Cisco’s team at Talos today released a new free tool called MBRFilter that protects a computer’s MBR (Master Boot Record) sector against unauthorized access. This can be useful for safeguarding PCs against MBR-targeting malware, such as the Petya, Satana, or HDDCryptor ransomware.
What is MBR?
Master Boot Record (MBR) is the first sector (512 bytes) on your hard drive, which stores the bootloader, a piece of code that is responsible for booting the current operating system. Technically, the bootloader is the first code that gets executed after the system BIOS, and it tells your computer what to do when it starts.
Boot malware, or bootkits, can install ransomware or other malicious software into your Windows kernel, where it is almost impossible to detect, and thereby gain unrestricted and unauthorized access to your entire computer.
So, the best way to protect your computer against such bootkits is to prevent unauthorized software from rewriting or overwriting your MBR. At its core, MBRFilter is nothing more than a driver that puts your MBR into a read-only mode and prevents any application from modifying or writing data to that particular section of your hard drive.
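A complementary integrity check, as an added example that is not part of MBRFilter or any Talos code: it parses a 512-byte MBR sector, validates its layout, and compares a hash of the boot code against a known-good baseline to flag modification. The function names and the sample sector are constructed for illustration, and the sector is assumed to have been read from a disk image beforehand.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440        # bytes 0..439: bootstrap code (Windows keeps a disk signature in 440..445)
TABLE_OFFSET = 446         # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"    # boot signature in the last two bytes
ENTRY_FORMAT = "<B3xB3xII" # status, CHS (skipped), type, CHS (skipped), LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Validate a raw MBR sector and return its boot-code hash and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FORMAT, entry)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    digest = hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": partitions}

def mbr_changed(baseline: dict, current: dict) -> list:
    """Return the names of the MBR regions that differ from the baseline."""
    return [k for k in ("boot_code_sha256", "partitions") if baseline[k] != current[k]]

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: one bootable type-0x07 partition at LBA 2048."""
    entry = struct.pack(ENTRY_FORMAT, 0x80, 0x07, 2048, 204800)
    body = boot_code.ljust(TABLE_OFFSET, b"\x00") + entry + b"\x00" * 48
    return body + SIGNATURE

if __name__ == "__main__":
    # Constructed inputs: the same partition table with different boot code.
    known_good = parse_mbr(build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 64))
    modified = parse_mbr(build_sample_mbr(b"\xeb\x3c\x90" + b"\xcc" * 64))
    print("partitions:", known_good["partitions"])
    print("changed regions:", mbr_changed(known_good, modified))
```

Storing the baseline hash somewhere other than the monitored disk keeps the comparison meaningful if the disk itself is tampered with.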
The MBR stands for Master Boot Record and is a special section of all hard disk drives.
The MBR is located right at the beginning of the HDD’s storage space and keeps information on partitions in a component called the MFT, or the Master File Table.
The Talos team has uploaded a video regarding this:
The open source release of MBRFilter can be obtained here.
In addition to the open source code being released, Talos is also releasing a signed driver that can be installed on 32-bit and 64-bit Windows installations. Installation is performed by right-clicking on the INF file included in the linked Zip archive and selecting Install. The installation does require a system restart.