How to Protect Boot Sector from Viruses in Windows NT

ID: Q122221

The information in this article applies to:

Microsoft Windows NT operating system version 3.1
Microsoft Windows NT Advanced Server version 3.1
Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0
Microsoft Windows NT Server versions 3.5, 3.51, 4.0

SUMMARY

When you start your computer with a floppy disk that is infected with a virus, Windows NT is not capable of detecting it, which is true with many operating systems. Some viruses, such as the FORMS virus, may infect the boot sector of your hard disk drive. This article discusses some methods of protecting the boot sector of the hard disk drive from viruses.

MORE INFORMATION

There is a misconception that if the partition of the hard disk drive is NTFS, the information in the partition is secure. NTFS, like other file systems such as File Allocation Table (FAT) and High Performance File System (HPFS), is not recognized until Windows NT starts the service for the file system. The boot sector is separate from the file system in that it is recognized by the system BIOS upon starting the computer.

In order to provide C2 level government security, the environment surrounding the system must meet the same level of security that Windows NT provides. The C2 standard requires physical security, such as locking the computer.

In order to protect your system from any type of virus infection in Windows NT and possibly recover the boot sector of the hard drive, you can do the following:

Remove any floppy disk in drive A after shutting down Windows NT.

Configure the system BIOS to disable floppy disk booting (no floppy seek) or change the order of the boot process to hard drive first.

Configure the system BIOS to enable system password protection.

To possibly fix the boot sector, boot with a MS-DOS system disk and run the following command:

fdisk /mbr

WARNING: If your hard drive was prepared by a third-party disk manager program, such as Ontrack Disk Manager, then the FDISK /MBR command removes the overlay program of that third-party disk manager, such as the Overlay Manager, and the drive no longer boots. Therefore, you must verify that the drive was not partitioned with a third-party disk manager program before using this command.

Run the Repair utility to verify and recover Windows NT boot files.

FDISK/MBR works only on hard disk drives that are within the limitations of DOS. If you are accessing devices that are beyond the 1024 cylinder limit, you will not be able to perform the FDISK/MBR and error code 1762 appears.

If a virus has infected the MBR, you will not be able to run the Emergency Repair Disk until the virus is cleaned. Most virus programs have the same limitation as DOS so you will not be able to run a scan against the hard disk drive; however, DOS 6.22 MSAV.EXE will clean the Master boot record and RAM of the machine.

Additional query words: 3.10 antivirus


Keywords          : kbusage ntsecurity nthowto 
Version           : 3.1 3.5 3.51 4.0
Platform          : winnt 
Issue type        :

Last Reviewed: February 11, 1999