MBRFilter - Protect Against Master Boot Record Malware.

Data

MBR Filter is a simple disk filter based on Microsoft's diskperf and classpnp example drivers.

Talos said:
MBR Filter is a simple disk filter designed by Cisco Talos to block write access to the Master Boot Record (MBR). The MBR is used to store information related to how the storage device is partitioned, as well as details regarding the filesystem configuration on the device. MBR Filter prevents rootkits, bootkits, and ransomware, such as Petya Ransomware, from overriding the operating system’s (OS) boot loader. Ransomware, like Petya, overwrites and encrypts the victim’s Master File Table (MFT) to coerce them into paying for an encryption key.

Read more about MBR Filter at http://www.talosintelligence.com/mbrfilter/

Note from Talos: This tool is not officially supported and the user assumes all liability for the use of this tool.

Data's notes:
  • For peace of mind, always have a full and up-to-date backup of your hard drive, including the boot sector/partition, prior to installing any software that modifies your boot drive, so that if you come across any issue, you can easily reverse any changes made.
  • Dual boot Linux/Windows installs: ensure you install Linux/Grub/Lilo before applying MBR Filter. Back up the boot sector/partition before and after the Grub/Lilo install and before applying MBR Filter, and be prepared to restore and re-apply the boot sector/partition before any Grub/Lilo updates that require writing to Sector 0 to be allowed.
  • Consult any issue reports to determine if you are willing to work through any issues that may arise.
Pros
  • A simple, effective and cost-effective way to protect against rootkits, bootkits, and ransomware such as Petya
Cons
  • At the time of writing, MBR Filter by default installs on and protects the main boot drive; there is no option to define which drive MBR Filter is installed to, see issue #8.
Note: The limitation described has 2 workarounds, however.
1. By unplugging your main boot drive and plugging the secondary drive into the same port, making it the main boot drive during the MBR Filter installation.

2. Instead of unplugging drives, and if your BIOS supports it, you can also disable the main boot drive port in BIOS and change the boot sequence option in BIOS to point to the secondary drive you wish to apply MBR Filter to...

Both of those workarounds, it goes without saying, will need rinse and repeat depending on what you need to do and your setup configuration/needs.


Download 32/64-bit:
Support and Issues: https://github.com/vrtadmin/MBRFilter/issues

Feedback welcome
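The notes above recommend backing up the boot sector before and after bootloader installs. The following is an added example, not part of the original post or of MBRFilter: it checks two 512-byte sector 0 backups and reports whether the boot code or the partition table differs. The function names and the sample sector are constructed for illustration, and how the backup image is captured from the disk is left to your imaging tool.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446      # bytes 0..445: bootstrap code area
TABLE_END = 510          # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"  # bytes 510..511: boot signature

def parse_mbr(sector: bytes) -> dict:
    """Validate a sector 0 image and return its boot code hash and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    if sector[TABLE_END:] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[BOOT_CODE_END + 16 * i: BOOT_CODE_END + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"slot": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    digest = hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": parts}

def diff_backups(before: bytes, after: bytes) -> list:
    """Name the MBR regions that differ between two validated backups."""
    parse_mbr(before)  # raises if either image is not a plausible MBR
    parse_mbr(after)
    changes = []
    if before[:BOOT_CODE_END] != after[:BOOT_CODE_END]:
        changes.append("boot code")
    if before[BOOT_CODE_END:TABLE_END] != after[BOOT_CODE_END:TABLE_END]:
        changes.append("partition table")
    return changes

def make_sample(boot_byte: int) -> bytes:
    """Constructed sample: filler boot code plus one bootable type-0x07 entry."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return bytes([boot_byte]) * BOOT_CODE_END + entry + bytes(48) + SIGNATURE

if __name__ == "__main__":
    before, after = make_sample(0x90), make_sample(0xCC)
    print(parse_mbr(before)["partitions"])
    print(diff_backups(before, after))
```

A "boot code" difference between the pre-install and post-install backups is expected after a Grub/Lilo install; an unexpected one between later backups is the kind of change worth investigating.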
 