Windows Defender removes the bootloader from DiskCryptor
If your system disk is encrypted using DiskCryptor, the system may stop loading after updating the Windows Defender database to version 118.1.0.0 of 10/24/2017.
Defender defines the bootloader as Win32 / Tibbar.A and overwrites the MBR. DiskCryptor itself is defined as Trojan: Win32 / Rundas.B.
In the Windows Defender log, you can see the message:
It is clear that this is done to protect against Ransomware, which uses DiskCryptor as an encryption tool, for example, Mamba Ransomware , but in this case, ordinary users suffer from it as a means of protection.
')
At the moment I do not see any alternatives to the DiskCryptor loader, since it allows you to set various actions if the boot password is not entered for a certain time or is entered incorrectly. He also allows you to hide the text of the password request at boot time. And the process of creating a decoy system is much easier than in the same VeraCrypt. If you know the alternative to DiskCryptor with the same functionality, please share in the comments.
Update: Most likely, the addition of DiskCryptor to the anti-virus database is caused by the appearance of the Bad Rabbit trojan, an article on Habré .
Defender defines the bootloader as Win32 / Tibbar.A and overwrites the MBR. DiskCryptor itself is defined as Trojan: Win32 / Rundas.B.
In the Windows Defender log, you can see the message:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Ransom:DOS/Tibbar.A&threatid=2147724200&enterprise=0
Name: Ransom:DOS/Tibbar.A
ID: 2147724200
Severity: Severe
Category: Trojan
Path: boot:_\Device\Harddisk0\DR0\(MBR)\(MBR)
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
User: NT AUTHORITY\SYSTEM
Process Name: Unknown
Signature Version: AV: 1.255.60.0, AS: 1.255.60.0, NIS: 118.1.0.0It is clear that this is done to protect against Ransomware, which uses DiskCryptor as an encryption tool, for example, Mamba Ransomware , but in this case, ordinary users suffer from it as a means of protection.
')
At the moment I do not see any alternatives to the DiskCryptor loader, since it allows you to set various actions if the boot password is not entered for a certain time or is entered incorrectly. He also allows you to hide the text of the password request at boot time. And the process of creating a decoy system is much easier than in the same VeraCrypt. If you know the alternative to DiskCryptor with the same functionality, please share in the comments.
Update: Most likely, the addition of DiskCryptor to the anti-virus database is caused by the appearance of the Bad Rabbit trojan, an article on Habré .
Source: https://habr.com/ru/post/340940/
All Articles