
Windows Defender removes the bootloader from DiskCryptor

If your system disk is encrypted with DiskCryptor, the system may stop booting after the Windows Defender definitions are updated to version 118.1.0.0 of 10/24/2017.

Defender classifies the bootloader as Win32/Tibbar.A and overwrites the MBR. DiskCryptor itself is classified as Trojan:Win32/Rundas.B.

The Windows Defender log shows the following message:

Windows Defender has detected malware or other potentially unwanted software.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=37020&name=Ransom:DOS/Tibbar.A&threatid=2147724200&enterprise=0

Name: Ransom:DOS/Tibbar.A

ID: 2147724200

Severity: Severe

Category: Trojan

Path: boot:_\Device\Harddisk0\DR0\(MBR)\(MBR)

Detection Origin: Local machine

Detection Type: Concrete

Detection Source: System

User: NT AUTHORITY\SYSTEM

Process Name: Unknown

Signature Version: AV: 1.255.60.0, AS: 1.255.60.0, NIS: 118.1.0.0
This is clearly intended as protection against ransomware that uses DiskCryptor as its encryption tool, for example Mamba, but in this case the protective measure hits ordinary users as well.
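Because the damage here is a rewritten MBR on an otherwise intact disk, a practical safeguard is to keep a copy of the first 512 bytes of the system disk and compare it against the live sector after a definition update. The script below is an added example, not code from the post or from DiskCryptor: it parses a classic MBR, hashes the boot-code region separately from the partition table, and reports which part changed. The two sample sectors are constructed stand-ins with made-up boot code, not real DiskCryptor or Defender bytes.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440          # classic MBR: boot code occupies bytes 0..439
TABLE_OFFSET = 446           # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # boot signature at bytes 510..511

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, partition table hash and entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:                       # type 0 means an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "table_sha256": hashlib.sha256(mbr[TABLE_OFFSET:510]).hexdigest(),
        "signature_ok": mbr[510:512] == SIGNATURE,
        "partitions": partitions,
    }

def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Report whether boot code and/or partition table differ from the saved baseline."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return {
        "boot_code_changed": b["boot_code_sha256"] != c["boot_code_sha256"],
        "table_changed": b["table_sha256"] != c["table_sha256"],
        "signature_ok": c["signature_ok"],
    }

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one bootable type-0x07 partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    table = entry + b"\x00" * 48                 # three unused entries
    return code + b"\x00" * 6 + table + SIGNATURE  # 440 + 6 + 64 + 2 = 512

# Constructed stand-ins: the first models the custom loader you backed up,
# the second a generic loader written over it (hypothetical bytes, not real code).
SAVED_LOADER = build_sample_mbr(b"\xeb\x3c\x90CUSTOM-LOADER")
OVERWRITTEN = build_sample_mbr(b"\xfa\x33\xc0GENERIC-LOADER")

if __name__ == "__main__":
    print(compare_mbr(SAVED_LOADER, OVERWRITTEN))
```

On Windows the live sector can be read with administrative rights from \\.\PhysicalDrive0 (the first 512 bytes), and the baseline copy should be stored somewhere other than the encrypted disk so it is still reachable when the system no longer boots.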


At the moment I do not see any alternative to the DiskCryptor loader, since it allows you to set various actions if the boot password is not entered for a certain time or is entered incorrectly. It also allows you to hide the text of the password prompt at boot time. And the process of creating a decoy system is much easier than in VeraCrypt. If you know an alternative to DiskCryptor with the same functionality, please share it in the comments.

Update: most likely DiskCryptor was added to the antivirus database because of the appearance of the Bad Rabbit trojan (see the article on Habr).

Source: https://habr.com/ru/post/340940/
