To what extent can & does WSA protect the MBR

Discussion in 'Prevx Releases' started by Baldrick, Jul 22, 2012.

Thread Status:
Not open for further replies.
  1. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi there all

    Am experimenting with AppGuard; specifically for the protection it can afford the MBR. Now that set me thinking about MBR protection generally and I am wondering to what extent can & does WSA protect the MBR.

    I suspect that in terms of the main possible culprits it handles them just like most other AVs / ISs but given the nature of the MBR and where it 'sits' in the boot process I would like to be sure.

    Could any of the knowledgeable brethren advise on this?

    My thanks in anticipation.

    Regards



    Balders
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I don't think it prevents the MBR from being modified in the way that AppGuard does, but WSA does scan the MBR in real-time - See Scan Settings in the Settings dialog for confirmation.

    Kind regards
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm not sure what AppGuard does, but if an untrusted program tries to modify the MBR, WSA will show a warning and automatically block it (controlled by the real-time scanning option as pegr said). We use the cloud to ensure we aren't blocking legitimate changes as some programs like Rollback Rx can corrupt the system if not allowed to make their modifications.

    Hope that helps! :)
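The posts above are about blocking writes to the MBR as they happen. The complementary check a practitioner wants when testing any such product is an offline one: read sector 0 before and after a test and see whether the bootstrap code or partition table changed. The following is an added example written for this page; it is not code from the thread, from Webroot or from AppGuard. It parses a 512-byte MBR image, fingerprints the 446-byte bootstrap area and the four partition entries, and reports differences between a saved baseline and a later read. All sample bytes (the stub bootstrap, the single NTFS partition, the simulated bootkit patch) are constructed here for the demonstration; the function, variable and file names are the author's own choices, and `read_mbr_from_device` is only shown, not exercised, since it needs administrator rights on a real disk.

```python
# Added example (not from the thread or from Webroot/AppGuard): parse a 512-byte
# MBR image, fingerprint the bootstrap code and partition table, and report what
# changed between a saved baseline and a later read. All sample bytes are constructed.
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446      # bytes 0..445: bootstrap code, the part a bootkit overwrites
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511: boot signature


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian layout)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(data: bytes) -> dict:
    """Return a fingerprint of the MBR: bootstrap hash plus decoded, non-empty partitions."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    if data[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    table = data[PART_TABLE_OFF:PART_TABLE_OFF + 64]
    partitions = [parse_partition_entry(table[i:i + 16]) for i in range(0, 64, 16)]
    return {
        "bootstrap_sha256": hashlib.sha256(data[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": [p for p in partitions if p["type"] != 0x00],  # skip empty slots
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """List human-readable differences between two MBR images; empty list means unchanged."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    changes = []
    if old["bootstrap_sha256"] != new["bootstrap_sha256"]:
        changes.append("bootstrap code changed (possible bootkit or KillDisk-style overwrite)")
    if old["partitions"] != new["partitions"]:
        changes.append("partition table changed")
    return changes


def read_mbr_from_device(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk. Needs administrator rights; on Linux use e.g. /dev/sda."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample: minimal bootstrap stub, one bootable NTFS partition, valid signature."""
    # cli; xor ax,ax; mov ss,ax; mov sp,7C00h; sti  (typical first instructions of an MBR)
    bootstrap = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB])
    bootstrap = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    # status=0x80 (bootable), type=0x07 (NTFS), LBA start 2048, 204800 sectors (100 MiB)
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * 16
    return bootstrap + part1 + empty * 3 + BOOT_SIG


def simulate_bootkit_write(mbr: bytes) -> bytes:
    """Constructed tampering: patch the first bytes of the bootstrap with a jump, the way
    MBR rootkits redirect the boot path. The partition table is left untouched on purpose."""
    patched = bytearray(mbr)
    patched[0:3] = b"\xe9\x00\x01"  # jmp rel16 (+0x100) placed before the original stub
    return bytes(patched)


if __name__ == "__main__":
    baseline = build_sample_mbr()
    print("baseline vs itself:", compare_mbr(baseline, baseline) or "no changes")
    tampered = simulate_bootkit_write(baseline)
    print("baseline vs tampered:", compare_mbr(baseline, tampered))
```

Usage on a real machine would be: save `read_mbr_from_device()` to a file once while the system is known-clean, run the MBR-modifying test (or the program whose behaviour you are checking), read the sector again and call `compare_mbr` on the two images. An unchanged bootstrap hash alongside a changed partition table is what a legitimate partitioning tool produces; a changed bootstrap hash with an unchanged table is the signature of the bootkit case the thread is concerned with.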
     
  4. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi pegr, Hi Joe

    Thanks both for the replies.

    From what you are saying and what I have found out about AppGuard, it would appear that both it & WSA do the same thing...with just how & on what basis the modification of the MBR is blocked being different (I think that AppGuard uses behavioural analysis & trust, etc., rather than checking in the cloud, etc.).

    It would be interesting to see if both are as effective as each other, etc., in terms of how they protect the MBR. But presumably in the case of WSA it works on the basis of if a new app is detected modifying the MBR and not known in the cloud at the time of detection then WSA allows it and monitors until cloud based analysis has confirmed the 'goodness/lack of' of the app and then cleans it/rolls back the changes made by the app?

    Regards



    Balders
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    My understanding is that if MBRGuard is enabled, AppGuard blocks ALL attempts to modify the MBR, irrespective of the trust status of the application. Here's how the AppGuard help file describes it: -

    "MBRGuard blocks all write operations to the Master Boot Record (MBR), thwarting vicious attacks such as KillDisk as well as rootkit-based malware infestations such as Mebroot.

    MBRGuard may interfere with some backup software. If you find that this protection is interfering with your PC's operation, it can be disabled from the Advanced Settings Tab on the AppGuard Configuration Interface. Once MBRGuard is disabled, it can be re-enabled from the Advanced Settings Tab. Note, a reboot is required in order to disable or enable this protection after clicking on the Advanced Settings Tab button."
     
  6. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Thanks pegr...had got that previously. But what interests me is whether the WSA protection is a better blend of security & usability when compared to the "just block it irrespective" approach of AG.

    I have RB Rx installed, which as I am sure that you know, modifies the MBR on install/uninstall, but between those two events AG seems to play well with it. However, I can see that failure to turn AG off at these points could cause a whole lot of bother, i.e., not so high in the usability stakes.

    Still thinking about this and wondering if anyone has tested WSA against MBR infectors & the like to see how effective the protection is?
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Maybe the best way to answer this is to consider what happens when WSA encounters a program of unknown status (i.e. not in its database) that tries to modify the MBR. If it denies the modification then the protection is as strong as AppGuard, with the added advantage that known good programs are allowed to make the modification without issue. On the other hand, if WSA allows the modification then there is a risk of MBR infection and the protection is not as strong as AppGuard.

    What the question fundamentally boils down to is whether the policy is one of default-deny or default-allow. AVs traditionally operate on a default-allow basis so it will be interesting to know if WSA has reversed this in favour of default-deny with regards to MBR protection.
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It is default deny but it will prompt you. WSA tries to remain as silent as possible except in this case as an MBR modification is extremely suspicious.
     
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    That's good to know. :thumb:
     
  10. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    The problem with the WSA pop-up is that it says "allowing in xx secs" so if it comes up while the user has their eyes off the screen or is away from the computer for 60 secs then it will be allowed to run - that to me is not default deny.
    What should happen is that the warning pop-up stays open on the screen until it is answered allow or block, no countdown - just blocked until a user decision is made.
    The real answer to this is to have 'novice' and 'advanced/expert' options in WSA.
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    For the firewall prompt, it will 'Allow in x seconds' but for the MBR prompt, it will Block in x seconds.

    Let me know if you're seeing something different!
     
  12. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    Thanks for the clarification Joe, haven't seen an MBR warning and hope I don't, I assumed - wrongly - that they would be the same.
    However, I would still like to see the 'allowing in xx secs' firewall prompts changed to a simple allow or block with no 'allowing in...'.
     
  13. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    I've asked one of the MBRGuard developers for a definitive answer with how it might be different from WSA. I'll let you know when he gets back to me.
     
  14. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    @ All who have responded

    Many thanks for an enlightened & informative debate.

    Two great products both helping, in their own way, to protect us. In terms of MBR protection I would be going with AppGuard apart from the fact that I have a WSA license and if there is little difference in the net effect then I will stay where I am. :D

    Thanks again all...it is the likes of you that make Wilders THE place to go for security-related information & advice.

    Regards


    Balders :D
     