Protect MBR from ransomware

X200, X201, X220 (including equivalent tablet models) and X300, X301 series specific matters only.
Lion
Posts: 2
Joined: Fri Oct 21, 2016 8:31 am
Location: Toronto, Canada

Protect MBR from ransomware

#1 Post by Lion » Fri Oct 21, 2016 8:57 am

I am interested in this tool (MBRFilter) from Cisco. It is a free tool to protect the MBR from ransomware and it comes from a lab with an excellent reputation. Considering Lenovo customizes the MBR, I am concerned about using this tool. An MBR is usually 512 but the Lenovo MBR is 2048 bytes. I ran the mbrwizard and it confirms that my MBR is 2048. I have an x200, 7454CTO. W7/32.

http://blog.talosintel.com/2016/10/mbrfilter.html

Can I install this without corrupting the MBR on my system? I am not technically strong enough to test it and then recover the MBR if it causes any problems.

rjwilmsi
Freshman Member
Posts: 97
Joined: Tue May 07, 2013 1:10 pm
Location: London, UK

Re: Protect MBR from ransomware

#2 Post by rjwilmsi » Sun Oct 23, 2016 6:03 am

Well, if you want to take the risk-averse approach I would use the Windows Backup feature within Windows Control Panel to create a full system backup (referred to as a "system image" in Windows 7 I believe) on a USB hard drive. If you want to test the recovery using that, I'd boot off a Windows 7 installation DVD and use the repair options to restore the image to another hard disk. Then I'd boot off that hard disk. If it all works then you have a full clone of your system on a second disk, you can then proceed to change your original installation safe in the knowledge that you have a full tested backup should it all go wrong. Downside of this is you need two extra disks, one to hold the backup and one to restore to, which need to be at least the size of your existing disk (strictly the size of your C:\ partition, as if you have free space you can first reduce the partition size to fit on a smaller disk).

Ultimately though I think the fundamental issue is that the vast majority of the malware out there targeted at PCs targets Windows, so if you're running Windows you can't completely mitigate that. So while this new tool might help one particular scenario, there could be dozens of other similar scenarios/risks not addressed. It's also worth considering that there could be security bugs in this new tool, so it could in fact create more risk than it removes (I've no idea on this specific one but the more you have installed the more things there are that could be insecure).

Lion
Posts: 2
Joined: Fri Oct 21, 2016 8:31 am
Location: Toronto, Canada

Re: Protect MBR from ransomware

#3 Post by Lion » Sun Oct 23, 2016 8:08 am

Thank you for your response.

I think protecting the MBR from low-life criminals is worthwhile. The tool only prevents them from changing your MBR. When they go after Windows, they encrypt your data so having full system backups and/or protection software can thwart them.

Today I found out that the tool protects the MBR from modifications but does not alter it. This is what I did not know and was concerned about. The customization remains.

I am going to install it.
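
Added example (not part of the thread, and not Cisco's or Lenovo's code): a read-only check that snapshots the first 2048 bytes of a disk, the size reported in post #1, so the boot area can be compared before and after installing a tool such as MBRFilter. The function names and the sample image are constructed for illustration; on Windows the raw disk is normally opened as `\\.\PhysicalDrive0` from an elevated prompt.

```python
import hashlib
import struct

SECTOR = 512
BOOT_AREA = 2048  # assumption: 4 sectors, the size reported in post #1

def read_boot_area(path, length=BOOT_AREA):
    """Read the first `length` bytes of a disk or image file (read-only)."""
    with open(path, "rb") as disk:
        data = disk.read(length)
    if len(data) < SECTOR:
        raise ValueError("short read: need at least one full sector")
    return data

def parse_partitions(sector0):
    """Return the non-empty entries of a classic MBR partition table."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i: 462 + 16 * i]
        start_lba, count = struct.unpack_from("<II", raw, 8)
        if raw[4]:  # partition type 0 means the slot is unused
            entries.append({"index": i, "active": raw[0] == 0x80,
                            "type": raw[4], "start_lba": start_lba, "sectors": count})
    return entries

def snapshot(data):
    """Hash sector 0 and the whole boot area separately, plus the table."""
    return {"sector0": hashlib.sha256(data[:SECTOR]).hexdigest(),
            "boot_area": hashlib.sha256(data).hexdigest(),
            "partitions": parse_partitions(data[:SECTOR])}

def changed_regions(before, after):
    """List which parts of two snapshots differ (empty list: unchanged)."""
    return [k for k in ("sector0", "boot_area", "partitions") if before[k] != after[k]]

def make_sample_image():
    """Constructed 2048-byte boot area with one active type-0x07 partition."""
    img = bytearray(BOOT_AREA)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07,
                               b"\x00" * 3, 2048, 409600)
    img[510:512] = b"\x55\xaa"
    return bytes(img)
```

Keep the raw bytes returned by `read_boot_area` together with the snapshot on external media; an empty `changed_regions` result after the install confirms the customized boot code was left as it was.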

dr_st
Senior ThinkPadder
Posts: 6648
Joined: Sat Oct 29, 2005 6:20 am

Re: Protect MBR from ransomware

#4 Post by dr_st » Sun Oct 23, 2016 8:46 am

I guess that any extra defense is good defense, if it does not cause any inconvenience.

But whatever they can achieve with overwriting your MBR, they can do with directly encrypting your files, so you would have to keep a good backup policy either way.
Current: X220 4291-4BG, T410 2537-R46, T60 1952-F76, T60 2007-QPG, T42 2373-F7G
Collectibles: T430s (IPS FHD + Classic Keyboard), X32 (IPS Screen)
Retired: X61 7673-V2V, A31p w/ Ultrabay Numpad
Past: Z61t 9440-A23, T60 2623-D3U, X32 2884-M5U

Puppy
Senior ThinkPadder
Posts: 2256
Joined: Sat Oct 30, 2004 4:52 am
Location: Prague, Czech Republic

Re: Protect MBR from ransomware

#5 Post by Puppy » Sun Oct 23, 2016 9:30 am

Weekly regular disk image backups are mandatory.

The best protection is not to use an administrator account (better to use a limited account than admin + UAC prompt) for routine work, set up proper SRP and apply security patches as soon as possible. It is free and provides real security.

The tool is just another device driver; no protection is possible if you allow malicious executable code to run with administrator or system privileges. Which reminds me of this Lenovo story
ThinkPad (1992 - 2012): R51, X31, X220, Tablet 8

TonyJZX
Junior Member
Posts: 427
Joined: Sun Feb 19, 2006 12:33 am

Re: Protect MBR from ransomware

#6 Post by TonyJZX » Mon Oct 24, 2016 6:16 pm

of all the things to be wary of, this is the least of concern

you're better off being proactive and not even using anything except whatever is bundled for free in Windows

don't visit questionable websites from questionable countries

What I would do if I was being vigilant was to do all online shopping, email and online banking on a VM.

Separate that out.

SurrealMustard
Freshman Member
Posts: 103
Joined: Fri May 01, 2015 8:50 pm
Location: The United States of America

Easy Preventative Maintenance!

#7 Post by SurrealMustard » Wed Nov 09, 2016 11:05 pm

Common sense goes a long way in protecting all aspects of the system from ransomware and other types of malware. It's free and also my strategy of choice. Ad-blocking add-ons help too if you're an impulsive clicker (and speed things up even if you're not).

farmall
Sophomore Member
Posts: 138
Joined: Thu Jul 21, 2011 2:53 pm
Location: Columbia, SC

Re: Protect MBR from ransomware

#8 Post by farmall » Fri Nov 11, 2016 1:47 pm

For maximum protection, run Windows in a virtual machine on a Linux host. You can take a clean Snapshot in VirtualBox (a good basic virtualization solution) and a fresh install is a VM reboot away.

The best way to protect Windows is by running it as a guest OS, and if you are that interested in security learning a better host OS is not only easy, it's fun and doesn't cost a dime.

There is zero reason to surf the internet using Windows, so I use my Xubuntu hosts for communication and my Windows installs for running necessary Windows applications only. Windows will always be a popular target so the best strategy is not trying to play catch up when the initiative is permanently lost.

Qubes is a very interesting security solution which uses Xen. I'll give it a try when I've a spare hard disk to play with, but my current VMs on Xubuntu are totally painless to use, unlike inconvenient dual booting.

https://www.qubes-os.org/intro/

duralon
Posts: 1
Joined: Sun Nov 13, 2016 1:11 pm
Location: Frankfurt, Germany

Re: Protect MBR from ransomware

#9 Post by duralon » Sun Nov 13, 2016 1:14 pm

farmall wrote:
For maximum protection, run Windows in a virtual machine on a Linux host. You can take a clean Snapshot in VirtualBox (a good basic virtualization solution) and a fresh install is a VM reboot away.

The best way to protect Windows is by running it as a guest OS, and if you are that interested in security learning a better host OS is not only easy, it's fun and doesn't cost a dime.

There is zero reason to surf the internet using Windows, so I use my Xubuntu hosts for communication and my Windows installs for running necessary Windows applications only. Windows will always be a popular target so the best strategy is not trying to play catch up when the initiative is permanently lost.

Qubes is a very interesting security solution which uses Xen. I'll give it a try when I've a spare hard disk to play with, but my current VMs on Xubuntu are totally painless to use, unlike inconvenient dual booting.

https://www.qubes-os.org/intro/

Thanks for your reply! Very helpful
