
MBR protection

  • 25 December 2016
  • 8 replies
  • 3476 views

Userlevel 7
Badge +51
Add MBR (Master Boot Record) protection function

like this

for example:
PETYA Crypto-ransomware Overwrites MBR
This will improve protection against ransomware (Petya, GoldenEye, etc.)

8 replies

Userlevel 7
Sounds like a good idea to me, especially if it can be done without adding bloat to the installer/application.

Baldrick
Userlevel 7
Badge +55
I don't know if it's a big issue or a hole in WSA's defences, as most if not all new systems run in UEFI mode. WSA does scan the MBR, but in my case I don't have an MBR. I also expect WSA's real-time shield would protect the MBR and, if need be, it could be rolled back just like the OS itself. Good question for @ or @ though!

Daniel
 

Userlevel 7
Badge +51
"I don't know if it's a big issue or a hole in WSA's defences as most if not all new systems run via UEFI mode but WSA does scan the MBR but in my case I don't have an MBR."

Scan MBR? MBR protection?
Userlevel 7
Badge +55
We will have to wait to hear what the Webroot staff have to say!
Userlevel 7
I read an interesting archived thread (at Wilders) about this where Joe made comments like:

"if an untrusted program tries to modify the MBR, WSA will show a warning and automatically block it (controlled by the realtime scanning option as pegr said). We use the cloud to ensure we aren't blocking legitimate changes as some programs like Rollback Rx can corrupt the system if not allowed to make their modifications."

pegr asked:
"AVs traditionally operate on a default-allow basis so it will be interesting to know if WSA has reversed this in favour of default-deny with regards to MBR protection."

Joe's reply:
"It is default deny but it will prompt you. WSA tries to remain as silent as possible except in this case as an MBR modification is extremely suspicious"
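The Petya example in the opening post and the "MBR modification is extremely suspicious" point quoted above both come down to one check: has the first sector of the disk changed since a known-good baseline, and if so, which part of it? The script below is an added example, not Webroot's code or anything from the quoted thread. It parses a 512-byte MBR (boot code, disk signature, four partition entries, 0x55AA boot signature), fingerprints the boot code and the partition table separately, and reports what differs from a stored baseline. The sample sectors are constructed inline: a placeholder boot stub stands in for a real boot loader, and the "tampered" copy has only its boot code replaced, which is the pattern of an MBR-overwriting bootkit or ransomware that leaves the partition table intact so the machine still appears to boot. `read_physical_mbr` is an assumption about how you would feed it a live sector on Windows (raw read of `\\.\PhysicalDrive0`, administrator rights required); the constructed samples run anywhere without it.

```python
"""Read-only MBR integrity check: parse a 512-byte sector, fingerprint its
boot code and partition table separately, and report what changed against a
known-good baseline. Example code added to this thread, not Webroot's code."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot loader code
DISK_SIG_OFF = 440           # bytes 440..443: NT disk signature
PART_TABLE_OFF = 446         # 4 x 16-byte partition entries (446..509)
BOOT_SIG = b"\x55\xaa"       # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into its fields; raises on a sector of the wrong size."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, num_sectors = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": num_sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "boot_signature_ok": sector[510:512] == BOOT_SIG,
    }


def fingerprint(sector: bytes) -> dict:
    """Hash boot code and partition table separately so a finding can say
    which region of the MBR was rewritten."""
    return {
        "boot_code": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table": hashlib.sha256(sector[PART_TABLE_OFF:510]).hexdigest(),
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector against a stored baseline fingerprint.
    Returns a list of findings; an empty list means nothing changed."""
    findings = []
    mbr = parse_mbr(sector)
    current = fingerprint(sector)
    if not mbr["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if current["boot_code"] != baseline["boot_code"]:
        findings.append("boot code rewritten (bootkit/ransomware-style MBR overwrite)")
    if current["partition_table"] != baseline["partition_table"]:
        findings.append("partition table changed")
    if not any(p["type"] for p in mbr["partitions"]):
        findings.append("no partitions defined")
    return findings


def read_physical_mbr(path=r"\\.\PhysicalDrive0") -> bytes:
    """Assumed way to read the live MBR on Windows (administrator rights needed).
    Not called by the constructed samples below, which run on any OS."""
    with open(path, "rb", buffering=0) as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: the given boot code, one bootable NTFS-type
    partition starting at LBA 2048, a fixed disk signature, valid 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Known-good sector (placeholder stub instead of a real boot loader) and a
# tampered copy in which only the boot code was replaced, leaving the
# partition table untouched so the disk still looks normal to a quick glance.
GOOD_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 24)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"FAKE-BOOTLOADER".ljust(100, b"\x00"))
BASELINE = fingerprint(GOOD_MBR)

if __name__ == "__main__":
    print("baseline:", check_mbr(GOOD_MBR, BASELINE))      # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Hashing the two regions separately matters in practice: partitioning tools and Windows setup legitimately rewrite the partition table, and the quoted Rollback Rx case rewrites the boot code, so a single whole-sector hash gives you one undifferentiated alert for all of them. Storing the baseline somewhere the sector-writing process cannot reach (on another host, or in a signed record) is what keeps the check honest; a baseline kept on the same disk can be updated by the same malware that overwrote the MBR.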
Userlevel 7
Interesting, Dermot... personally I would prefer to have an option like the one for the HOSTS file so that I can decide if I want to restrict activity around the MBR, etc.
 
Regards, Baldrick
Great suggestion.
Userlevel 3
Badge +10
Enabling Secure Boot is supposed to do this kind of protection at a much lower level. Recently there has been news of UEFI malware that can overwrite critical boot items, creating a persistent rootkit. I won't claim to know how to stop this, but I would like to add that detection of this attack vector is critical. This is the new MBR virus for Secure Boot systems:
https://arstechnica.com/information-technology/2018/10/first-uefi-malware-discovered-in-wild-is-laptop-security-software-hijacked-by-russians/
