Every once in a while I’ll highlight a tool on my blog. Today, I want to point out a free tool that protects your master boot record from being modified by malware. This is how many forms of ransowmare, rootkits and other wanted programs own a machine. Simply install this tool and it will force your system to run in safe mode when modifications are done to the master boot record. You can learn more and download the tool at https://www.talosintelligence.com/mbrfilter.
Here is a write up of the tool
MBR Filter is a simple disk filter designed by Cisco Talos to block write access to the Master Boot Record (MBR). The MBR is used to store information related to how the storage device is partitioned, as well as details regarding the filesystem configuration on the device. MBR Filter prevents rootkits, bootkits, and ransomware, such as Petya Ransomware, from overriding the operating system’s (OS) boot loader. Ransomware, like Petya, overwrite and encrypt the victim’s Master File Table (MTF) to coerce them into paying for an encryption key.
MBR Filter, once installed, requires the system to boot in Safe Mode to enable write access to make changes to the device. This prevents malicious software from writing to or modifying the contents of this section of the machine or any disks connected to the system. MBR Filter enables users to effectively protect their systems from various malware families and disrupts the operations of cyber criminals, making their malware ineffective. Talos offers the MBR Filter in two formats usable on Windows based systems: open source which can be used and modified by anyone and a precompiled, signed driver executable that can be installed.
MBRFilter has been intentionally made difficult to remove to prevent malware from simply disabling or removing
this protection during the infection process. Test thoroughly before deploying within production environments.