Analyzing Quarantine Files

Published: 2015-07-03
Last Updated: 2015-07-03 09:38:03 UTC
by Didier Stevens (Version: 1)
6 comment(s)

Quarantine files are produced by anti-virus programs. When an anti-virus detects a file (a positive), it takes action. One possible action is to quarantine the detected file: remove it from its original location and store it in a location where it can do no harm.

Quarantine files are a means to handle false positives: if a detection turns out to be a false positive, the file can be recovered from quarantine.

But for an analyst, quarantine files are also interesting in the case of true positives: they allow us to recover and analyze the file. The anti-virus will have a function to restore the quarantined file, but this is not always ideal. For example, on a production server, you don't want to restore malware. Each anti-virus vendor has its own method to contain quarantined files. Many of them use a proprietary file format.

I want to take the opportunity of this diary entry to highlight a tool to handle McAfee quarantine files. On Windows, McAfee quarantine files can be found in the quarantine folder. They have the extension .bup. punbup is a tool written by @herrcore to handle .bup files. It allows you to view the anti-virus report produced for the detection (-d), it can give you the hashes of the quarantined files (-c), and it can also extract them to disk. I have also contributed to this free open-source tool by adding options to dump the quarantined files to screen (-x for a hexdump and -a for an ASCII dump).

You will notice that this Python program requires a module: olefile. That's right, McAfee uses the Compound File Binary Format (aka OLE files) to store quarantined files. So you can also use my oledump tool to work with .bup files; an upcoming diary entry will focus on this.
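Because the container is an OLE file, the report and hashes described above can be read with olefile alone, without restoring anything to disk. The following is an added example, not punbup's or the author's code; the stream names `Details` and `File_N`, the single-byte XOR key 0x6A and the INI layout of the report are details of the .bup format that this page does not state, and the sample streams are constructed.

```python
import configparser
import hashlib

XOR_KEY = 0x6A  # assumption: single-byte XOR key of .bup streams (not stated on the page)


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def parse_details(raw_stream: bytes) -> dict:
    """Decode the 'Details' stream and parse its INI-style detection report."""
    text = xor_decode(raw_stream).decode("utf-8", errors="replace")
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key names as stored instead of lowercasing them
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def hash_payload(raw_stream: bytes) -> dict:
    """Hash a decoded 'File_N' stream in memory, without restoring it to disk."""
    data = xor_decode(raw_stream)
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def read_bup(path: str):
    """Return (report, hashes) for a real .bup; needs the third-party olefile module."""
    import olefile  # imported here so the decoding helpers work without it
    ole = olefile.OleFileIO(path)
    try:
        report = parse_details(ole.openstream("Details").read())
        hashes = {"/".join(entry): hash_payload(ole.openstream(entry).read())
                  for entry in ole.listdir(streams=True, storages=False)
                  if entry[-1].startswith("File_")}
        return report, hashes
    finally:
        ole.close()


# Constructed sample streams (not taken from a real quarantine file).
SAMPLE_DETAILS = xor_decode(b"[Details]\r\nDetectionName=EICAR test file\r\n"
                            b"NumberOfFiles=1\r\n"
                            b"[File_0]\r\nOriginalName=C:\\Users\\analyst\\eicar.com\r\n")
SAMPLE_FILE_0 = xor_decode(b"constructed harmless payload")

if __name__ == "__main__":
    print(parse_details(SAMPLE_DETAILS), hash_payload(SAMPLE_FILE_0))
```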

If you know of tools to process quarantine files from other anti-virus vendors, please post a comment.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: bup quarantine

Comments

Sophos doesn't encrypt its quarantine.

The file is moved to the default location <ProgramData>\Sophos\Sophos Anti-Virus\INFECTED and a suffix is added .nnn where n is a number.

This script has been working well (Linux one) for our use and it requires nothing.
http://blog.opensecurityresearch.com/2012/07/unbup-mcafee-bup-extractor-for-linux.html

For Forefront Endpoint Protection and System Center Endpoint Protection, use this KB article to get hold of quarantined items: https://support.microsoft.com/en-us/kb/2834037

This should normally work with System Center Essentials (Windows 7) and Windows Defender (Windows 8+) as well.

Would be great for anybody doing IR work, if this could be built out to a small knowledge base.

Eric, can you say exactly which Linux script on that page requires no dependencies? Because as far as I can see, they all require 7-zip.

The reason that they all require 7-zip, is that 7-zip can extract streams from OLE files. 7-zip supports MSI files, and MSI files are OLE files.

You are right, it requires 7zip and you are right it is because of ole format.
I just wanted to point out without misleading people that an alternative existed and obviously without discrediting your work.

No problem Eric, the goal of this diary entry is to collect information about tools that handle quarantine files, thanks for your contribution.
