MBRFilter protects the Master Boot Record against manipulation

Martin Brinkmann
Oct 21, 2016
Updated • Jan 7, 2017

MBRFilter is new open-source software for Windows devices, designed to protect the Master Boot Record against manipulation.

The Master Boot Record holds information about how partitions and file systems are organized on a storage device.

It triggers the loader of installed operating systems as well, which makes it an important part of any computer system.

If the Master Boot Record is altered, either accidentally or through malicious software, it may result in boot errors or other issues.

There is malware out there in the wild that overwrites the Master Boot Record with its own boot loader. Petya, a ransomware, does so for instance.

MBRFilter

The main purpose of MBRFilter is to protect the Master Boot Record against any form of manipulation.

Note: It is highly recommended to test the filter on a test system before it is installed on a production machine. Create a system backup before you do so in either case to be on the safe side.

Installation is a bit finicky. The filter is supplied as source, but also as a 32-bit and 64-bit driver for Windows. Make sure you download the correct version for Windows and unpack the downloaded archive afterwards.

The archive contains an .inf file and a .sys file. Right-click on MBRFilter.inf and select install from the context menu that opens. You are prompted to reboot the system afterwards to complete the installation.

If things worked well, Windows should boot again and you can start using the system like before. The only thing that you need to be aware of is that the driver will prevent writes to sector 0 on all drives, including writes that you would want to authorize. You may run into issues, for instance, when initializing new drives on the machine.

This can cause an issue when initializing a new disk in the Disk Management application. Hit 'Cancel' when it asks you to write to the MBR/GPT and it should work as expected.

Alternatively, if OK was clicked, then quitting and restarting the application will allow partitioning/formatting.

Removal is quite complicated as well. The GitHub project page lists all the steps required to remove MBRFilter from a machine again. Basically, the following steps need to be completed:

  1. Open a Registry Editor and remove the MBRFilter line from the UpperFilters value under the Registry key HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
  2. Reboot
  3. Use AccessMBR, a program that is supplied on the GitHub site as well, to verify that the MBR lock is disabled.

The only option you have to manipulate the boot sector while the driver is active is to boot into Safe Mode.
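The UpperFilters entry named in the removal steps above can be audited, and step 1 scripted, from an elevated PowerShell session. This is an added example, not code from the MBRFilter project; the function names are hypothetical, and it assumes the driver's service name is the same as its UpperFilters entry.

```powershell
# Added example, not from the MBRFilter project. Run in an elevated PowerShell session.
# Function names are hypothetical; the key path and the 'MBRFilter' entry are from the article.
$DiskClassKey = 'HKLM:\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'
$FilterName   = 'MBRFilter'

function Get-MbrFilterState {
    # UpperFilters is a multi-string value: one filter driver name per line.
    $prop = Get-ItemProperty -LiteralPath $DiskClassKey -Name UpperFilters -ErrorAction SilentlyContinue
    $filters = @($prop.UpperFilters | Where-Object { $_ })
    # Assumption: the driver's service name matches the UpperFilters entry.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$FilterName'"
    [pscustomobject]@{
        Registered   = $filters -contains $FilterName   # listed as an upper filter for disks
        UpperFilters = $filters
        DriverState  = if ($driver) { $driver.State } else { 'NotInstalled' }
        StartMode    = if ($driver) { $driver.StartMode } else { $null }
    }
}

function Remove-MbrFilterEntry {
    # Step 1 of the removal procedure; a reboot (step 2) is still required afterwards.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    $state = Get-MbrFilterState
    if (-not $state.Registered) {
        Write-Warning "$FilterName is not listed in UpperFilters; nothing to change."
        return
    }
    # Keep every other filter exactly as it is, in its original order.
    [string[]]$remaining = @($state.UpperFilters | Where-Object { $_ -ne $FilterName })
    if ($PSCmdlet.ShouldProcess($DiskClassKey, "Remove '$FilterName' from UpperFilters")) {
        if ($remaining.Count -eq 0) {
            # No other filters left: delete the value instead of writing an empty one.
            Remove-ItemProperty -LiteralPath $DiskClassKey -Name UpperFilters
        } else {
            Set-ItemProperty -LiteralPath $DiskClassKey -Name UpperFilters -Value $remaining -Type MultiString
        }
        [pscustomobject]@{ Before = $state.UpperFilters; After = $remaining }
    }
}

Get-MbrFilterState                # report only; changes nothing
# Remove-MbrFilterEntry -WhatIf   # preview the registry edit without applying it
```

On a protected machine `Registered` should be `True`; if it unexpectedly reads `False`, the filter has been unregistered and sector 0 will no longer be guarded after the next reboot.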

Closing Words

If you are worried particularly about malware that overwrites the Master Boot Record, or accidentally damaging it, then you may find MBRFilter useful as it prevents that from happening.

It may make more sense for most users to install anti-ransomware software or antivirus software instead, which should prevent ransomware or malware from running on the PC in the first place (and thus modifying the MBR).


Comments

  1. Wolfy169Peter said on October 24, 2016 at 4:02 am

    Ah!, the old Anarchist Cookbook, brings back many memories

  2. ANARCHY said on October 23, 2016 at 7:30 pm

    @SHAWN Anarchist cookbooks were text files, so no worries.

  3. MA said on October 22, 2016 at 5:41 pm

    I would like to install this, but I am curious if there are any compatibility concerns while using Bitlocker?

    1. Martin Brinkmann said on October 22, 2016 at 7:53 pm

      I have not tried it. I would assume that there won’t be any, as it protects the MBR from modifications but does not alter it.

  4. Tom said on October 22, 2016 at 8:14 am

    exactly my thoughts…

  5. John M said on October 22, 2016 at 1:52 am

    Last time I read, anti-ransomware software still could not detect MBR-attacking malware.

    1. John W said on October 22, 2016 at 6:31 pm

      No antivirus company would like to put themselves out of business. What happened to the antivirus hardware (chips) talked about 25 years ago?

  6. pHROZEN gHOST said on October 21, 2016 at 9:17 pm

    When you get so paranoid that you install every possible form of protection on your PC, all of that protection is going to cause you as much grief as the “nasties” you are trying to protect against. Just look at Avast’s recent attack on attempts by Mozilla to quickly deal with Firefox issues. Software companies like Mozilla are going to have to start testing their software with all of the protection software out there to ensure it isn’t mistreated. Oh no. That would be prohibitively costly. They will just leave it up to the user to deal with the mess.

    Be careful out there.

  7. chad said on October 21, 2016 at 7:19 pm

    Downloaded and installed on Windows 10, 64-bit system, installed with no issues. Here is the download link: http://www.softwarecrew.com/2016/10/stop-ransomware-infecting-your-mbr-with-mbrfilter/

  8. Kenneth Knudsen said on October 21, 2016 at 5:36 pm

    Dude where is the download link? If it’s supposed to be the landing page link, well then you messed it up cause it points to this very page.

    1. Martin Brinkmann said on October 21, 2016 at 7:39 pm

      Sorry for that, fixed it.

    2. Gary D said on October 21, 2016 at 6:00 pm

      @ Kenneth Knudsen

      “Dude where is the download link?”

      Why don’t you show a bit of initiative / self reliance, Try typing MBRfilter into your Browser’s search box.
      That’s not difficult now is it ? Sarcasm intended, Dude.

      1. monk said on January 7, 2017 at 8:55 am

        The irony is that the program was mentioned elsewhere but with no link. I used Google and one of the results was this page.

      2. Testuser said on October 23, 2016 at 6:13 pm

        Well, I would appreciate a direct link as well. You know, humans are lazy creatures. It’s just more convenient. That has nothing to do with difficulty, and feeding Google with more data just because there is no link? Using DuckDuckGo is an alternative, but in my experience there are often moments where it doesn’t show something that I wanted at all. But Google does.

      3. Shawn said on October 21, 2016 at 6:16 pm

        I have to agree with Gary D on this one and seriously if you lack the methods of searching for a tool BY GOD don’t use things like this might create a black hole (Sarcasm included) some tools are great but seriously if you don’t have the “Knack” gene as Dilbert would call it don’t mess with tools like this, hell reminds me of the days when a guide like 40hex or the anarchist cookbook was roaming the BBSs I for one was no fool in messing with these docs considering PCs were 3k in price in minimum..

        Also .inf extensions you might as well call it .bat, .com .exe, .msi or any of the auto run’s available.. unless you know WTF you are doing make backups, restore points then play as you want.
