8 Replies Latest reply on Jan 4, 2015 9:15 AM by SafeBoot

    MBR and Safeboot (EPO)

    iamconcerned

      If you are a McAfee employee, I am looking for a thoughtful and mindful reply, not a quick and dirty one (like, “yes, there are two MBRs”).

      I am in a corporate environment where Safeboot is used to encrypt the drive and to log in with a single-sign-on.  I am trying to determine if there is a hidden boot record.  I know, as do you, that Safeboot will create its own boot record (the terminology used is “it replaces the existing MBR”).

       

      That's what the documentation states.  My question is this: are there supposed to be two boot records or just one?  I see two.  The first, or primary partition appears to be  Safeboot's.  I'm thinking this primary partition boots up and makes some self-checks, for example, that its own boot sector and boot data that lives in that primary partition has not been compromised.  If so, I can't trust it because this code can be compromised and it is not encrypted (at the very least, the boot sector itself is not encrypted or the extended boot sectors it must load in are not encrypted -- all of which I do not care to disassemble).

       

      So I boot up and feel unsafe (in addition to experiencing other suspicious symptoms). I used a variety of tools to check the master boot record and some of these are highly regarded and complain there is a "hidden MBR" or "bad MBR" in the sense that they either (a) aren't able to deal with an encrypted drive and these boot sectors and/or dual partitions when perhaps there should only be one, (b) they are often spot on. 

       

      The tools are undisclosed but they are mainstream and highly regarded. Note TDSSKILLER is not among them (it does not complain).  ASWMBR is and complains.   Others complain.  I am not here to discuss the merits and/or reputation of these tools, including Stinger, etc.  I *AM* here to say that from all the documentation and a phone call to McAfee (who said the answers are under Non-Disclosure) I see a frightening situation. I am not able to disruptively walk about to other client machines and see if they have the same results.  If they did, then I would still be concerned they are *all* infected.  I always seek quality answers to reduce my work/analysis.

       

      I cannot run tools while the operating system is running because the “bad guys” who write such MBR bootkit  (if there is such a bootkit/virus on my PC) have learned how to fake the return values to make you think all is well (at least they do this while they are zero-day in nature).  So a tool has to be run from a live CD.  Yet I report to you my concerns while running in the operating system (Windows 8.1). 

       

      The MBR Partitions are MBR, not GPT.

       

      I asked McAfee if there was a tool I could run on a live CD (BartPE, etc.) that simply checks the disk for the portion that is supposed to be unencrypted, namely the boot sectors.  They said there wasn’t one as far as they knew.

       

      It is not good to trust the Safeboot self-proclaimed  “we check ourselves to make sure we have not been compromised” statements.  That’s like trusting any AV product to detect zero-day viruses which is, by definition, impossible.

       

      It is not good to ask me to run a repair of the MBR and/or its boot sectors and/or the code the boot sector(s) point to. That is sweeping the problem under the rug and NO ONE learns anything.  And the instructions for Encryption protection repair are complex and prone to risk.

       

      A tool on a bootable CD is needed that is simple and effective.  Yes, it could only look at unencrypted data but that would be a start (getting the operating system out of the picture).

       

      It is also unwise to be in non-disclosure about these matters.  To think the “bad guys” will not figure it out eventually is foolishness.  I am not talking about them seeing my encrypted data, I am talking about them infecting my system where everything is visible to them and the data encryption is a moot point, beneficial only if my disk is stolen.

       

      Here is what  I see with a security inspector report (I omitted the serial number).

       

      Thank You,

       

      H

       

       

       

      ===========================================================================

       

      Target - \\.\PHYSICALDRIVE0

                     15566  Cylinders

                       255 Heads           

                        63  Sectors Per Track

                       512  BytesPerSector  

                        12  MediaType       

       

      ===========================================================================

                                   Master Boot Record

      ===========================================================================

      | B |  FS TYPE |      START       |       END        |   RELATIVE |     TOTAL |
      | F |   (hex)  |    C    H    S   |    C    H    S   |            |           |
      ===========================================================================
      | * |    07    |    0   32   33   |   44  190   18   |       2048 |    716800 |
      |   |    07    |   44  190   19   | 1023  254   63   |     718848 | 249348096 |
      |   |    00    |    0    0    0   |    0    0    0   |          0 |         0 |
      |   |    00    |    0    0    0   |    0    0    0   |          0 |         0 |

      ===========================================================================

      Disk Signature 0x0203fa30

       

      Partition #1 NTFS backup boot sector at LBN 718847.

      Partition #2 NTFS backup boot sector at LBN 250066943.

       

      LBN 0   [C 0, H 0, S 1]

       

      0x0000   fa eb 23 53 61 66 65 42-6f 6f 74 20 00 07 01 00   δ#SafeBoot ....

      0x0010   00 04 00 05 40 53 02 01-00 00 00 00 8a 35 0b 00   ....@S......è5..

      0x0020   00 00 00 00 00 00 9c 0e-68 00 7c 60 1e 06 0e 1f   ......£.h.|` ..¬

      0x0030   0e 07 fc bb ae 7d b9 04-00 8d 5f 10 80 3f 80 e0   ..ⁿ╗«}╣..ì_Ç?Çα

      0x0040   f8 75 7a 80 7f 04 12 74-27 f6 06 0f 7c 01 74 6d   °uzÇ.t'÷..|.tm

      0x0050   80 2e 11 7c 01 72 19 53-ba 80 00 b9 01 00 b8 01   Ç.|.rS║Ç.╣..╕.

      0x0060   03 bb 00 7c cd 13 5b 72-07 80 3e 11 7c 00 75 4d   .╗.|═[r.Ç>|.uM

      0x0070   be 81 7c bf 00 7e 57 b9-2e 01 f3 a4 66 8b 47 08   ╛ü|┐.~W╣..≤ñfïG.

      0x0080   c3 be 28 7f 66 89 44 08-66 c7 44 0c 00 00 00 00   ├╛(fëD.f╟D.....

      0x0090   c7 44 06 00 00 c7 44 04-00 7c b4 42 b2 80 cd 13   ╟D...╟D..|┤B▓Ç═

      0x00a0   07 1f 61 cf be 84 7d ac-0a c0 74 fe 79 06 4e c6   .¬a╧╛ä}¼.└t■y.N╞

      0x00b0   04 20 f6 d8 b4 0e bb 07-00 cd 10 eb ea fa 33 c0   . ÷╪┤.╗..═δΩ3└

      0x00c0   8e d0 bc 00 7c fb 66 a1-14 7c 66 8b 16 18 7c bd   Ä╨╝.|√fí|fï|╜

      0x00d0   e0 07 be a9 7d 66 89 44-08 66 89 54 0c 89 6c 06   α.╛⌐}fëD.fëT.ël.

      0x00e0   b4 42 b2 80 8e c5 cd 13-73 3b b4 08 b2 80 cd 13   ┤B▓ÇÄ┼═s;┤.▓Ç═

      0x00f0   66 33 db 8a de 43 66 83-e1 3f 66 a1 b1 7d 66 8b   f3█è▐Cfâß?fí▒}fï

      0x0100   16 b5 7d 66 f7 f1 8b ca-33 d2 66 f7 f3 41 c0 cc   ╡}f≈±ï╩3╥f≈≤A└╠

      0x0110   02 86 c4 0b c8 8a f2 b8-01 02 b2 80 33 db cd 13   .å─.╚è≥╕..▓Ç3█═

      0x0120   be 9a 7d 72 82 66 26 81-3e e0 01 53 42 66 73 0f ╛Ü}réf&ü>α.SBfs.

      0x0130   85 71 ff a1 24 7c 26 3b-06 e5 01 75 f2 ff 06 24   àq í$|&;.σ.u≥ .$

      0x0140   7c 66 33 c0 33 db 66 d1-c8 66 26 03 07 8d 5f 04   |f3└3█f╤╚f&..ì_.

      0x0150   80 ff 02 75 f1 66 0b c0-75 d5 26 a0 e9 01 b4 0e   Ç .u±f.└u╒&áΘ.┤.

      0x0160   bb 07 00 cd 10 83 c5 1e-66 26 a1 f4 01 66 26 8b   ╗..═â┼ f&í⌠.f&ï

      0x0170   16 f8 01 66 8b c8 66 0b-ca 0f 85 55 ff 68 00 00   °.fï╚f.╩.àU h..

      0x0180   68 00 7e cb 0d 45 45 50-bd 68 61 8d 62 65 65 92   h.~╦.EEP╜haìbeeÆ

      0x0190   63 6f 72 72 75 70 74 65-9c 00 0d 45 45 50 bd 64   corrupte£..EEP╜d

      0x01a0   69 73 95 65 72 72 6f 8e-00 10 00 01 00 00 00 00   isòerroÄ.......

      0x01b0   00 00 00 00 00 00 00 00-30 fa 03 02 00 00 80 20   ........0....Ç

      0x01c0   21 00 07 be 12 2c 00 08-00 00 00 f0 0a 00 00 be   !..╛,.....≡...╛

      0x01d0   13 2c 07 fe ff ff 00 f8-0a 00 00 c0 dc 0e 00 00   ,.■  .°...└▄...

      0x01e0   00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................

      0x01f0   00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 aa   ..............U¬

       

      ---------------------------------------------------------------------------

      Primary Partition 1

      NTFS BIOS Parameter Block Information

       

        BytesPerSector      : 51

        Sectors Per Cluster :           8

        ReservedSectors     : 0

        Fats                : 0

        RootEntries         :           0

        Small Sectors       :           0 ( 0 MB )

        Media Type          :         248 ( 0xf8 )

        SectorsPerFat       :           0

        SectorsPerTrack     : 63

        Heads               :         255

        Hidden Sectors      : 2048

        Large Sectors       :           0 ( 0 MB )

       

       

        ClustersPerFRS      : 246

        Clust/IndxAllocBuf  : 1

        NumberSectors       :               716799 ( 350 MB )

        MftStartLcn         :                29866

        Mft2StartLcn        :                    2

        Checksum            :                    0 (0x0)

       

      --------------------------------------------------------------------------

       

      LBN 2048   [C 0, H 32, S 33]

       

      0x0000   eb 52 90 4e 54 46 53 20-20 20 20 00 02 08 00 00   δRÉNTFS    ....

      0x0010   00 00 00 00 00 f8 00 00-3f 00 ff 00 00 08 00 00   .....°..?. .....

      0x0020   00 00 00 00 80 00 80 00-ff ef 0a 00 00 00 00 00   ....Ç.Ç. ∩......

      0x0030   aa 74 00 00 00 00 00 00-02 00 00 00 00 00 00 00   ¬t..............

      0x0040   f6 00 00 00 01 00 00 00-0c 28 ee be 59 ee be a0   ÷........(ε╛Yε╛á

      0x0050   00 00 00 00 fa 33 c0 8e-d0 bc 00 7c fb 68 c0 07   ....3└Ä╨╝.|√h└.

      0x0060   1f 1e 68 66 00 cb 88 16-0e 00 66 81 3e 03 00 4e   ¬ hf.╦ê..fü>..N

      0x0070   54 46 53 75 15 b4 41 bb-aa 55 cd 13 72 0c 81 fb   TFSu┤A╗¬U═r.ü√

      0x0080   55 aa 75 06 f7 c1 01 00-75 03 e9 dd 00 1e 83 ec   U¬u.≈┴..u.Θ▌. â∞

      0x0090   18 68 1a 00 b4 48 8a 16-0e 00 8b f4 16 1f cd 13   h.┤Hè..ï⌠¬═

      0x00a0   9f 83 c4 18 9e 58 1f 72-e1 3b 06 0b 00 75 db a3   ƒâ─₧X¬rß;...u█ú

      0x00b0   0f 00 c1 2e 0f 00 04 1e-5a 33 db b9 00 20 2b c8   ..┴.... Z3█╣. +╚

      0x00c0   66 ff 06 11 00 03 16 0f-00 8e c2 ff 06 16 00 e8   f .....Ä┬ ..Φ

      0x00d0   4b 00 2b c8 77 ef b8 00-bb cd 1a 66 23 c0 75 2d   K.+╚w∩╕.╗═f#└u

      0x00e0   66 81 fb 54 43 50 41 75-24 81 f9 02 01 72 1e 16   fü√TCPAu$ü∙..r

      0x00f0   68 07 bb 16 68 52 11 16-68 09 00 66 53 66 53 66   h.╗hRh..fSfSf

      0x0100   55 16 16 16 68 b8 01 66-61 0e 07 cd 1a 33 c0 bf   Uh╕.fa..═3└┐

      0x0110   0a 13 b9 f6 0c fc f3 aa-e9 fe 01 90 90 66 60 1e   .╣÷.ⁿ≤¬Θ■.ÉÉf`

      0x0120   06 66 a1 11 00 66 03 06-1c 00 1e 66 68 00 00 00   .fí.f... fh...

      0x0130   00 66 50 06 53 68 01 00-68 10 00 b4 42 8a 16 0e   .fP.Sh..h.┤Bè.

      0x0140   00 16 1f 8b f4 cd 13 66-59 5b 5a 66 59 66 59 1f   .¬ï⌠═fY[ZfYfY¬

      0x0150   0f 82 16 00 66 ff 06 11-00 03 16 0f 00 8e c2 ff   .é.f .....Ä┬

      0x0160   0e 16 00 75 bc 07 1f 66-61 c3 a1 f6 01 e8 09 00   ..u╝.¬fa├í÷.Φ..

      0x0170   a1 fa 01 e8 03 00 f4 eb-fd 8b f0 ac 3c 00 74 09   í.Φ..⌠δ²ï≡¼<.t.

      0x0180   b4 0e bb 07 00 cd 10 eb-f2 c3 0d 0a 41 20 64 69   ┤.╗..═δ≥├..A d

      0x0190   73 6b 20 72 65 61 64 20-65 72 72 6f 72 20 6f 63   sk read error oc

      0x01a0   63 75 72 72 65 64 00 0d-0a 42 4f 4f 54 4d 47 52   curred...BOOMGR

      0x01b0   20 69 73 20 63 6f 6d 70-72 65 73 73 65 64 00 0d    is compressed.

      0x01c0   0a 50 72 65 73 73 20 43-74 72 6c 2b 41 6c 74 2b   .Press Ctrl+Alt+

      0x01d0   44 65 6c 20 74 6f 20 72-65 73 74 61 72 74 0d 0a   Del to restart..

      0x01e0   00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................

      0x01f0   00 00 00 00 00 00 8a 01-a7 01 bf 01 00 00 55 aa   ......è.º.┐...U¬

       

      --------------------------------------------------------------------------

      Primary Partition 2

      NTFS BIOS Parameter Block Information

       

        BytesPerSector      : 51

        Sectors Per Cluster :           8

        ReservedSectors     : 0

        Fats                :           0

        RootEntries         :           0

        Small Sectors       :           0 ( 0 MB )

        Media Type          :         248 ( 0xf8 )

        SectorsPerFat       :           0

        SectorsPerTrack     : 63

        Heads               :         255

        Hidden Sectors      : 718848

        Large Sectors       :           0 ( 0 MB )

       

        ClustersPerFRS      : 24

        Clust/IndxAllocBuf  : 1

        NumberSectors       :            249348095 ( 121752 MB )

        MftStartLcn         :               786432

        Mft2StartLcn        : 2

        Checksum            :                    0 (0x0)

       

      --------------------------------------------------------------------------

      LBN 718848   [C 44, H 190, S 19]

       

      0x0000   eb 52 90 4e 54 46 53 20-20 20 20 00 02 08 00 00   δRÉNTFS    .....

      0x0010   00 00 00 00 00 f8 00 00-3f 00 ff 00 00 f8 0a 00   .....°..?. ..°..

      0x0020   00 00 00 00 80 00 80 00-ff bf dc 0e 00 00 00 00   ....Ç.Ç. ┐▄.....

      0x0030   00 00 0c 00 00 00 00 00-02 00 00 00 00 00 00 00   ................

      0x0040   f6 00 00 00 01 00 00 00-a7 52 f0 6a 6c f0 6a ce   ÷.......ºR≡jl≡j╬

      0x0050   00 00 00 00 fa 33 c0 8e-d0 bc 00 7c fb 68 c0 07   ....3└Ä╨╝.|√h└.

      0x0060   1f 1e 68 66 00 cb 88 16-0e 00 66 81 3e 03 00 4e   ¬ hf.╦ê..fü>..N

      0x0070   54 46 53 75 15 b4 41 bb-aa 55 cd 13 72 0c 81 fb   TFSu┤A╗¬U═r.ü√

      0x0080   55 aa 75 06 f7 c1 01 00-75 03 e9 dd 00 1e 83 ec   U¬u.≈┴..u.Θ▌. â∞

      0x0090   18 68 1a 00 b4 48 8a 16-0e 00 8b f4 16 1f cd 13   h.┤Hè..ï⌠¬═

      0x00a0   9f 83 c4 18 9e 58 1f 72-e1 3b 06 0b 00 75 db a3   ƒâ─₧X¬rß;...u█ú

      0x00b0   0f 00 c1 2e 0f 00 04 1e-5a 33 db b9 00 20 2b c8   ..┴.... Z3█╣. +╚

      0x00c0   66 ff 06 11 00 03 16 0f-00 8e c2 ff 06 16 00 e8   f .....Ä┬ ..Φ

      0x00d0   4b 00 2b c8 77 ef b8 00-bb cd 1a 66 23 c0 75 2d   K.+╚w∩╕.╗═f#└u-

      0x00e0   66 81 fb 54 43 50 41 75-24 81 f9 02 01 72 1e 16   fü√TCPAu$ü∙..r

      0x00f0   68 07 bb 16 68 52 11 16-68 09 00 66 53 66 53 66   h.╗hRh..fSfSf

      0x0100   55 16 16 16 68 b8 01 66-61 0e 07 cd 1a 33 c0 bf   Uh╕.fa..═3└┐

      0x0110   0a 13 b9 f6 0c fc f3 aa-e9 fe 01 90 90 66 60 1e   .╣÷.ⁿ≤¬Θ■.ÉÉf`

      0x0120   06 66 a1 11 00 66 03 06-1c 00 1e 66 68 00 00 00   .fí.f... fh...

      0x0130   00 66 50 06 53 68 01 00-68 10 00 b4 42 8a 16 0e   .fP.Sh..h.┤Bè.

      0x0140   00 16 1f 8b f4 cd 13 66-59 5b 5a 66 59 66 59 1f   .¬ï⌠═fY[ZfYfY¬

      0x0150   0f 82 16 00 66 ff 06 11-00 03 16 0f 00 8e c2 ff   .é.f .....Ä┬

      0x0160   0e 16 00 75 bc 07 1f 66-61 c3 a1 f6 01 e8 09 00   ..u╝.¬fa├í÷.Φ..

      0x0170   a1 fa 01 e8 03 00 f4 eb-fd 8b f0 ac 3c 00 74 09   í.Φ..⌠δ²ï≡¼<.t.

      0x0180   b4 0e bb 07 00 cd 10 eb-f2 c3 0d 0a 41 20 64 69   ┤.╗..═δ≥├..A di

      0x0190   73 6b 20 72 65 61 64 20-65 72 72 6f 72 20 6f 63   sk read error oc

      0x01a0   63 75 72 72 65 64 00 0d-0a 42 4f 4f 54 4d 47 52   curred...BOOTMGR

      0x01b0   20 69 73 20 63 6f 6d 70-72 65 73 73 65 64 00 0d    is compressed..

      0x01c0   0a 50 72 65 73 73 20 43-74 72 6c 2b 41 6c 74 2b   .Press Ctrl+Alt+

      0x01d0   44 65 6c 20 74 6f 20 72-65 73 74 61 72 74 0d 0a   Del to restart..

      0x01e0   00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................

      0x01f0   00 00 00 00 00 00 8a 01-a7 01 bf 01 00 00 55 aa   ......è.º.┐...U¬

       

      Message was edited by: Simon Hunt - Fixed formatting catastrophe.

        • 1. Re: MBR and Safeboot (EPO)

          The short answer to a long question is: there is ONLY ever one MBR - and it's only ever in sector 0 of the boot hard disk.

           

          The other boot record you're seeing is the OS boot record in the boot partition (first sector of the active partition) - if you're seeing this on an encrypted disk, then your admin chose not to encrypt all the partitions.

           

          This is all normal, and has been like it is since the first PC+hard disk combo.

           

          I'm not sure what your next question is - you seem to be asking how to check the validity of a primary partition with unencrypted data on? I am not sure where that comes from, because EEPC, SafeBoot etc encrypts all the partitions the admin decides - there's no "secret" partition etc. If you have an unencrypted partition, it's because your admin chose not to encrypt it.

           

          As for getting a root kit when your machine is running, it won't ever boot again. The root kit would have to usurp the encrypted MBR and relocate it, but the encrypted MBR does not support relocation, and would think the disk is now not protected, thus it wouldn't boot.

           

          Yes, an evil maid attack is possible if the entire boot code was replaced, but there's no way to protect against that - I could replace your entire PC and persuade you to enter your password (and capture it) - same attack and obviously can't be defended against.

           

          What can be defended, is access to your PC if it's lost or stolen. If you let it out of your sight, the evil maid theory maintains it's not really your machine ever again.

          • 2. Re: MBR and Safeboot (EPO)
            jhall2

            The issues you speak of are a limitation of MBR booting. MBR was written in 1982 and was not designed with the IT Security Administrators in mind.

             

            Using UEFI, the UEFI Applications are signed using a Microsoft Third Party Signing Certificate and if secure boot is enabled, no unauthorized code can run in the UEFI environment. MDE (McAfee Drive Encryption) 7.1 has the ability to utilize UEFI and these issues that you are concerned about would indeed be solved by utilizing UEFI rather than MBR.

             

            As for what the unencrypted partition is, likely this is a hidden Windows partition such as WinRE (Recovery Environment). If you are concerned about any hidden non-lettered and unencrypted partitions, these can be deleted using standard partition tools if you see fit.

            • 3. Re: MBR and Safeboot (EPO)

              the first partition is marked as bootable though ;-) I expect this machine was set up with bitlocker in mind (os on a separate partition). It should probably be encrypted though to stop data leakage.

               

              I agree with you re UEFI - safer in terms of the theoretical attack against the boot code. Evil Maid still wins though regardless.

              • 4. Re: MBR and Safeboot (EPO)

                I'm guessing you're "nolongerconcerned" ?

                • 5. Re: MBR and Safeboot (EPO)
                  agmkhl

                  Sorry for the delayed response.  Sorry for referring to the boot partitions as MBRs when (normally) there is just one MBR (putting aside extended MBRs).  Why does the text I provided for one of the two partitions show a message “EEPC MBR has been corrupted” but with garbaged characters in five places (see #6d #8d, #92, #9c, #bd bytes)?

                   

                  Also, the bootstrap code in the MBR - is it different for EEP than for normal Windows?  You implied as much in 2011 when someone[1] asked what would happen if an MBR rootkit cleaner such as Kaspersky TDSSKiller would clean it.  You said it would likely replace an EEP MBR record with a "normal Windows" one.  You looked forward to when EETech or Wintech would have its own MBR restore, which it now does.[2]

                   

                  Right now the 3rd party tools MBR checking tools may not know about your MBR format which de facto must be unencrypted whether the partitions themselves are encrypted or not.  And the de facto unencrypted bootstrap code in the active partition (which would normally do the signon for the key if the partitions are even encrypted) may be hacked in an environment where the partitions were not encrypted for whatever reason (and which would lead to an unloadable operating system if the bootstrap code were hijacked and the partitions *were* encrypted).

                   

                  So, without talking to those vendors and knowing what they check, it is much easier to have a utility such as might be provided by Wintech whose single purpose (if run from a Windows PE environment) is to tell me that the MBR is a "McAfee EEP MBR" and is clean/good (without regard to whether my partitions are encrypted or not), and whether the de facto unencrypted code in the boot partition passes some integrity checks (when the partitions are not encrypted).

                   

                  This helps eliminate false positives from vendors/publishers who perhaps only deal with "normal" MBR records which you clearly admit in [1] it is not.  And it makes my job easier.  That is, it is of little value to know my disks are not encrypted.  I want to know if the remnants of what looks like an EEP infrastructure (MBR, boot sector code etc.) has Integrity.  Period.  :-) I want to know why AVAST ASWMBR complains, why mbrcheck complains, why several other MBR-checking tools complain.  Are they all disinterested in detecting malformed EEP MBRs and just hollering out a "false positive"?  Can't tell (not documented) and not my job to ask Avast.

                   

                  The producers of products that change the MBR as the ROW (Rest Of World) knows it, are doing a disservice by not publishing a technical note on how a EEP MBR or boot sector is different or making such a PE environment tool available themselves whether I own the product or not.  Plain and simple.  Just make my life easier. :-)

                   

                  If this still doesn't make sense, I hope someone can chime in and explain.  We're talking about a general security consultant dealing with a modified MBR to further your product line but to leave me in a shroud of uncertainty when the disks are unencrypted (as you suggest and I agree) and mainstream products call out the MBR as hidden or malformed for undisclosed reasons.

                   

                  Thanks,

                   

                  Harry

                   

                  [1] https://community.mcafee.com/thread/41163?start=0&tstart=0 page 39

                  [2] https://kc.mcafee.com/corporate/index?page=content&id=PD24204

                  • 6. Re: MBR and Safeboot (EPO)

                    1. It's not corrupted. That's how we are storing the string.

                    2. Yes. It's different to a Microsoft Windows MBR - it's not booting a partition, it's doing something else.

                     

                    What you are saying makes sense - but you perhaps forget that there is no "standard MBR" - you don't need to use Microsoft's MBR to boot Windows. You can use any one of a number, in fact for many years Dell and others shipped machines with their own special code in sector 0.

                     

                    finally, this condition has been in place for 25 years now. And as all new os's and machines no longer even use MBRs it seems a little pointless to try to correct it now.

                     

                    if you want to verify you have a genuine eepc mbr, just compare it against a known good machine. The code will be the same, or you could just try to view the disk info in wintech etc - that will verify enough of the structure to assure you that the mbr is at the least valid.

                    • 7. Re: MBR and Safeboot (EPO)
                      agmkhl

                      So, you are putting the burden on me.  I already told my client that i could compare it to other machines but how would I know if all machines were corrupted/tainted without asking their history (were they imaged, where did they come from, etc.).  As any good forensic expert would do, i am trying to take the easiest path to eliminate the most possibilities in determining the root cause. 

                       

                      The age of MBR technology (25 yrs) is irrelevant here.  So is whether Dell does this or does not.  If they do, they need to provide the same information for the same reasons. UEFI was introduced only a few years ago and brings its own set of security concerns but I believe it is a standard and it is documented.  The Microsoft MBR will be the one most often targeted and where most of your business is generated. And now, the bad guys can do what they love to do, hide behind a technology (Safeboot) where they know if tools discover them, the security expert will remain in doubt as to whether it is a false positive, a deficiency in the tool, or a rootkit.  In other words, your answer is IMO, disingenuous.  I say that kindly and respectfully knowing you may be philosophically bound to answer in this manner.  But if so, this blog and this post is calling out Safeboot for being (IMO) unprofessional.  Period.  End of story.

                       

                      In summary, you are also, IMO, in effect saying (apologies if I am being presumptuous)

                      1. we do not disclose the format but you can spend time to figure out what "normal is"
                      2. there is no such tool
                      3. Harry, I'd like to tell you but "the bad guys don't need to know this information, so I cannot" -- (IMO, that would be sad because they already do know -- that's how they remain a step ahead of companies like McAfee, Kaspersky, and keep those companies in business. The binary boot code can be turned into source code by a $1,000 disassembler product or by a 3rd world hacker with 24x7 time on their hands to see what it does and to *PERHAPS* see if those garbaged bytes in the message have relevance to anything.  Knowing the disassembled code does not help.  But one must strike a balance in the area of "needs to know".  You tell ME what is normal so I can walk up to any machine and make the check you should be enabling me to make and do not, putting my client at risk because you have chosen to be proprietary at the cost of someone never knowing what is truly normal when the disk is unencrypted but has your remnants in it.  How sad. I acknowledge I may be over thinking or overstating but only Safeboot can definitively allay those and my client's concerns.

                       

                      Kindly,

                       

                      Harry

                      • 8. Re: MBR and Safeboot (EPO)

                        I guess I still don't really understand what your questions or concerns are. Perhaps you can start a new thread with one specific question that you're worried about? I get the impression you're worried about evil maid compromise of your machines, but that's not what disk encryption is designed to protect against. To be honest, the evil maid attack is indefensible by technology.

                         

                        1. The MBR is 512 bytes total, only 446 bytes of assembler code - its structure is clearly documented in many places, for example http://en.wikipedia.org/wiki/Master_boot_record

                         

                        You could always install EEPC yourself and use that as your template of known good....

                         

                        2. I already told you, WinTech will read the MBR and verify the basic structure, but you are right - we don't supply any tool to binary compare the MBR with a gold example.  It's simply never been asked for AFAIK. Even our global TLA customers never asked for it. Even if we verify the MBR though, it does not mean the entire system is verified - evil maid could target the boot OS for example.

                         

                        Yes, I agree that a white box validation of the boot environment would be useful to verify that a machine has not been compromised, but that's a whole heck of a lot of work, something (again AFAIK) no vendor in this space provides, and again something no one has asked for since we launched in 1995.

                         

                        3. When you only have 446 bytes of storage, you can't waste space, but you seem to be criticizing our code for being obtuse (to you)? Not sure what kind of response you're looking for.
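An added example that is not from this thread and is not McAfee's WinTech or any other vendor tool: it applies what posts 6 and 8 describe by decoding the partition table, disk signature and the "SafeBoot" tag from the MBR dump in the first post, and by comparing the machine-independent bootstrap bytes against a reference MBR read from a known-good machine. SAMPLE_MBR reuses rows 0x0000 and 0x01b0-0x01f0 of that dump with the bootstrap code between them zero-filled as a constructed stand-in; treating offset 0x1b8 (the per-machine disk signature) as the end of the comparable code is an assumption taken from the standard MBR layout, not from the thread.

```python
import struct

# Constructed sample: row 0x0000 and rows 0x01b0-0x01f0 are copied from the
# inspector report in the first post; the bootstrap code between them is
# zero-filled because only the header, signatures and partition table are
# decoded here.
_ROW0 = bytes.fromhex("fa eb 23 53 61 66 65 42 6f 6f 74 20 00 07 01 00")
_TAIL = bytes.fromhex(
    "00 00 00 00 00 00 00 00 30 fa 03 02 00 00 80 20 "
    "21 00 07 be 12 2c 00 08 00 00 00 f0 0a 00 00 be "
    "13 2c 07 fe ff ff 00 f8 0a 00 00 c0 dc 0e 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa"
)
SAMPLE_MBR = _ROW0 + bytes(0x1B0 - len(_ROW0)) + _TAIL

PART_TABLE = 0x1BE   # four 16-byte partition entries
DISK_SIG = 0x1B8     # 4-byte Windows disk signature, differs per machine
CODE_END = DISK_SIG  # assumption: bootstrap code before this is install-invariant


def decode_chs(raw):
    """Decode a packed CHS triple (head byte, 6-bit sector + 2 high cylinder
    bits, low cylinder byte) into a (cylinder, head, sector) tuple."""
    head, sec_cyl_hi, cyl_lo = raw
    return ((sec_cyl_hi >> 6) << 8) | cyl_lo, head, sec_cyl_hi & 0x3F


def parse_mbr(mbr):
    """Return the structural fields of a 512-byte MBR; raise on malformed input."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        e = mbr[PART_TABLE + 16 * slot: PART_TABLE + 16 * (slot + 1)]
        status, ptype = e[0], e[4]
        lba, total = struct.unpack("<II", e[8:16])
        if ptype == 0 and lba == 0 and total == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            raise ValueError(f"slot {slot}: invalid status byte 0x{status:02x}")
        partitions.append({
            "active": status == 0x80,
            "type": ptype,
            "start_chs": decode_chs(e[1:4]),
            "end_chs": decode_chs(e[5:8]),
            "lba": lba,
            "total": total,
            "last_lba": lba + total - 1,  # where the NTFS backup boot sector sits
        })
    if sum(p["active"] for p in partitions) > 1:
        raise ValueError("more than one partition flagged active")
    return {
        "vendor_tag": mbr[3:11],  # b"SafeBoot" on the disk in the first post
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG:DISK_SIG + 4])[0],
        "partitions": partitions,
    }


def bootstrap_matches(candidate, reference):
    """Post 6's check: compare the bootstrap code against a known-good MBR.
    The disk signature and partition table legitimately differ between
    machines, so only the bytes before CODE_END are compared."""
    return candidate[:CODE_END] == reference[:CODE_END]
```

To compare a real disk, read sector 0 of the raw device from a live environment rather than the running OS, as the first post argues, and pass it to parse_mbr and bootstrap_matches.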