"MBR" ransomware is indiscriminate. It does not differentiate between MBR or GPT. Therefore, it can damage the GPT and cause problems.
Fabian wrote about this somewhere.
Anyone using MBRFilter?
- Thread starter AtlBo
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- Status
"MBR" ransomware is indiscriminate. It does not differentiate between MBR or GPT. Therefore, it can damage the GPT and cause problems.
Fabian wrote about this somewhere.
- May 9, 2017
- 145
I experienced the same thing during testing Ransom0ff on Windows 10 that I installed on purpose to Legacy. Always quick on the draw to delete after removing the KEY (Ransom0ff also employs an MBR upper filter) with an alternate route to get to the system I was greeted the same way.
Had to resort to an image restore. HeiDef later explained my rookie mistake in doing that. Had a crash on one of the early betas and thought it would be a breeze but turned out BLUE of course.
Those guys who drew up and released MbrFilter, if they are such a whiz doesn't it make you wonder why they didn't do a better job to help these poor folks like Windows_Security is just done in this thread for some?
Had to resort to an image restore. HeiDef later explained my rookie mistake in doing that. Had a crash on one of the early betas and thought it would be a breeze but turned out BLUE of course.
Those guys who drew up and released MbrFilter, if they are such a whiz doesn't it make you wonder why they didn't do a better job to help these poor folks like Windows_Security is just done in this thread for some?
- Mar 13, 2016
- 1,298
OK, duoble click the UpperFilters registry key, it will show a pop-up with multiple values in it
Remove the value MBRFilter, in the UpperFilters key (so not the actual key itself, when you remove the UpperFilters key, you will remove other values as well, which causes the BSOD).
it should be in the list of the displayed values. Don't touch other values. Post a picture again when you are unsure.
Remove the value MBRFilter, in the UpperFilters key (so not the actual key itself, when you remove the UpperFilters key, you will remove other values as well, which causes the BSOD).
it should be in the list of the displayed values. Don't touch other values. Post a picture again when you are unsure.
- Aug 22, 2013
- 815
Thanks a lot...did removed the key from "UpperFilters" successfully this time.No BSOD.... With Mbr filter running RUFUS was a task in itself...thanks again for saving my life.
This is the original key value on default Windows 10 1703 before Cisco\Talos MBRFilter is installed (to return the sub-key back to its original value simply delete "MBRFilter diskpt" and leave just "partmgr" remaining):
- Dec 29, 2014
- 1,711
Thanks for all the input. Maybe I'll try this soon. Only one question. If I partition with MBR Filter in place, am I asking for trouble?
- May 31, 2017
- 42
Is there an option to disable the MBR protection? If so, then do that before partitioning and then re-enable it. That way you never have to estimate and find out a surprise result.
- Dec 29, 2014
- 1,711
@Visa thanks. I'll create a clean image backup before I install MBR Filter and then try it and see what options are available. Great to have this thread for a reference to remove it so thanks for all the posts and input to everyone
- May 9, 2017
- 145
Thank goodness it's back to running right again.
How about that Windows_Security? What I can't figure is why developers like for mbrFilter just be outright clear about the uninstall in the first place for users so they don't get trapped into this ordeal.
- Aug 22, 2013
- 815
Yes, The developers should have provided at-least correct information about the uninstall procedure. If some one does go by their instruction, the result will not be pleasing to eye..
Dev should at the very least say in plain english "delete this text" then give the exact text to delete IMO
with the current instructions, it makes it a guessing game once you have installed it already and look for uninstall instructions after that
better instructions would be to show screenshot of what it looked like BEFORE installation, and then AFTER installation too
then it is perfectly clear which text to delete and what it should look like (should look like it did before installation)
thanks to the members in this thread who made it clear for all
and that the screenshot was uploaded to MalwareTips forums itself, which means it won't disappear after some time
with the current instructions, it makes it a guessing game once you have installed it already and look for uninstall instructions after that
better instructions would be to show screenshot of what it looked like BEFORE installation, and then AFTER installation too
then it is perfectly clear which text to delete and what it should look like (should look like it did before installation)
thanks to the members in this thread who made it clear for all
and that the screenshot was uploaded to MalwareTips forums itself, which means it won't disappear after some time
- May 9, 2017
- 145
- Jun 22, 2014
- 717
Good day. I am from Ukraine, and since last week we have had problems with the grievous virus Petya. So, for the future, to protect against such threats since yesterday, I started using the MBRFilter. Today, 2 hosts were found, Windows 7 x64, which had problems with flash drives, namely, they were in the system without working drivers. After shutting down the MBRFilter all worked. In the system logs there are such entries as "Failed to load the driver \ Driver \ MBRFilter for USBSTOR \ Disk & Ven_Kingston & Prod_DT_101_G2 & Rev_1.00 \ 001CC0EC348AFD109B263D63 & 0.". After disabling the MBRFlitter, the entry changed to "Failed to load the driver \ Driver \ WUDFRd for the WpdBusEnumRoot \ UMB \ 2 & 37c186b & 0 & STORAGE # VOLUME #_ ?? _ USBSTOR # DISK & VEN_KINGSTON & PROD_DT_101_G2 & REV_1.00 # 001CC0EC348AFD109B263D63 & 0 #." Can you advise in which direction to look for a solution?
- Status
Similar threads
