MBRFilter protects the Master Boot Record against manipulation - gHacks Tech News

MBRFilter protects the Master Boot Record against manipulation

MBRFilter is a new open source software for Windows devices designed to protect the Master Boot Record against manipulation.

The Master Boot Record holds information about how partitions and file systems are organized on a storage device.

It triggers the loader of installed operating systems as well, which makes it an important part of any computer system.

If the Master Boot Record is altered, either accidentally or through malicious software, it may result in boot errors or other issues.

There is malware out there in the wild that overwrites the Master Boot Record with its own boot loader. Petya, a ransomware, does so for instance.
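To make the structure described above concrete, the following Python example is an addition to this article, not code from MBRFilter or its authors. It decodes the classic 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, and the 0x55AA signature) and reports which regions differ from a known-good copy, which is how a replaced boot loader shows up. The function names and the sample sectors are constructed for this example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot loader code
ENTRY_LEN = 16               # four partition entries follow the boot code
SIGNATURE = b"\x55\xaa"      # bytes 510..511
ENTRY_FMT = "<B3xB3xII"      # status, CHS (skipped), type, CHS (skipped), LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Decode a classic MBR sector into its boot-code hash and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"slot": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Return the names of the MBR regions that differ from a known-good copy."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    changed = []
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        changed.append("boot_code")
    if old["partitions"] != new["partitions"]:
        changed.append("partition_table")
    if not new["signature_ok"]:
        changed.append("signature")
    return changed

def build_sample_mbr(boot_fill: int) -> bytes:
    """Constructed test sector: filler boot code plus one active type-0x07 (NTFS) entry."""
    entry = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800)
    return bytes([boot_fill]) * BOOT_CODE_LEN + entry + bytes(48) + SIGNATURE

if __name__ == "__main__":
    good = build_sample_mbr(0x90)
    tampered = build_sample_mbr(0xCC)   # same partition table, different boot code
    print(parse_mbr(good)["partitions"])
    print(compare_to_baseline(good, tampered))
```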

MBRFilter


The main purpose of MBRFilter is to protect the Master Boot Record against any form of manipulation.

Note: It is highly recommended to test the filter on a test system before it is installed on a production machine. Create a system backup before you do so in either case to be on the safe side.

Installation is a bit finicky. The filter is supplied as source, but also as a 32-bit and 64-bit driver for Windows. Make sure you download the correct version for Windows and unpack the downloaded archive afterwards.

The archive contains an .inf file and a .sys file. Right-click on MBRFilter.inf and select install from the context menu that opens. You are prompted to reboot the system afterwards to complete the installation.

If things worked well, Windows should boot again and you can start using the system like before. The only thing that you need to be aware of is that the driver will prevent writes to sector 0 on all drives, including those that you may authorize. You may run into issues for instance when initializing new drives on the machine.

This can cause an issue when initializing a new disk in the Disk Management application. Hit 'Cancel' when it asks you to write to the MBR/GPT and it should work as expected.

Alternatively, if OK was clicked, then quitting and restarting the application will allow partitioning/formatting.

Removal is quite complicated as well. The GitHub project page lists all the steps required to remove the MBRFilter again from a machine. Basically, the following steps need to be completed:

  1. Open a Registry Editor and remove the MBRFilter line from the UpperFilters value under the Registry key HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
  2. Reboot
  3. Use AccessMBR, a program supplied on the GitHub site as well, to verify that the MBR lock is disabled.

The only option you have to manipulate the boot sector while the driver is active is to boot into Safe Mode.

Closing Words

If you are worried particularly about malware that overwrites the Master Boot Record, or accidentally damaging it, then you may find MBRFilter useful as it prevents that from happening.

It may make more sense for most users to install anti-ransomware software or antivirus software instead, which should prevent ransomware or malware from running on the PC in the first place (and thus modifying the MBR).


Comments

  1. Kenneth Knudsen said on October 21, 2016 at 5:36 pm

    Dude where is the download link? If it’s supposed to be the landing page link, well then you messed it up cause it points to this very page.

    1. Gary D said on October 21, 2016 at 6:00 pm

      @ Kenneth Knudsen

      “Dude where is the download link?”

      Why don’t you show a bit of initiative / self reliance? Try typing MBRfilter into your Browser’s search box.
      That’s not difficult now, is it? Sarcasm intended, Dude.

      1. Shawn said on October 21, 2016 at 6:16 pm

        I have to agree with Gary D on this one, and seriously, if you lack the methods of searching for a tool, BY GOD don’t use things like this, might create a black hole (Sarcasm included). Some tools are great, but seriously, if you don’t have the “Knack” gene, as Dilbert would call it, don’t mess with tools like this. Hell, reminds me of the days when a guide like 40hex or the anarchist cookbook was roaming the BBSs. I for one was no fool in messing with these docs, considering PCs were 3k in price at minimum..

        Also .inf extensions, you might as well call it .bat, .com, .exe, .msi or any of the auto runs available.. unless you know WTF you are doing, make backups, restore points, then play as you want.

      2. Testuser said on October 23, 2016 at 6:13 pm

        Well, I would appreciate a direct link as well. You know, humans are lazy creatures. It’s just more convenient. That has nothing to do with difficulty, and feeding Google with more data just because there is no link? Using DuckDuckGo is an alternative, but in my experience there are often moments where it doesn’t show what I wanted at all. But Google does.

      3. monk said on January 7, 2017 at 8:55 am

        The irony is that the program was mentioned elsewhere but with no link. I used Google and one of the results was this page.

    2. Martin Brinkmann said on October 21, 2016 at 7:39 pm

      Sorry for that, fixed it.

  2. chad said on October 21, 2016 at 7:19 pm

    Downloaded and installed on Windows 10, 64bit system, installed with no issues. Here is the download link: http://www.softwarecrew.com/2016/10/stop-ransomware-infecting-your-mbr-with-mbrfilter/

  3. pHROZEN gHOST said on October 21, 2016 at 9:17 pm

    When you get so paranoid that you install every possible form of protection on your PC, all of that protection is going to cause you as much grief as the “nasties” you are trying to protect against. Just look at Avast’s recent attack on attempts by Mozilla to quickly deal with Firefox issues. Software companies like Mozilla are going to have to start testing their software with all of the protection software out there to ensure it isn’t mistreated. Oh no. That would be prohibitively costly. They will just leave it up to the user to deal with the mess.

    Be careful out there.

  4. John M said on October 22, 2016 at 1:52 am

    Last time I read, anti-ransomware software still could not detect MBR-attacking malware.

    1. John W said on October 22, 2016 at 6:31 pm

      No antivirus company would like to put themselves out of business. What happened to the antivirus hardware (chips) talked about 25 years ago?

  5. Tom said on October 22, 2016 at 8:14 am

    exactly my thoughts…

  6. MA said on October 22, 2016 at 5:41 pm

    I would like to install this, but I am curious if there are any compatibility concerns while using Bitlocker?

    1. Martin Brinkmann said on October 22, 2016 at 7:53 pm

      I have not tried it. I would assume that there won’t be any, as it protects the MBR from modifications but does not alter it.

  7. ANARCHY said on October 23, 2016 at 7:30 pm

    @SHAWN Anarchist cookbooks were text files, so no worries.

  8. Wolfy169Peter said on October 24, 2016 at 4:02 am

    Ah!, the old Anarchist Cookbook, brings back many memories
