SHA256: 3696aaa457d611eb1843fa7ab9b2235ab09b4af7f4ba09c7b56603e87a5551e3

SHA256: a1aa4c59258f3459fb9612eea81c3805ba23e2bd8ff28bad5cf40c94c099fd19

MBR Filter

MBR Filter is a simple disk filter designed by Cisco Talos to block write access to the Master Boot Record (MBR). The MBR stores information about how the storage device is partitioned, as well as details of the filesystem configuration on the device. MBR Filter prevents rootkits, bootkits, and ransomware such as Petya from overwriting the operating system’s (OS) boot loader. Ransomware like Petya overwrites and encrypts the victim’s Master File Table (MFT) to coerce them into paying for an encryption key.

Once installed, MBR Filter requires the system to be booted in Safe Mode before write access is enabled and changes can be made to the device. This prevents malicious software from writing to or modifying the contents of the MBR on the machine or on any disks connected to the system. MBR Filter enables users to effectively protect their systems from various malware families and disrupts the operations of cyber criminals by making their malware ineffective. Talos offers MBR Filter in two formats usable on Windows-based systems: open source, which can be used and modified by anyone, and a precompiled, signed driver executable that can be installed.

MBRFilter has been intentionally made difficult to remove to prevent malware from simply disabling or removing this protection during the infection process. Test thoroughly before deploying within production environments.
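The partition data the MBR holds, and a way to notice when that sector has changed, shown as an added example (not Talos or MBRFilter code): it decodes a 512-byte sector using the standard MBR layout and hashes the boot code and the partition table separately for comparison against a baseline. The function names and the sample sector are assumptions constructed for illustration.

```python
# Added example; function names and the sample sector are constructed for illustration.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446          # bytes 0..445: boot loader code area
TABLE_END = 510              # bytes 446..509: four 16-byte partition entries
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Decode one MBR sector and fingerprint its two regions separately."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[TABLE_END:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_END + 16 * i
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector, off)
        if ptype == 0:           # type 0x00 marks an unused slot
            continue
        partitions.append({"slot": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[BOOT_CODE_END:TABLE_END]).hexdigest(),
        "partitions": partitions,
    }


def diff_against_baseline(baseline: dict, current: dict) -> list:
    """Name the MBR regions whose hash no longer matches the baseline."""
    return [k for k in ("boot_code_sha256", "table_sha256") if baseline[k] != current[k]]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: one bootable NTFS (0x07) partition at LBA 2048."""
    entry = ENTRY.pack(0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    body = boot_code.ljust(BOOT_CODE_END, b"\x00") + entry + bytes(48)
    return body + b"\x55\xaa"


if __name__ == "__main__":
    clean = parse_mbr(build_sample_mbr(b"\xeb\x3c\x90"))
    later = parse_mbr(build_sample_mbr(b"\xfa\x33\xc0"))   # boot code replaced
    print(clean["partitions"])
    print("changed regions:", diff_against_baseline(clean, later))
```

Hashing the two regions separately lets a baseline comparison distinguish a replaced boot loader from a partition table edit.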

*Note - This tool is not officially supported and the user assumes all liability for the use of this tool.