
ELAM and UEFI


Nazareno


I would like to suggest that the product have the capability of early launch antimalware support. I really don't know if this protection system is already built in; that's why I suggest it. I enclose a fragment of a Kaspersky article where it explains how its solutions work. Thank you very much in advance. Best regards.




ELAM (Early launch antimalware support) and UEFI (Unified Extensible Firmware Interface) support

One of the key security features of Windows 8 is its ability to control core system components during the boot sequence. When the system is loading, Windows compares every system file and app to its signature database, and if it finds an app that is different from the state it is supposed to be in, Windows will stop the boot sequence. Kaspersky Now is tightly integrated with this feature, and our security software is loaded at the beginning of the sequence to ensure that the threat-detection process works and that any problem can be fixed.



I don't know if Malwarebytes leverages this specific functionality or not, however I do know there is an option to have the self-protection driver load early in the boot process (prior to logon, and as far as I know, as early as any drivers are allowed to load on boot).  Beyond that, during remediation/DoR (Delete on Reboot) which is the technology used by Malwarebytes to remove threats when you are prompted to restart your system following a scan or real-time threat detection (at least when necessary for cleanup of the threat, like for cases where the threat is already installed/active), Malwarebytes does load a cleanup driver and script early in the boot process to eliminate the threat before it is able to load into memory and protect or regenerate itself.  The Anti-Rootkit component has a similar capability and will prompt you to allow it to run on system restart if it detects that the system's boot files have been infected with a rootkit so that it may launch earlier in the startup process to load its drivers, run a rootkit scan, kill the threats and cleanup any fallout/damage to the operating system and boot files caused by the rootkit.

Edited by exile360

First, thank you for your answer. But I have a question: does MBAM protect us from boot sector viruses? Thank you very much in advance. Best regards.

A boot sector virus is a type of virus that infects the boot sector of floppy disks or the Master Boot Record (MBR) of hard disks (some infect the boot sector of the hard disk instead of the MBR). The infected code runs when the system is booted from an infected disk, but once loaded it will infect other floppy disks when accessed in the infected computer. While boot sector viruses infect at a BIOS level, they use DOS commands to spread to other floppy disks. For this reason, they started to fade from the scene after the appearance of Windows 95 (which made little use of DOS instructions). Today, there are programs known as ‘bootkits’ that write their code to the MBR as a means of loading early in the boot process and then concealing the actions of malware running under Windows. However, they are not designed to infect removable media.

The only absolute criterion for a boot sector is that it must contain 0x55 and 0xAA as its last two bytes. If this signature is not present or is corrupted, the computer may display an error message and refuse to boot. Problems with the sector may be due to physical drive corruption or the presence of a boot sector virus.


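The quoted description above gives the one hard rule for an MBR-style boot sector: bytes 510 and 511 must be 0x55 0xAA. The following Python script is an added example, not code from this thread or from Malwarebytes or Kaspersky. It decodes a 512-byte sector into its bootstrap code, four partition entries and signature, and reports defensive findings: a missing signature, more than one active partition, and (the bootkit case) bootstrap code whose SHA-256 no longer matches a baseline recorded on a known-good system. The sample sector is constructed inline (a two-byte `jmp $` stub plus zero padding as a stand-in for real boot code, one NTFS-typed partition at LBA 2048); the baseline hash, the corrupted copy and the tampered copy are all derived from it.

```python
"""Parse a 512-byte MBR boot sector and flag integrity problems (added example)."""
import hashlib
import struct
from typing import Optional

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446             # bytes 0..445 hold the bootstrap code
PARTITION_TABLE_OFFSET = 446     # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510           # the last two bytes must be 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Decode an MBR into signature status, bootstrap hash and partition list."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # Entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": sector[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def check_boot_sector(sector: bytes, baseline_sha256: Optional[str] = None) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing or corrupted")
    if baseline_sha256 is not None and info["bootstrap_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from recorded baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition marked active")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample sector: 'jmp $' stub, one active NTFS partition, valid signature."""
    bootstrap = b"\xeb\xfe" + b"\x00" * (BOOTSTRAP_SIZE - 2)   # not real boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 204800)
    empty = b"\x00" * PARTITION_ENTRY_SIZE
    return bootstrap + entry + empty * 3 + BOOT_SIGNATURE


SAMPLE_MBR = build_sample_mbr()
BASELINE_SHA256 = parse_mbr(SAMPLE_MBR)["bootstrap_sha256"]   # as recorded when the system was clean
CORRUPTED_MBR = SAMPLE_MBR[:SIGNATURE_OFFSET] + b"\x00\x00"    # signature destroyed
TAMPERED_MBR = b"\x90" + SAMPLE_MBR[1:]                        # one bootstrap byte changed

if __name__ == "__main__":
    for name, sector in (("clean", SAMPLE_MBR), ("corrupted", CORRUPTED_MBR),
                         ("tampered", TAMPERED_MBR)):
        print(name, check_boot_sector(sector, BASELINE_SHA256) or ["ok"])
```

On a live system the 512 bytes would come from the first sector of the physical disk (which needs administrative raw-device access) or from a disk image; the baseline hash has to be taken while the machine is known to be clean, since the check only detects change, not whether the bootstrap code was ever legitimate. Signature-only checks say nothing about bootkits, which keep the 0x55AA bytes intact; that is why the baseline comparison is the part that matters.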

It does, however, not in any invasive way which might lead to system instability (like intercepting calls to the boot manager or BCDEDIT etc.).  Since rootkits install through Trojans and the like, Malwarebytes targets those threats, and of course the scan engine has rootkit detection and removal capabilities which are fully capable of detecting and removing boot sector infections and other types of low-level (as well as high-level) rootkits.  You can find a lot of valuable info and research on rootkits, as well as technical analysis of several rootkits and rootkit families, on Malwarebytes Labs here.


You're very welcome :)

By the way, I neglected to mention that the anti-rootkit engine in Malwarebytes also has generic rootkit detection heuristics capabilities which allow it to spot rootkit activity, making it capable of detecting even unknown/new/never before seen rootkits (this is in fact one of the ways that they have discovered several new rootkits through capturing samples that way).  It's a very powerful tool, and the Malwarebytes Anti-Rootkit Beta is a standalone tool based on that same anti-rootkit engine and technology which is used for testing out new features and capabilities before integrating them into the main Malwarebytes product/engine.

