This is a discussion on MBR Protectors & RB Rx within the RollBack Rx forums, part of the Disaster Recovery Programs category.

Hi All

Just a little question for the wise brethren out there. With the rise of MBR infecting malware, a la TDSS, etc., which install themselves silently at boot time and before many of the more 'regular' AV solutions are able to intercept them, it would seem sensible to look at protecting the MBR for the period from start up to the point when the resident AV/AM software kicks in.

There are some apps out there, i.e., nProtect, which is new onto the market, and I was wondering how these would 'play' or not with RB Rx. My understanding is that this type of app will prevent anything writing to the MBR and I assume that once RB Rx has adjusted the MBR to suit its purposes at install, there would be no further need for RB Rx to write to the MBR in its normal operation...so therefore, if I am correct, this sort of app should co-exist nicely with RB Rx and protect it so that it can function correctly, i.e., provide the pre-boot options to select & load a snapshot, etc.?

So, any thoughts welcome on this topic.

Regards
Balders

Hi Baldrick,

Not sure about the 'wise' bit, but I remember testing out a free app called MBRGuard which did seem to do the job and didn't cause any problems with RB as I remember. I've just looked it up again and it seems that it is no longer available as a separate item and is now part of AppGuard, which is a commercial app.

One thing I would strongly recommend is getting a copy of the latest MBRWizard. For $6.99 USD you can back up your MBR/Track 0 in case of issues. But, on top of that, you get a WinPE boot disc creator which simply allows you to add any apps you like which can run from a custom directory on the CD. I have one set up which has the following all available from the CD:

Drive Snapshot
Image For Windows
Q-Dir
SIW
TreeSize Pro

I've got no connection with the developer but the support was also excellent when I asked a question recently.

Graham

Hi Graham

Hope that you are well? Thanks for the reply. I too recall flirting with MBRGuard way back before it was integrated into AppGuard...and then I flirted with AppGuard...but never went further than that.

Thanks for the tip re. MBRWizard. Will take a look and if it is as good as you say then I may well offer myself a New Year present.

In terms of MBR protection I am following up on nProtect...which is Korean, as yet not translated into English, but may hold some promise as an MBRGuard replacement...but it is very early days (based on what has so far come up in the discussions over at Wilders). If anything interesting develops I will post back on this.

BTW...was my view of RB Rx & MBR correct, i.e., "... once RB Rx has adjusted the MBR to suit its purposes at install, there would be no further need for RB Rx to write to the MBR in its normal operation"? I think that this is the key to whether any MBR protection software will play nicely with RB Rx.

Regards
Baldrick

RB simply doesn't detect malware so imho an RB system without anti-malware software is totally vulnerable. Even if you suspect that you have been infected, rolling back to a prior snapshot won't always 'save the day'.

As Graham pointed out, the old MBRGuard (aka btguard.sys) did work very well on WinXP (32-bit) and did not conflict with RB, but even if you can still find a download host I'm not too sure about its compatibility with other versions of Windows.

While not a means of prevention, insofar as detecting and removing bootkits and rootkits, I highly recommend TDSSkiller (freeware from Kaspersky which is updated on a regular basis). And for real-time rootkit detection, you may want to consider WinPatrol (for about $20US).

pv
__________________
Rollback Rx + Drive Snapshot => Failsafe!

Last edited by pvsurfer; 12-29-2011 at 09:37 AM.

Hi Baldrick,

Yes, keeping well thanks. Funnily enough, MBRGuard worked so well that I'd forgotten it was installed until I had a problem uninstalling RB as it reported 'Failed to update MBR'. I then had to get the RollBack Remover program from support to clean things up after uninstalling MBRGuard. But this was all of my own doing and I didn't experience any problems while it was installed.

I found some references to a V3 MBRGuard which is currently in Korean and due to be translated. It is promoted by nprotect.com but I'm not sure if this is a development of the previous version or if it is completely different software doing the same job.

Thanks for the info on WinPatrol, pv. That looks interesting as well. I have used TDSSkiller on a couple of friends' PCs and it worked very well.

Graham

Hi pvsurfer

Thanks for the reply. Just to clarify...I have antimalware apps running aplenty, supplemented by on-demand apps including TDSSkiller, and they do a good job...but it is the latest MBR-specific rootkits and the fact that they hit you before the AM apps kick in, that has prompted the question about MBR Protection/RB Rx compatibility. Hence why I am looking with interest at nProtect as it seems, at least at this stage, like an MBRGuard replacement (but only time will tell). Would probably buy AppGuard if I want all elements of its protection but most of what it does I have covered with something else.

But thanks again for contributing.

Regards
Balders

Hi Graham

Glad to hear it...that you are well, that is. So you have a copy of MBRGuard...I assume? But I suspect that pvsurfer is correct and that it most probably does not work with Win7, and especially 64-bit versions.

The Korean software is the same one that I am looking at (and I am hoping that they will translate shortly). I am keeping tabs on its progress through a thread over at Wilders...so this could be interesting. If I come across anything significant on that front I will post back here.

Regards
Balders

Quote:
pv

Hi PV

How very true what you say is. I also periodically scan with AVZ & CCE but it would be good to close the door before the nasty has got in rather than fixing the damage afterwards.

Hi Graham

Have taken a look at MBRWizard Suite...and bought a copy...6.99$ seems to be a steal for what it can do. Great little resource and should prove very useful in case the latter (above) occurs because I cannot do the former (again above). Thanks for the tip. Much appreciated.

Regards to you both.
Balders

I've just tried out V3 of MBRGuard on a Windows 7 64-bit system. My Korean isn't up to much but I reckon the menu consists of something close to:

Go to Homepage
Protect MBR
Start with Windows
About
Quit

There, consider it translated. Just kidding, but there's obviously not a lot to translate.

[Attachment: MBRGuard.jpg]

I haven't tested it out but at least it seems to run OK.

Graham

ps ****Don't try this at home without backing up first!****