Could CIS protect us from MBR virus?

Hi, have a question: could CIS protect us from MBR virus? Anybody have some information about that?
Thank you,

Yes, if an unknown executable tries to modify the MBR then either Defense+ will warn about Direct Disk Access if only using the HIPS, or when using the sandbox the modification will be contained inside the sandbox.

Hello,

CIS protects you from any malicious and unknown file with the help of the Containment Technology. Please kindly check the details from the link: https://containment.comodo.com/

Kind Regards
Buket

I just have heard in the past that if a computer's MBR were infected, a lot of antivirus software cannot delete the virus from the MBR even if they can detect the virus at the MBR. Is that true? And how about Comodo on this issue?

Hello again,

If you don't use CIS on your computer and you have an infection on the MBR, I would suggest you use Comodo Cleaning Essentials, a free tool to clean malicious files. It is able to detect viruses and cure the MBR as well.

For your information

Kind Regards
Buket

But how about if I use CIS on my computer without activating Comodo Cleaning Essentials? In this condition, could CIS detect a virus at the MBR and then cure the MBR if the MBR was infected before?
Thank you,

No, CIS and other normal AV scanners won’t detect a MBR infection/virus. Use of specially designed scanners such as CCE or other advanced scanners is required to scan for and clean the MBR.

Where have you heard that CIS won't detect an MBR infection/virus? (Can you explain that in more detail?) And I am not sure what you imply by "other normal av scanners". However, as far as I know, Kaspersky can detect an MBR infection/virus. And here is what I have heard from their site:

Yes, I have a modified MBR due to having a dual boot setup and when I perform a scan with CIS I don’t get any warning unless I perform a scan using CCE with scan for MBR modifications setting enabled. This is because CIS does not scan using low-level direct disk access.

[quote]
And I am not sure what you imply by "other normal av scanners". However, as far as I know, Kaspersky can detect an MBR infection/virus. And here is what I have heard from their site: https://securelist.com/analysis/36252/bootkit-2009/
[/quote]

There are two ways for an anti-virus to scan files on a disk. One way is using normal WinAPI functions to create/open a handle to each individual file/folder and reading/scanning the contents of the file. The other way is by accessing/scanning the disk directly via direct disk access, which is done by opening a handle to \Device\HardDisk0\Dr0, which allows scanning a disk at the lowest level within Windows. When an AV scans using only the first method, that's what I consider a "normal av scanner", whereas an advanced scanner is one that either a) scans using direct disk access or b) is a standalone specialized tool to detect/clean a specific malware. I was unaware that Kaspersky actually uses both methods because, just like in the article you listed, most AVs didn't/don't scan the MBR because it was thought that MBR infections were no longer a threat. Another form of advanced scanner is those that are specifically designed to detect and remove specific malware, e.g. TDSSKiller, SalityKiller, etc., and then there are the rescue disks that many AV companies release to scan for and remove both traditional and advanced malware like bootkits and rootkits.

the word “protect” is what?

Keep a clean computer clean by preventing an MBR virus from infecting the computer? (CIS will do the trick here)
OR
Existing MBR infection on a computer that you want to clean? (CCE will do the trick here)…

I just had a thought but didn’t think it worthy of its own thread, would GPT disks be vulnerable to MBR malware, if no, are there equivalent malware specific for GPT disks?

According to GUID Partition Table - Wikipedia no as the MBR is considered ‘protected MBR’ referenced by this

Traditionally, in IBM PC compatible systems the first sector of the disk holds the Master Boot Record (MBR), containing the drive’s partitioning information and the code of the first stage boot loader for BIOS-based systems. For limited backward compatibility, this sector is still reserved for an MBR in the GPT specification, but it is now used in a way that prevents MBR-based disk utilities from misrecognizing and possibly overwriting GPT disks. This is referred to as a protective MBR
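
The posts above separate file-level scanning from reading sector 0 through direct disk access, and mention the GPT protective MBR. As an added example (not code from the thread or from Comodo; the function names and the sample sectors are constructed for illustration), this Python code parses a 512-byte sector 0, recognises a protective MBR, and compares the boot code against a known-good hash:

```python
import hashlib
import struct

BOOT_CODE_LEN = 440     # bootstrap code area at the start of sector 0
PART_TABLE_OFF = 446    # four 16-byte partition entries start here
GPT_PROTECTIVE = 0xEE   # partition type of a GPT protective MBR entry

def read_sector0(path):
    # Assumption: path is a raw disk image, or on Windows r"\\.\PhysicalDrive0"
    # (the Win32 name for \Device\Harddisk0\DR0), opened with admin rights.
    with open(path, "rb", buffering=0) as disk:
        return disk.read(512)

def inspect_mbr(sector, baseline_sha256=None):
    """Parse sector 0 and compare its boot code against a known-good hash."""
    if len(sector) != 512:
        raise ValueError("expected one 512-byte sector")
    parts = []
    for i in range(4):
        raw = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    code_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {
        "valid_signature": sector[510:512] == b"\x55\xaa",
        "protective_mbr": [p["type"] for p in parts] == [GPT_PROTECTIVE],
        "partitions": parts,
        "boot_code_sha256": code_hash,
        "boot_code_changed": baseline_sha256 not in (None, code_hash),
    }

def build_sample(boot_code, ptype, lba, count, active=False):
    """Constructed sector for the demo; not data from a real disk."""
    entry = struct.pack("<B3xB3xII", 0x80 if active else 0, ptype, lba, count)
    return boot_code.ljust(PART_TABLE_OFF, b"\x00") + entry + bytes(48) + b"\x55\xaa"

CLEAN = build_sample(b"constructed loader A", 0x07, 2048, 204800, active=True)
MODIFIED = build_sample(b"constructed loader B", 0x07, 2048, 204800, active=True)
GPT_DISK = build_sample(b"", GPT_PROTECTIVE, 1, 0xFFFFFFFF)

if __name__ == "__main__":
    baseline = inspect_mbr(CLEAN)["boot_code_sha256"]
    for name, sector in [("clean", CLEAN), ("modified", MODIFIED), ("gpt", GPT_DISK)]:
        r = inspect_mbr(sector, baseline)
        print(name, r["valid_signature"], r["protective_mbr"], r["boot_code_changed"])
```

A hash mismatch only says the boot code differs from the baseline: a dual-boot loader triggers it just as an infection would, so the result needs a known-good reference to be interpreted.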

So you imply that the scanner of CIS would not scan the MBR of a hard disk while the scanner of CCE would do that job? I was once also confused about why CCE and CIS both have a scanner, and whether there is some difference between these 2 scanners. I saw a thread about this topic in this forum, but there are different answers to it in the thread, and I am not sure which one is right.
https://forums.comodo.com/news-announcements-feedback-cce/ccecis-t86653.0.html

Hello,

CIS provides you 100% protection on a clean PC. In case of an infection, of course you can run a scan with CIS and detect malware. For MBR cases, if you did not use CIS and get an infection, then we recommend you do a deep cleaning with the dedicated CCE tool, which is able to cure the MBR.

For your information

Buket

Well, I can fully understand that CIS provides 100% protection on a clean PC, and I can also understand that CCE can be used to clean existing MBR infections. What I cannot understand is: could CIS (in the case without activating CCE, as CCE is now also a part of CIS) also detect existing MBR infections and then cure the MBR?
Thank you,

No as stated earlier, CIS can’t/won’t detect or clean an already existing infected MBR, you would need to use comodo cleaning essentials or comodo rescue disk to scan for and clean an infected MBR. CIS would be used to prevent a MBR infection.

Well, as I asked you earlier where you had heard that CIS never detects an MBR infection, you answered me that you have a modified MBR (due to having a dual boot setup) scanned by CIS and get no warning at all unless you scan your computer with CCE (with the scan for MBR modifications setting enabled). So you made the conclusion that CIS never detects an MBR infection, right?
Here I must point out: "the evidence you collected does not fully support the conclusion you made; it only fully supports the conclusion that CIS never detects MBR modifications," since the MBR modification (due to having a dual boot setup) is not an MBR infection, and as security software CIS does not have the obligation to detect it. That's just why I cannot agree with you right now to make the conclusion that CIS never detects MBR infections. Personally, I am still pretty neutral on this issue. On one side, I have never heard from Comodo before that CIS never detects existing MBR infections. And on the other side, since I started the thread, neither Melih nor BuketB has ever said directly that CIS never detects existing MBR infections.
BuketB once said: "If you don't use CIS on your computer and you have an infection on the MBR, I would suggest you use Comodo Cleaning Essentials, a free tool to clean malicious files. It is able to detect viruses and cure the MBR as well." What does that imply? Does it imply "if I do use CIS on my computer and I have an MBR infection, he would no longer suggest that I use CCE, as CIS can also be used to detect MBR infections and cure the MBR"?
In a word, I just wish to receive a clear message from Comodo whether CIS (in the case without activating CCE, as CCE is now also a part of CIS) can detect existing MBR infections or not.
Thank you,

Correct.

[quote]
Here I must point out: "the evidence you collected does not fully support the conclusion you made; it only fully supports the conclusion that CIS never detects MBR modifications," since the MBR modification (due to having a dual boot setup) is not an MBR infection, and as security software CIS does not have the obligation to detect it. That's just why I cannot agree with you right now to make the conclusion that CIS never detects MBR infections. Personally, I am still pretty neutral on this issue. On one side, I have never heard from Comodo before that CIS never detects existing MBR infections. And on the other side, since I started the thread, neither Melih nor BuketB has ever said directly that CIS never detects existing MBR infections.
[/quote]

If CIS doesn't detect a modified MBR from a dual boot configuration, how would it detect an actual infected MBR? Surely it would warn of a possible infection if CIS was able to scan the MBR, but seeing as how CCE did at least report a modified MBR, but not CIS, is evidence alone that CIS doesn't scan the MBR, no? Combine this with the fact that there are no options within CIS to scan the MBR or boot sector, which is where the MBR resides, but CCE specifically has an option on the scan selection screen, "Critical areas and Boot Sector". Finally, if you were to compare a full scan with CCE and CIS with Windows Resource Monitor opened and select the Disk tab, you will notice cavwp.exe, which is the scanner of CIS, never opens a file handle to the Windows device object "\Device\Harddisk0\DR0", but CCE does. In order to access the MBR or boot sector of a hard drive, a process must access the disk directly by opening a file handle to \Device\Harddisk0\DR0.

[quote]
BuketB once said: "If you don't use CIS on your computer and you have an infection on the MBR, I would suggest you use Comodo Cleaning Essentials, a free tool to clean malicious files. It is able to detect viruses and cure the MBR as well." What does that imply? Does it imply "if I do use CIS on my computer and I have an MBR infection, he would no longer suggest that I use CCE, as CIS can also be used to detect MBR infections and cure the MBR"?
[/quote]

No, you would still need to use CCE to clean an infected MBR whether you use CIS or not. CIS is meant to [b]prevent an infection[/b], either an MBR infection or some other type of malware infection, whereas CCE is used to [b]clean an existing infection including an MBR infection[/b]. Even Melih implied this statement:
[quote="Melih post:10, topic:306284"]
the word "protect" is what?

Keep a clean computer clean by preventing an MBR virus from infecting the computer? (CIS will do the trick here)
OR
Existing MBR infection on a computer that you want to clean? (CCE will do the trick here)…
[/quote]

[quote]
In a word, I just wish to receive a clear message from Comodo whether CIS (in the case without activating CCE, as CCE is now also a part of CIS) can detect existing MBR infections or not. Thank you,
[/quote]

CCE is only "a part of CIS" by having the option to open CCE or Killswitch within the interface under advanced tasks, but CCE is still a standalone tool that you must click to agree & install when clicking on clean endpoint or watch activity for the first time.