WARNING: if used incorrectly, MBRFilter can prevent your system from booting. Don't use it unless you're 100% sure you understand all the issues, and your computer is fully backed up.
When your PC boots it first loads the contents of your system drive's Master Boot Record (MBR). This contains information which enables the computer to find your drive partitions, and start to load the operating system.
Malware will sometimes try to replace the MBR with its own code. If successful, this enables it to load before Windows, making it much easier to avoid detection and maybe (for ransomware) block access to your files.
MBRFilter is a simple disk filter which prevents software writing to sector 0 (aka the MBR or "master boot record") on storage devices. If malware tries this, it's much less likely to work, and when you reboot the malicious code won't be able to take control.
To install the program, download the 32-bit or 64-bit version as appropriate, unpack it, right-click the INF file and select "Install". NOTE: INSTALL THE WRONG VERSION - 32-bit on 64-bit Windows, say - AND YOU MAY FIND YOUR COMPUTER WILL NO LONGER BOOT. BE CAREFUL!
There is no obvious way to remove MBRFilter or temporarily disable it, which may cause problems if you need to initialise a new disk or set up an operating system. The program prompts you to try your operation again in Safe Mode, though, and the developer also suggests:
"This can cause an issue when initializing a new disk in the Disk Management application. Hit 'Cancel' when it asks you to write to the MBR/GPT and it should work as expected. Alternatively, if OK was clicked, then quitting and restarting the application will allow partitioning/formatting."
To remove MBRFilter, go to this Registry key:
The UpperFilters value should be something like "partmgr MBRFilter" (it may refer to other filters as well).
Remove "MBRFilter" but leave the rest of the value unchanged ("partmgr", or whatever else it was originally). Be careful here: delete something else and you may find your system refuses to boot at all.
Reboot and your system should be back to normal. There's an MBRFilter.sys file left in the \Windows\System32\Drivers folder and you can remove that if you like, but it won't have any effect once the Registry reference has been removed.
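The UpperFilters edit described above, written as a PowerShell function that removes only the MBRFilter entry, refuses to leave the list empty, and reads the result back. This is an added example, not part of MBRFilter or its documentation; the function name and backup file location are hypothetical, and the Registry key is passed in as a parameter (in provider form, e.g. starting "HKLM:\") rather than hard-coded.

```powershell
# Added example, not MBRFilter's own code. Run from an elevated PowerShell prompt.
function Remove-MbrFilterEntry {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Registry key that holds the UpperFilters value (supplied by the caller).
        [Parameter(Mandatory = $true)][string]$KeyPath,
        [string]$FilterName = 'MBRFilter',
        [string]$BackupFile = "$env:TEMP\UpperFilters-backup.txt"   # hypothetical location
    )

    # UpperFilters is a REG_MULTI_SZ, so it comes back as an array of strings.
    $current = @((Get-ItemProperty -Path $KeyPath -Name UpperFilters -ErrorAction Stop).UpperFilters)

    if ($current -notcontains $FilterName) {
        Write-Warning "$FilterName is not listed in UpperFilters; nothing changed."
        return
    }

    # Drop only the MBRFilter entry; every other filter keeps its place and order.
    $remaining = @($current | Where-Object { $_ -ne $FilterName })

    # Refuse to write an empty list: the other entries (e.g. partmgr) must survive.
    if ($remaining.Count -eq 0) {
        throw "Removing $FilterName would leave UpperFilters empty; aborting."
    }

    if ($PSCmdlet.ShouldProcess($KeyPath, "Set UpperFilters to '$($remaining -join ' ')'")) {
        # Keep a copy of the original entries so they can be restored by hand.
        $current | Set-Content -Path $BackupFile -Encoding UTF8

        Set-ItemProperty -Path $KeyPath -Name UpperFilters -Value $remaining -Type MultiString

        # Read the value back and confirm it matches what was meant to be written.
        $after = @((Get-ItemProperty -Path $KeyPath -Name UpperFilters).UpperFilters)
        if (Compare-Object $remaining $after) {
            throw "Read-back does not match; original entries are saved in $BackupFile."
        }
        Write-Output "UpperFilters is now: $($after -join ', '). Reboot to finish."
    }
}

# Preview the change first, then apply it:
# Remove-MbrFilterEntry -KeyPath '<PLACEHOLDER: key containing UpperFilters>' -WhatIf
# Remove-MbrFilterEntry -KeyPath '<PLACEHOLDER: key containing UpperFilters>'
```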
Overwriting the MBR is a common malware trick, and MBRFilter provides a quick and easy way to keep your system safe. But there are also downsides.
- Making a mistake with the version (installing 32-bit on 64-bit Windows) could make your PC unbootable. Safe Mode, Windows Repair and /fixmbr won't have any effect.
- If you have some legitimate need to rewrite an MBR, perhaps to initialize a new hard drive or install an operating system, you'll be prompted to do so in Safe Mode. This may not be possible in every situation.
MBRFilter's protection is still worth having, but only for experienced users who understand its issues and are able to deal with them.