Symantec Endpoint Protection (SEP) detects a boot threat but is unable to immediately and automatically clean an infected Master Boot Record (MBR). What should be done?
Risk Logs show Boot.Tidserv, Boot.Cidox, Boot.Malmo or a similar boot-record risk. The Actual Action may be shown as "Left alone" because the requested action (delete) was not valid for an MBR.
An example Risk Report exported from the Symantec Endpoint Protection Management (SEPM) console, with columns removed for clarity:
Computer Name | Source | Risk Name | Occurrences | File Path | Actual Action
COMPUTER1 | Scheduled scan | Boot.Malmo | 1 | Master Boot Record for Physical drive number 0 | Left alone
COMPUTER1 | Manual Scan | Boot.Malmo | 1 | Master Boot Record for Physical drive number 0 | Left alone
SEP is able to automatically repair MBRs damaged by some threats when the computer reboots. Other damaged or infected MBRs require manual action.
Symantec Power Eraser (built into the SymDiag tool) might detect a damaged MBR, but it cannot repair it. To repair an infected MBR, it may be necessary to run a third-party tool such as the Norton Bootable Recovery Tool (NBRT). Afterwards, examine the logs to confirm what action was taken and that the repair was successful.
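To find which computers still need manual MBR remediation across a fleet, the exported Risk Report can be filtered for boot-record detections whose Actual Action is still "Left alone", and the same filter re-run on a later export to confirm the repair. This is an added example, not Symantec code; the comma-delimited layout and the sample rows are constructed for illustration, and only the column names shown on this page are assumed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a SEPM Risk Report export (columns as shown on the page,
# delimiter assumed to be a comma). COMPUTER2/COMPUTER3 rows are made up to show
# what the filter leaves out. Not real data.
SAMPLE_REPORT = """\
Computer Name,Source,Risk Name,Occurrences,File Path,Actual Action
COMPUTER1,Scheduled scan,Boot.Malmo,1,Master Boot Record for Physical drive number 0,Left alone
COMPUTER1,Manual Scan,Boot.Malmo,1,Master Boot Record for Physical drive number 0,Left alone
COMPUTER2,Scheduled scan,Boot.Tidserv,1,Master Boot Record for Physical drive number 0,Cleaned by deletion
COMPUTER3,Manual Scan,Trojan.Gen,2,C:\\Users\\user\\Downloads\\setup.exe,Quarantined
"""


def is_boot_record_detection(row):
    """Boot.* risk names and MBR file paths both indicate a boot-record threat."""
    return (row["Risk Name"].startswith("Boot.")
            or row["File Path"].startswith("Master Boot Record"))


def unresolved_boot_detections(report_text, delimiter=","):
    """Return {computer: set(risk names)} for boot-record detections SEP left alone.

    Repeated detections of the same MBR (scheduled plus manual scan) collapse into
    one entry per computer, which is the unit of manual remediation work.
    """
    reader = csv.DictReader(io.StringIO(report_text), delimiter=delimiter)
    pending = defaultdict(set)
    for row in reader:
        action = row["Actual Action"].strip().lower()
        if is_boot_record_detection(row) and action == "left alone":
            pending[row["Computer Name"].strip()].add(row["Risk Name"].strip())
    return dict(pending)


def repair_confirmed(later_report_text, computer, delimiter=","):
    """True when a follow-up report no longer lists unresolved boot detections
    for the computer, i.e. the post-repair scan shows the MBR was fixed."""
    return computer not in unresolved_boot_detections(later_report_text, delimiter)


if __name__ == "__main__":
    for host, risks in sorted(unresolved_boot_detections(SAMPLE_REPORT).items()):
        print(f"{host}: manual MBR repair needed for {', '.join(sorted(risks))}")
```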
Additional reference for repairing the MBR with Bootrec:
Use Bootrec.exe in the Windows RE to troubleshoot startup issues:
https://support.microsoft.com/en-us/topic/use-bootrec-exe-in-the-windows-re-to-troubleshoot-startup-issues-902ebb04-daa3-4f90-579f-0fbf51f7dd5d