Windows 10: How to check Black lotus bootloader is infected in ESP partition files and other files...

Discussion in 'Windows 10 Software and Apps' started by RAJU.MSC.MATHEMATICS, Oct 29, 2023.

  1. How to check Black lotus bootloader is infected in ESP partition files and other files...


    Technical type: Intermediate. Summary: BlackLotus writes malicious bootloader files to the EFI system partition (ESP) and subsequently locks them to protect them from deletion or tampering. If recently modified and locked files are identified in the ESP on a device, especially those matching known BlackLotus bootloader filenames, these should be considered highly suspect and the devices should be removed from the network to be examined for further evidence of BlackLotus or follow-on activity. In this article, I will explain how to check whether the files are infected or not. 1. Open the Command Prom

     
    RAJU.MSC.MATHEMATICS, Oct 29, 2023
    #1
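
The check summarised in post #1 (recently modified and locked files in the ESP), as an added example that is not part of the original post or of any Microsoft tool. Assumptions: drive letter `S:` is free, "recent" means the last 30 days, "locked" means the file cannot be opened for reading, and `$WatchNames` holds placeholders because the page does not list the known BlackLotus filenames.

```powershell
# Added triage example; run from an elevated PowerShell prompt.
# Assumed values (not from the page): S:, 30 days, placeholder filenames.
$EspDrive   = 'S:'
$RecentDays = 30
$WatchNames = @('<known-bootloader-filename-1>', '<known-bootloader-filename-2>')

function Test-FileLocked {
    # True when the file cannot be opened read-only with permissive sharing.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::ReadWrite)
        $fs.Dispose()
        return $false
    } catch [System.IO.IOException], [System.UnauthorizedAccessException] {
        return $true
    }
}

function Get-EspTriage {
    # One row per ESP file: timestamps, lock state, and watch-list match.
    param([string]$Root, [int]$Days, [string[]]$Names)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $recent = $_.LastWriteTime -ge $cutoff
            $locked = Test-FileLocked -Path $_.FullName
            [pscustomobject]@{
                Suspect   = $recent -and $locked          # the post's core condition
                NameMatch = $Names -contains $_.Name      # raises priority when true
                Locked    = $locked
                LastWrite = $_.LastWriteTime
                Created   = $_.CreationTime
                Path      = $_.FullName
            }
        }
}

mountvol $EspDrive /S          # map the EFI system partition to S:
try {
    Get-EspTriage -Root "$EspDrive\" -Days $RecentDays -Names $WatchNames |
        Sort-Object Suspect, NameMatch, LastWrite -Descending |
        Format-Table -AutoSize
} finally {
    mountvol $EspDrive /D      # always remove the temporary drive letter
}
```

Rows with `Suspect` set to True are the ones the post says to treat as highly suspect. Files touched by a recent Windows update can appear as recent without being locked, so read the two columns together.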

  2. SSD Trim work at ESP(FAT32), MSR(free space) and unallocated partition or not?

    Hello OveDR,

    Good to see you in Microsoft Community.

    SSD Trim works differently depending on the specific scenario:

    1. ESP (EFI System Partition) - TRIM does not apply to the ESP because it is a FAT32 partition and TRIM is specific to file systems like NTFS that support it. However, the ESP typically contains boot files and is not heavily written to, so the impact on SSD performance is minimal.
    2. MSR (Microsoft Reserved Partition) - TRIM does not apply to the MSR because it is an unformatted, reserved partition for Windows. It does not contain a file system or user data.
    3. Unallocated Partition/Free Space - TRIM does not directly apply to unallocated partitions or free space because they do not contain file systems. TRIM is designed to inform the SSD about unused data blocks within a file system so that the SSD can optimize its performance and lifespan. However, when you create a new partition in the unallocated space, the SSD will be aware of the new file system and its TRIM operations will apply to that partition.

    Regarding your specific questions:

    1. When you reduce/move a partition using a Partition Manager, the unallocated partition or free space created should not contain any data that requires TRIM. TRIM is relevant to the file system within a partition, not unallocated space.
    2. Updating Windows or deleting files from the ESP will not trigger TRIM operations. The ESP is typically small and contains essential boot files, which are not frequently modified. Therefore, garbage collection in the SSD's internal firmware will handle any necessary cleanup for the ESP.

    As for your SSD usage:

    Using 2-5GB of writes per day on your SSD can be considered normal (even less than most), especially if you have regular system activity, updates, and some application usage. Windows and system processes, as well as temporary files, logs, and other background activities, contribute to SSD writes. However, if you are concerned about excessive writes, you can check for any specific processes or applications that may be causing high disk activity using performance monitoring tools or resource monitors provided by the operating system.

    If anything is unclear, please do not hesitate to let me know.

    Best Regards,

    | Microsoft Community Support Specialist
     
    Mosken_L - MSFT, Oct 29, 2023
    #2
  3. Corrupted file RAR

    If the archive has been created using WinRAR, why don't you try WinRAR itself? It has a built-in repair feature for repairing corrupted archives (ZIP as well as RAR). Follow the steps given below:
    • Open WinRAR application in your system.
    • Now click on File tab > Open or simply press Ctrl+O.
    • A small window "Find Archive" will pop up. Locate the corrupt RAR archive from your system directory and select it.
    • Now click Open button.
    • Click Tools tab > Repair archive or simply press Alt+R.
    • Again a small window "Repairing File name.rar" will pop up.
    • Now click Browse to select a location to save the repaired archive.
    • Check the box "Treat the corrupt archive as RAR" and click OK.
    • WinRAR will start repairing the corrupt RAR archive. Once it completes, click Close.
    I hope the above steps will help you repair the corrupted RAR archive.

    Thanks.
     
    Lincoln Dunne, Oct 29, 2023
    #3
  4. How to check Black lotus bootloader is infected in ESP partition files and other files...

    Microsoft Safety Scanner > Files Infected count

    There's a bit of a UX problem with the scanner. As it is running it may encounter files that are suspected of being infected but indicate a count as: "Files Infected: XX"

    This suggests the files are infected, and apparently no list of these potentially infected files is provided.

    1. Change the label to "Possible Infected Files"
    2. Write to the msert log the list of possibly infected files for further review/action.
    I say this as I let the tool run for over 3 hours, racking up over 20 "Files Infected". My computer was disconnected from the Internet during the scan. So I was surprised that the files in question were somehow "cleared" despite a lack of Internet connection.

    From the log:

    Results Summary:

    ----------------

    No infection found.

    Failed to submit MAPS report: 0x80072EE7

    Failed to submit clean hearbeat MAPS report: 0x80072EE7

    Microsoft Safety Scanner Finished On Sun Apr 30 13:20:56 2023

    If the suspected files couldn't be submitted, then how were they cleared? Which files were suspected?

    I appreciate the tool, just cannot trust the results.
     
    JasonNeiman, Oct 29, 2023
    #4