
SANS ISC Internet Storm Center


Analyzing Quarantine Files

Published: 2015-07-03
Last Updated: 2015-07-03 09:38:03 UTC
by Didier Stevens (Version: 1)
6 comment(s)

Quarantine files are produced by anti-virus programs. When an anti-virus program detects a file (a positive), it takes action. One possible action is to quarantine the detected file: remove it from its original location and store it in a quarantine area, a location where it can do no harm (the stored copy is normally transformed so that it is no longer recognized or executable as the original).

Quarantine files are a means to handle false positives: if a detection turns out to be a false positive, the file can be recovered from quarantine.

But for an analyst, quarantine files are also interesting in the case of true positives: they allow us to recover and analyze the detected file. The anti-virus program has a function to restore a quarantined file, but this is not always ideal. For example, on a production server you don't want to restore malware to its original location. Each anti-virus vendor has its own method of containing quarantined files, and many of them use a proprietary file format.

I want to take the opportunity of this diary entry to highlight a tool to handle McAfee quarantine files. On Windows, McAfee quarantine files can be found in the quarantine folder; they have the extension .bup. punbup is a tool written by @herrcore to handle .bup files: it lets you view the anti-virus report produced for the detection (-d), it gives you the hashes of the quarantined files (-c), and it can extract them to disk. I have also contributed to this free, open-source tool by adding options to dump the quarantined files to the screen (-x for a hexdump and -a for an ASCII dump).

You will notice that this Python program requires a module: olefile. That's right, McAfee uses the Compound File Binary Format (aka OLE files) to store quarantined files. So you can also use my oledump tool to work with .bup files; an upcoming diary entry will focus on this.
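As an added illustration of that layout (example code written for this diary, not punbup's or oledump's own code): a .bup is an OLE2 compound file with a "Details" stream holding the detection report as INI text and one "File_N" stream per quarantined object, and every stream is XOR-encoded with the single byte 0x6A. The section and key names used below ([Details] DetectionName, [File_0] OriginalName, and so on) are what such reports usually contain; treat them as assumptions and check the decoded Details text from your own product version. The sample streams are constructed here and are not a real quarantine file.

```python
"""Recover the report and the quarantined sample from a McAfee .bup file.

Added example, not code from punbup or oledump. It relies on the .bup layout
described in the diary (OLE2 container, streams XOR-encoded with 0x6A) and on
the usual section/key names of the Details report, which are assumptions.
olefile (pip install olefile) is needed only to read files from disk.
"""
import configparser
import hashlib
import re

BUP_XOR_KEY = 0x6A  # single-byte XOR applied to every stream in a .bup


def bup_decode(data: bytes) -> bytes:
    """XOR each byte with 0x6A; the operation is its own inverse."""
    return bytes(b ^ BUP_XOR_KEY for b in data)


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a recovered file, for lookups and IOC sharing."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def parse_details(text: str) -> dict:
    """Parse the decoded Details stream (INI syntax) into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (DetectionName, OriginalName, ...)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def analyze_streams(streams: dict) -> dict:
    """streams: {stream name: decoded bytes}. Returns the report and per-file hashes.

    Nothing is written to disk, so this is safe to run against a quarantine
    file copied off a production host.
    """
    details = parse_details(streams["Details"].decode("utf-8", "replace"))
    files = []
    for name in sorted(n for n in streams if re.fullmatch(r"File_\d+", n)):
        meta = details.get(name, {})  # assumed: [File_N] section mirrors the stream
        files.append({"stream": name,
                      "original_name": meta.get("OriginalName"),
                      "size": len(streams[name]),
                      **file_hashes(streams[name])})
    return {"details": details.get("Details", {}), "files": files}


def read_bup(path: str) -> dict:
    """Open a .bup on disk with olefile and return its decoded streams."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        return {"/".join(entry): bup_decode(ole.openstream(entry).read())
                for entry in ole.listdir(streams=True, storages=False)}
    finally:
        ole.close()


# Constructed sample (not a real quarantine file): the streams as they would
# sit inside the OLE container, i.e. already XOR-encoded.
SAMPLE_FILE_CONTENT = b"MZ constructed sample, not malware\r\n"
SAMPLE_DETAILS = (
    "[Details]\r\nDetectionName=Constructed.Test\r\nDetectionType=1\r\n"
    "NumberOfFiles=1\r\nTimeCreated=20150703 09:38:03\r\n"
    "[File_0]\r\nObjectType=5\r\nOriginalName=C:\\Users\\demo\\sample.exe\r\n"
)
SAMPLE_BUP_STREAMS = {"Details": bup_decode(SAMPLE_DETAILS.encode()),
                      "File_0": bup_decode(SAMPLE_FILE_CONTENT)}


def analyze_sample() -> dict:
    """Decode the constructed streams and analyze them like a real .bup."""
    decoded = {name: bup_decode(raw) for name, raw in SAMPLE_BUP_STREAMS.items()}
    return analyze_streams(decoded)


if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) > 1:
        report = analyze_streams(read_bup(sys.argv[1]))  # real .bup from disk
    else:
        report = analyze_sample()
    print(json.dumps(report, indent=2))
```

Run it with the path to a .bup to get the report and hashes as JSON, or without arguments to see the constructed sample. Because the XOR with 0x6A is its own inverse, the same function both encodes and decodes, which is also why the stored copy does not match signature scans while in quarantine.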

If you know tools to process quarantine files from other anti-virus vendors, please post a comment.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: bup quarantine