Endpoint Protection

  • 1.  Does SEP14 protect MBR

    Posted Jul 27, 2017 09:17 AM

    Hello,

    My client has a question: does Client SEP14 protect the MBR? He also asks to be shown where these settings are. What can I say to him?



  • 2.  RE: Does SEP14 protect MBR

    Posted Jul 27, 2017 09:23 AM

    Not to my knowledge, nor has any version of SEP.

    You'd need to use one of their additional tools such as SymDiag, which does a Threat Analysis Scan that can scan for rootkits or the Norton Bootable Recovery Tool.

    Additionally, you can collect the MBR and submit to Symantec if you think it's been compromised:

    http://www.symantec.com/docs/TECH93277



  • 3.  RE: Does SEP14 protect MBR

    Posted Jul 27, 2017 10:18 AM

    It is very strange. But apparently it is. Recently the virus PetyaA damaged the MBR on a large number of hosts with SEP12.1.6. I think this is a big flaw of Symantec.



  • 4.  RE: Does SEP14 protect MBR

    Posted Jul 27, 2017 03:05 PM

    To my knowledge, no anti-virus has a protection mechanism for the MBR. At the end of the day, any AV is just another program running on top of the OS.



  • 5.  RE: Does SEP14 protect MBR

    Broadcom Employee
    Posted Jul 27, 2017 06:20 PM

    Hello AndreyP,

    AutoProtect (real-time scanning) does not scan the MBR; however, running a full manual or scheduled scan will scan the MBR.


    Thanks,


  • 6.  RE: Does SEP14 protect MBR

    Posted Jul 27, 2017 06:35 PM

    Yes, but, from what I've seen, SEP can't/won't take corrective action on the MBR, and I understand why. A good example is with Tidserv. SEP would alert that the infection was present and IPS would block outbound connection attempts, but it could never remove it.

    Has that changed in 14?



  • 7.  RE: Does SEP14 protect MBR

    Posted Jul 28, 2017 03:57 AM

    Is there someone from the development team on the forum who can answer this question?



  • 8.  RE: Does SEP14 protect MBR

    Broadcom Employee
    Posted Jul 28, 2017 11:44 AM

    Hello Brian,

    I am not sure how Tidserv infects the MBR, though it looks like it installs a rootkit, in which case you would need to run a Power Eraser scan with rootkit detection from the SEPM.

    Hello AndreyP,

    Correction,

    For physically attached non-removable hard disks, AutoProtect does in fact detect MBR infections and the action is to clean (cannot be changed).

    For removable disks (USB, floppy, etc.) the actions are based on the AutoProtect > Advanced Scanning and Monitoring > Floppy Setting.

    Though you may need to run a full system scan to repair the MBR.


    Please be aware that, depending on the type of MBR threat and what changes it makes to the MBR, a repair from SEP may not be an option, in which case you would need to run fixmbr from a Windows recovery DVD.

    Thanks,