How to: Uninstall MBRFilter?

2017-08-30T03:03:27
ID PENTESTIT:25698541F2CC411CA14578CFFFAA9075
Type pentestit
Reporter Black
Modified 2017-08-30T03:03:27

Description


You may remember my older post about the open source tool to protect against MBR infections, MBRFilter. All of a sudden one of my test machines started dying with the famous BSOD. I was able to recover from the error once I figured out that it was caused by MBRFilter.sys. However, I saw that there are no clear instructions on uninstalling the driver. This post tells you how to uninstall MBRFilter completely from your system.

[Screenshot: MBRFilter]

But before we do that, a bit of a recap.

What is MBRFilter?

> MBRFilter is a simple disk filter designed by Cisco Talos to block write access to the Master Boot Record (MBR). The MBR is used to store information related to how the storage device is partitioned, as well as details regarding the file system configuration on the device. MBRFilter prevents rootkits, bootkits, and ransomware, such as Petya Ransomware, from overriding the operating system’s (OS) boot loader. MBRFilter, once installed, requires the system to boot in Safe Mode to enable write access to make changes to the device. This prevents malicious software from writing to or modifying the contents of this section of the machine or any disks connected to the system.

As a matter of fact, this is written on the Cisco Talos page - "MBRFilter has been intentionally made difficult to remove to prevent malware from simply disabling or removing this protection during the infection process. Test thoroughly before deploying within production environments." - and I completely get it. However, this is the way to uninstall MBRFilter:

As I mentioned in my previous post, MBRFilter is written to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\UpperFilters

On a clean system that does not have MBRFilter installed, this is how the registry entry looks:

[Screenshot: MBRFilter-Not-Installed]

The installation code in MBRFilter.inf takes care of this as follows (the 0x00010008 flags mean the MBRFilter entry is appended to the existing REG_MULTI_SZ value rather than replacing it):

[MBRFilter.AddReg]
HKLM, System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}, UpperFilters, 0x00010008, MBRFilter

This is how the entries look after you install using MBRFilter.inf:

[Screenshot: MBRFilter-Installed]

All you need to do before you reboot your system is to delete the MBRFilter entry from the UpperFilters multi-string value (leaving any other filter drivers listed there in place) so that it looks like this again:

[Screenshot: Uninstall MBRFilter]

You can now safely reboot the system and delete the actual driver from: [drive]:\Windows\system32\drivers\mbrfilter.sys
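The three manual steps above (edit UpperFilters, reboot, delete the driver file) as a PowerShell script. This is an added example, not code from the PenTestIT post or from Cisco Talos; it assumes an elevated PowerShell prompt, the disk class GUID and driver path quoted in the post, and that writing a backup of the old value under $env:TEMP is acceptable. The same Get-DiskUpperFilters check is also what you would run on machines where MBRFilter is supposed to stay installed, to confirm the protection is actually registered.

```powershell
# Added example (not from the PenTestIT post or Cisco Talos).
# Step 1 (before reboot): remove only the MBRFilter entry from the disk class
# UpperFilters value. Step 2 (after reboot): delete the driver file.
# Assumes an elevated prompt; the GUID and path are the ones given in the post.
$classKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\mbrfilter.sys'

function Get-DiskUpperFilters {
    # UpperFilters is REG_MULTI_SZ; PowerShell returns it as a string array
    # (or $null when the value does not exist at all).
    (Get-ItemProperty -Path $classKey -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters
}

function Remove-MbrFilterEntry {
    $current = @(Get-DiskUpperFilters)
    if ($current -notcontains 'MBRFilter') {
        Write-Host 'MBRFilter is not listed in UpperFilters; nothing to change.'
        return
    }

    # Keep a copy of the original value so the change can be reverted by hand.
    $backup = Join-Path $env:TEMP 'UpperFilters-backup.txt'
    $current | Set-Content -Path $backup
    Write-Host "Current UpperFilters: $($current -join ', ') (backup written to $backup)"

    # Drop only the MBRFilter entry; any other filter drivers in the list stay as they are.
    $remaining = @($current | Where-Object { $_ -ne 'MBRFilter' })
    Set-ItemProperty -Path $classKey -Name UpperFilters -Value $remaining -Type MultiString
    Write-Host "New UpperFilters: $($remaining -join ', ')"
    Write-Host 'Reboot now, then run Remove-MbrFilterDriverFile.'
}

function Remove-MbrFilterDriverFile {
    # The driver stays loaded until the reboot, so refuse to run while it is still registered.
    if (@(Get-DiskUpperFilters) -contains 'MBRFilter') {
        throw 'MBRFilter is still registered in UpperFilters; run Remove-MbrFilterEntry and reboot first.'
    }
    if (Test-Path -Path $driverPath) {
        Remove-Item -Path $driverPath -Force
        Write-Host "Deleted $driverPath"
    } else {
        Write-Host "$driverPath is not present; nothing to delete."
    }
}

# Usage:
#   Remove-MbrFilterEntry        # before the reboot
#   Restart-Computer
#   Remove-MbrFilterDriverFile   # after the reboot
```

Set-ItemProperty is given -Type MultiString explicitly so the value keeps its REG_MULTI_SZ type even when only one entry remains; writing it as a plain string would change the type and can break loading of the other filter drivers in the list.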

The post How to: Uninstall MBRFilter? appeared first on PenTestIT.