Windows Defender removes bootloader from DiskCryptor

    If your system disk is encrypted with DiskCryptor, the system may stop booting after the Windows Defender databases are updated to version 118.1.0.0 of 10.24.2017.

    Defender detects the bootloader as Win32/Tibbar.A and overwrites the MBR. DiskCryptor itself is detected as Trojan:Win32/Rundas.B.

    It is clear that this was done to protect against ransomware that uses DiskCryptor as an encryption tool, for example Mamba Ransomware, but in this case ordinary users who use it as a protection tool suffer.

    You can see the message in the Windows Defender log:

    Windows Defender has detected malware or other potentially unwanted software.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Ransom:DOS/Tibbar.A&threatid=2147724200&enterprise=0
    Name: Ransom:DOS/Tibbar.A
    ID: 2147724200
    Severity: Severe
    Category: Trojan
    Path: boot:_\Device\Harddisk0\DR0\(MBR)\(MBR)
    Detection Origin: Local machine
    Detection Type: Concrete
    Detection Source: System
    User: NT AUTHORITY\SYSTEM
    Process Name: Unknown
    Signature Version: AV: 1.255.60.0, AS: 1.255.60.0, NIS: 118.1.0.0
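A fleet that boots through a third-party full-disk-encryption loader can watch for this kind of event before the next reboot. The following is an added example, not code from the original post: it parses Defender event text in the layout quoted above and reports detections whose resource is a boot sector rather than a file. The path pattern is inferred from the single log entry on this page, and the second sample event is constructed for contrast.

```python
import re

# Sample input: the first event repeats fields from the log quoted above;
# the second is a constructed file detection used as a negative case.
SAMPLE_EVENTS = [
    r"""Windows Defender has detected malware or other potentially unwanted software.
Name: Ransom:DOS/Tibbar.A
ID: 2147724200
Severity: Severe
Path: boot:_\Device\Harddisk0\DR0\(MBR)\(MBR)
Signature Version: AV: 1.255.60.0, AS: 1.255.60.0, NIS: 118.1.0.0""",
    r"""Windows Defender has detected malware or other potentially unwanted software.
Name: Example:Win32/Placeholder
ID: 0
Severity: Low
Path: file:_C:\Temp\sample.bin""",
]

# "Key: value" lines; the key ends at the first colon, so values such as
# "Ransom:DOS/Tibbar.A" or "AV: 1.255.60.0, ..." stay intact.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*)$")
# Boot-sector resource as it appears in the post (assumed general shape).
BOOT_RE = re.compile(r"^boot:_\\Device\\Harddisk(\d+)\\DR\d+\\\((\w+)\)", re.I)


def parse_event(text):
    """Split one Defender event message into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())
    return fields


def boot_sector_hits(events):
    """Return (threat, disk number, boot area, signature version) per hit."""
    hits = []
    for text in events:
        f = parse_event(text)
        m = BOOT_RE.match(f.get("Path", ""))
        if m:
            hits.append((f.get("Name"), int(m.group(1)), m.group(2),
                         f.get("Signature Version")))
    return hits


if __name__ == "__main__":
    for name, disk, area, sig in boot_sector_hits(SAMPLE_EVENTS):
        print(f"disk {disk} {area}: {name} (signatures {sig})")
```

A hit on a disk that is known to carry an encryption bootloader is the cue to verify the boot sector and have recovery media ready before restarting.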




    At the moment, I see no alternatives to the DiskCryptor bootloader, since it allows you to set various actions if the boot password is not entered for a certain time or is entered incorrectly. It also allows you to hide the password request text at boot time. And the process of creating a decoy system is much simpler than in VeraCrypt, for example. If you know an alternative to DiskCryptor with the same functionality, please share in the comments.

    Update: Most likely the addition of DiskCryptor to the anti-virus databases is caused by the appearance of the Bad Rabbit Trojan; see the article on Habr.

    Are you using encrypted partitions?

    • 19.2% (41 votes): Yes, I encrypt all partitions, including the boot partition
    • 24.4% (52 votes): Yes, I encrypt only the data partition
    • 56.3% (120 votes): Why do I need this encryption? I have nothing to hide
