
    I run as a standard user and I see others use a term "limited" user etc.

    Is there a difference or is it just different terms for the same thing?
     
  5. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
  6. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871