3

Will converting an MBR disk to GPT, formatting and then converting back to MBR remove an infected boot record? I am looking into writing a little program that will take a connected USB with an MBR infection and convert it to GPT and then format it before converting it back to MBR. Would this be sufficient to remove the threat of an MBR infection?

Plisken
  • 133
  • 3

3 Answers

4

No, not unless the infection exclusively resides on the MBR. It can easily exist on the bootloader or any other stage in the boot process. Also note that GPT has two backup MBRs on it, though they are not executed by default. If you believe you have an MBR infection (which is quite unlikely), you should reinstall your OS, as an infection of the MBR requires such high privileges that your entire installation could be compromised.

forest
  • 64,616
  • 20
  • 206
  • 257
  • Hi, thanks for the answer. I should have specified that this is for external drives only. Naturally if the infection was discovered on the OS drive then it would be reimaged. Given this could an infection on an external drive be eliminated as I described? – Plisken Nov 27 '17 at 06:01
  • 1
    If the infection is on an external, non-bootable drive, then malware cannot hide itself in the MBR. In fact, you could remove the MBR (as long as the partition table is intact) and your computer would be none the wiser. All it does is load your bootloader to bootstrap your system. It does nothing at runtime and is not even examined on an external system. – forest Nov 27 '17 at 06:01
0

Realistically, MBR viruses can only load if you boot into the disk directly, which usually means enabling USB hard drive booting and manually choosing to boot to the disk. As such, you probably shouldn't worry about MBR viruses unless you intend to boot from the disk.

Converting from MBR to GPT may theoretically preserve the boot code, in which case a format might not be sufficient. Instead, I recommend you just zero out the MBR and start over. Write 512 0x00 bytes to Sector 0/LBA 0, which will essentially tell any formatting utilities that this is an uninitialized disk.

Afterwards, create the MBR, create your first partition, and then format the file system for that partition. This will set up all the required data structures without preserving anything that may have been there before. The entire process should take less than a minute and is less likely to leave leftover boot code that might survive the conversion.

phyrfox
  • 5,724
  • 20
  • 24
  • It would be far safer to write 446 bytes to sector 0, since that destroys the flat MBR executable but leaves the harmless (and important) partition table intact. – forest Nov 27 '17 at 09:38
  • @guest I considered that, or even a more surgical strike of just about 7 bytes or so, but ultimately decided against it. There are at least six competing MBR "standards" and writing 446 bytes may make some systems claim the disk is damaged or corrupted, while writing all 512 bytes makes the system assume the disk is not initialized. Also, boot code can be in a file system (the partition is marked as "Bootable" in the MBR), so at minimum you need to reset those flags as well. Better to just nuke it all and start over. – phyrfox Nov 27 '17 at 09:45
  • Yup that's true. Perhaps using something like `sfdisk` to back up the partition table, then putting it back afterwards, since that way there would be no need to make the disk unreadable (since I assume the OP wants the most minimally invasive fix, or he'd have just nuked the whole drive in the first place). – forest Nov 27 '17 at 09:46
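To make the two cleanup strategies discussed in this answer and its comments concrete (zero all 512 bytes of sector 0 so the disk reads as uninitialized, versus zero only the 446 boot-code bytes and keep the 64-byte partition table, resetting the "bootable" flags as phyrfox notes, or backing the table up and rebuilding a fresh sector as forest suggests with `sfdisk`), here is an added Python example. It is not code from any of the posters. It works purely on an in-memory 512-byte sector: the sample sector is constructed (placeholder NOP bytes, not real boot code), and reading or writing a real block device is left out; the functions return the sanitized bytes so the caller decides what to do with them. The layout assumed is the classic MBR: 446 bytes of boot code, four 16-byte partition entries at offset 446, and the 0x55AA signature at offset 510.

```python
"""Inspect and sanitise a classic MBR sector (offline, in memory).

Added example for this thread, not the posters' code. Assumes the
classic layout: 446 bytes boot code, 4 x 16-byte partition entries
at offset 446, 0x55AA signature at offset 510.
"""
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PART_TABLE_OFF = 446
PART_TABLE_SIZE = 64
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"
# Partition entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(sector):
    """Return the four partition entries as dicts; reject malformed sectors."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, off)
        entries.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def boot_code_is_blank(sector):
    """True when the 446 boot-code bytes are all zero, i.e. nothing to execute."""
    return not any(sector[:BOOT_CODE_SIZE])


def is_protective_mbr(sector):
    """True when entry 0 is type 0xEE, the protective MBR a GPT disk carries."""
    return parse_partition_table(sector)[0]["type"] == 0xEE


def sanitise_mbr(sector, clear_bootable_flags=True):
    """forest's approach: zero the boot code, keep the partition table.

    With clear_bootable_flags the 0x80 status byte of every entry is reset,
    which is the flag phyrfox points out should not survive either.
    """
    out = bytearray(sector)
    out[:BOOT_CODE_SIZE] = bytes(BOOT_CODE_SIZE)
    if clear_bootable_flags:
        for i in range(4):
            out[PART_TABLE_OFF + i * ENTRY_SIZE] = 0x00
    return bytes(out)


def wipe_mbr(sector):
    """phyrfox's approach: 512 zero bytes, so tools treat the disk as uninitialised."""
    return bytes(MBR_SIZE)


def backup_partition_table(sector):
    """The 64 bytes an `sfdisk` style backup of the table would preserve."""
    return bytes(sector[PART_TABLE_OFF:PART_TABLE_OFF + PART_TABLE_SIZE])


def rebuild_mbr(partition_table):
    """Fresh sector from a saved table: blank boot code + table + signature."""
    if len(partition_table) != PART_TABLE_SIZE:
        raise ValueError("partition table backup must be 64 bytes")
    return bytes(BOOT_CODE_SIZE) + partition_table + SIGNATURE


def build_sample_sector():
    """Constructed input: placeholder NOPs as 'boot code' (not real code), one
    bootable FAT32-LBA (0x0C) partition at LBA 2048 spanning 204800 sectors."""
    boot_code = b"\x90" * BOOT_CODE_SIZE
    entry = struct.pack(ENTRY_FMT, 0x80, 0x0C, 2048, 204800)
    return boot_code + entry + bytes(ENTRY_SIZE * 3) + SIGNATURE


if __name__ == "__main__":
    sector = build_sample_sector()
    print("original boot code blank:", boot_code_is_blank(sector))
    clean = sanitise_mbr(sector)
    print("sanitised boot code blank:", boot_code_is_blank(clean))
    print("partitions after sanitise:", parse_partition_table(clean))
```

The design choice worth noting is that `sanitise_mbr` leaves the signature and partition geometry untouched, so a subsequent `parse_partition_table` still finds the same partition; `wipe_mbr` is the blunt alternative that also discards the table, which is exactly the trade-off the two commenters disagree about.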
0

Well, MBR infections used to be common in the old days of floppy disks, and the common fix was just to reinstall the code of the boot record. Almost all operating systems have an option to (re-)install a brand new boot record on a physical disk without changing the partition information. Look for GRUB for Linux, booteasy for BSD, bootrec or bootsect for Windows. That is enough to re-install the code in the MBR without changing the partition table.

Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84