Advice Request Can Antiviruses Access the Places I Specify?

Please provide comments and solutions that are helpful to the author of this topic.

ciao

Level 1
Thread author
Nov 22, 2022
46
I'll make it simpler:

If the system is in LEGACY, Eset does not scan the MBR.
The LEGACY system is no longer used on new PCs and new OSs

If the system is in UEFI / EFI, Eset detects the changes (included in the protection against advanced threats) and can also scan and clean! :) (.EFI file that is scanned if you do a scan) .
This is a solution that has been integrated into Eset 8 from memory to counter the arrival of Bootkit (like TDL4 / Alureon) and other Ransomware MBRLocker .

I hope I was simple in my explanations :p
However, you told me at the beginning that if there is a change in LEGACY systems, ESET will detect it but cannot access it.

As far as I know my computer can switch from UEFI to LEGACY
 

Shadowra

Level 33
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,247
I'm asking how can I detect and detect if the BIOS or boot of legacy systems is infected?

On an antivirus, it won't be possible.
Instead, use a rescue CD such as Medicat which has tools to rebuild the MBR, or repair it, but this is out of my competence.
 

ciao

Level 1
Thread author
Nov 22, 2022
46
On an antivirus, it won't be possible.
Instead, use a rescue CD such as Medicat which has tools to rebuild the MBR, or repair it, but this is out of my competence.
However, BIOS updates can be made on LEGACY systems, so doesn't that show that it's accessible?
 

Shadowra

Level 33
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,247
However, BIOS updates can be made on LEGACY systems, so doesn't that show that it's accessible?

No. But if you rebuild, you can fix. But that's not in my skill set.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Recently in the news

Out of interest here's what the FinSpy UEFI malware is capable of
A sample of a UEFI bootkit that loaded FinSpy provided the team with clues to its functionality. The Windows Boot Manager (bootmgfw.efi) was replaced with a malicious variant, and once loaded, two encrypted files were also triggered, a Winlogon Injector and the Trojan's main loader.

FinSpy's payload is encrypted, and once a user logs on, the loader is injected into winlogon.exe, leading to the decryption and extraction of the Trojan.

If a target machine is too old to support UEFI, this does not mean it is safe from infection. Instead, FinSpy will target the system via the MBR. It is possible for the malware to strike 32-bit machines.

The spyware is capable of capturing and exfiltrating a wide variety of data from an infected PC, including locally stored media, OS information, browser and virtual private network (VPN) credentials, Microsoft product keys, search history, Wi-Fi passwords, SSL keys, Skype recordings, and more.

On mobile, FinSpy will target contact lists, SMS messages, files in memory, email content, and GPS location coordinates. In addition, the malware can monitor Voice over IP (VoIP) communication and is able to rifle through content exchanged via apps including Facebook Messenger, Signal, Skype, WhatsApp, and WeChat.

The macOS version of FinSpy contains only one installer -- and the same applies to the Linux version. However, in the latter case, the infection vector used to deliver FinSpy is currently unknown, although it is suspected that physical access may be required.
Source: FinSpy surveillance malware is now spreading through UEFI bootkits

Paranoid? Ways to protect yourself
To protect yourself from such threats as FinFisher, Kaspersky recommends to:
  • Download your apps and programs from trusted websites.
  • Don’t forget to update your operating system and all software regularly. Many safety issues can be solved by installing updated versions of software.
  • Distrust e-mail attachments by default. Before clicking to open an attachment or follow a link, consider carefully: Is it from someone you know and trust; is it expected; is it clean? Hover over links and attachments to see what they’re named or where they really go.
  • Avoid installing software from unknown sources. It may and often does contain malicious files.
  • Use a strong security solution on all computers and mobile devices [..]

Some reasons to use UEFI over the legacy BIOS, especially for those on modern hardware that need it.
UEFI owns more advantages than BIOS, check these points one by one:
  • UEFI supports over 2.2 TB HDD or SSD. Traditional BIOS supports small partitions and drives.
  • UEFI has a detailed setting menu, more useful than traditional BIOS.
  • UEFI supports secure boot, preventing PC from being damaged by malware.
  • UEFI runs in 32-bit or 64-bit mode, and the addressable address space is increased based upon BIOS, the boot process is much faster.
  • UEFI has the big advantage of GUID Partition Table (GPT) it uses to launch EFI executables, it has no trouble in detecting and reading hard drives of large sizes.
Source: UEFI vs. BIOS: What's the Difference and Which is Better
 

ciao

Level 1
Thread author
Nov 22, 2022
46
Recently in the news

Out of interest here's what the FinSpy UEFI malware is capable of

Source: FinSpy surveillance malware is now spreading through UEFI bootkits

Paranoid? Ways to protect yourself


Some reasons to use UEFI over the legacy BIOS, especially for those on modern hardware that need it.

Source: UEFI vs. BIOS: What's the Difference and Which is Better
I was already infected with the virus without my own knowledge, I didn't have an antivirus installed, and I wasn't even there when the virus was infected. Currently I have not migrated to LEGACY myself. I know that when a BIOS virus or that computer is beyond my knowledge, with an intervention on the motherboard, or a BIOS or boot virus infected there can switch the system to LEGACY from my UEFI. Therefore, how can I be absolutely sure whether I have this virus or not? @Ink
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top