Stop ransomware infecting your MBR with MBRFilter

Cisco's Talos Group has released MBRFilter, an open-source Windows disk filter driver which prevents malware from overwriting a drive's Master Boot Record (MBR).

This can stop ransomware that works by replacing the MBR with its own boot code -- Petya, Satana -- from installing and taking full control of your PC. Installation is straightforward. Well, mostly. Download the 32 or 64-bit version as appropriate for your PC, unzip the file, right-click MBRFilter.inf and select Install. Reboot when you're asked.

This worked well in our first tests, preventing all automatic and manual write attempts. There’s no doubt it adds a useful layer of protection to your PC, but there are also some issues.

One potentially big catch, if you're not paying attention, is that installing the wrong version (the 32-bit build on 64-bit Windows, say) may prevent your system from booting. At all. Because MBRFilter sits at the driver level, none of the usual Safe Mode, /fixmbr or other repair tricks will work.
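The wrong-bitness catch is easy to avoid if the install is scripted rather than clicked. The PowerShell below is an added example, not code from Talos or from the article: it picks the package by the operating system's bitness (not the bitness of the PowerShell process running it), installs the INF the same way Explorer's right-click Install does, and confirms the filter is registered on the disk drive class before you reboot. The folder layout (x86 and x64 subfolders under a package root) is an assumption for the example, not something the downloads prescribe.

```powershell
# Added example, not code from Talos or the article. Picks the MBRFilter package that
# matches the OS bitness, installs the INF the way Explorer's Install verb does, and
# checks that the filter is registered before you reboot.
# Assumed layout (not from the page): the two downloads are unzipped to
#   <PackageRoot>\x86\MBRFilter.inf  and  <PackageRoot>\x64\MBRFilter.inf
#Requires -RunAsAdministrator
param(
    [string]$PackageRoot = (Get-Location).Path
)

# Disk drive device class; MBRFilter registers itself as an upper filter here.
$diskClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'

function Get-DiskUpperFilters {
    # UpperFilters is REG_MULTI_SZ; coerce to an array so a single entry still indexes cleanly.
    $v = (Get-ItemProperty -Path $diskClassKey -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters
    return @($v)
}

# Decide by the OS, not by this process: a 32-bit powershell.exe on 64-bit Windows would
# otherwise pick the wrong package, and that is the unbootable-PC scenario above.
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$inf  = Join-Path $PackageRoot "$arch\MBRFilter.inf"
if (-not (Test-Path $inf)) {
    throw "This is $arch Windows but $inf was not found; refusing to install any other build."
}

if ((Get-DiskUpperFilters) -contains 'MBRFilter') {
    Write-Host 'MBRFilter is already in UpperFilters; nothing to do.'
    return
}

# Same command Explorer runs for an INF's Install verb: the DefaultInstall section with
# flag 132 (128 = use the INF's own directory as the source path, plus Explorer's usual
# reboot-prompt bits). rundll32 is a GUI-subsystem program, so wait for it explicitly.
Start-Process -FilePath 'rundll32.exe' `
    -ArgumentList "setupapi.dll,InstallHinfSection DefaultInstall 132 `"$inf`"" `
    -Wait -NoNewWindow

# Do not reboot blind: confirm the registry entry exists and show what else is in the list.
$after = Get-DiskUpperFilters
Write-Host "UpperFilters is now: $($after -join ' ')"
if ($after -notcontains 'MBRFilter') {
    throw 'MBRFilter is not in UpperFilters after the install; do not reboot until you know why.'
}
Write-Host 'Filter registered. Reboot to activate it.'
```

Run it from an elevated PowerShell in the folder holding the unzipped packages. The final check matters: if the INF install failed silently, rebooting gains nothing, and if it succeeded the printed list is your record of what UpperFilters looked like before MBRFilter was added.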

A smaller hassle is that you might legitimately need to write a new MBR, for example to initialize a new drive or install an operating system. MBRFilter prompts you to retry the operation in Safe Mode, and Talos offers more guidance in the Readme:

This can cause an issue when initializing a new disk in the Disk Management application. Hit 'Cancel' when it asks you to write to the MBR/GPT and it should work as expected. Alternatively, if OK was clicked, then quitting and restarting the application will allow partitioning/formatting.

Another issue is that MBRFilter has no interface, no temporary "disable" option and no bundled uninstaller. The only way to remove the filter is to open HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318} (the disk drive device class) and remove it from the UpperFilters value.

Even this needs care. UpperFilters is a multi-string value that will probably read "partmgr MBRFilter", but whatever it contains, remove only the "MBRFilter" entry. Delete anything else, or the value itself, and again you may find your PC won't start.
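Editing a REG_MULTI_SZ by hand is exactly where "remove only the MBRFilter part" goes wrong. The script below is an added example, not from Talos or the article: it exports the class key as a backup, drops only the MBRFilter entry, refuses to write an empty list, and reads the value back to confirm. The name of the leftover service entry is assumed to be MBRFilter; the script does not touch it.

```powershell
# Added example, not code from Talos or the article. Removes only the "MBRFilter" entry
# from the disk class UpperFilters value and leaves everything else (normally partmgr)
# exactly as it was, after exporting the key so the change can be undone with reg import.
#Requires -RunAsAdministrator
$diskClassKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'
$diskClassKeyReg = 'HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'

# UpperFilters is REG_MULTI_SZ; coerce to an array so a single entry still behaves.
$before = @((Get-ItemProperty -Path $diskClassKey -Name UpperFilters -ErrorAction Stop).UpperFilters)
Write-Host "UpperFilters before: $($before -join ' ')"

if ($before -notcontains 'MBRFilter') {
    Write-Host 'MBRFilter is not in UpperFilters; nothing to remove.'
    return
}

# Backup first. A bad write here is the "PC won't start" case, so keep an undo path.
$backup = Join-Path $env:TEMP ('DiskClass-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $diskClassKeyReg $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export failed; not touching UpperFilters.' }
Write-Host "Backup written to $backup (restore with: reg import `"$backup`")"

# Drop exactly the MBRFilter entries (PowerShell's -ne is case-insensitive, like the
# registry) and keep every other entry in its original order.
$after = @($before | Where-Object { $_ -ne 'MBRFilter' })

# Never write an empty list: if MBRFilter was the only entry something is already odd,
# and deleting the value outright is what the article warns against.
if ($after.Count -eq 0) {
    throw "UpperFilters would be empty after removing MBRFilter (was: $($before -join ' ')); review by hand."
}

# Write it back as REG_MULTI_SZ, not as a single REG_SZ string.
Set-ItemProperty -Path $diskClassKey -Name UpperFilters -Value ([string[]]$after) -Type MultiString

# Read back and verify rather than trusting the write.
$check = @((Get-ItemProperty -Path $diskClassKey -Name UpperFilters -ErrorAction Stop).UpperFilters)
Write-Host "UpperFilters after:  $($check -join ' ')"
if (($check -contains 'MBRFilter') -or (($check -join "`n") -ne ($after -join "`n"))) {
    throw "Read-back does not match; restore from $backup before rebooting."
}

# The driver stays loaded until the next reboot. Its service entry under
# HKLM\SYSTEM\CurrentControlSet\Services (assumed here to be named MBRFilter) is
# inert once it is no longer an upper filter, so this script deliberately leaves it alone.
Write-Host 'MBRFilter removed from UpperFilters. Reboot to unload the driver.'
```

The comparison on the read-back is deliberate: the provider returns a plain string when the value has one entry and an array when it has several, so joining both sides before comparing avoids a false mismatch on a single-entry value.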

Despite that, MBRFilter adds valuable extra protection that will shield you from a whole class of MBR-overwriting malware. But the issues involved mean it's best installed by experienced users who understand the potential problems and how to deal with them.

MBRFilter is an open-source disk filter for Windows Vista and later.


© 1998-2024 BetaNews, Inc. All Rights Reserved.