Analyzing Quarantine Files
Quarantine files are produced by anti-virus programs. When an anti-virus detects a file (a positive), it will take action. A possible action is to put the detected file in quarantine: remove it from its original location and store it in a quarantine location where it can do no harm.
Quarantine files are a means to handle false positives: if a detection turns out to be a false positive, the file can be recovered from quarantine.
But for an analyst, quarantine files are also interesting in case of true positives: they allow us to recover and analyze the file. The anti-virus will have a function to restore the quarantined file, but this is not always ideal. For example, on a production server, you don't want to restore malware. Each anti-virus vendor has its own method of storing quarantined files. Many of them use a proprietary file format.
I want to take the opportunity of this diary entry to highlight a tool to handle McAfee quarantine files. On Windows, McAfee quarantine files can be found in the quarantine folder and have the extension .bup. punbup is a tool written by @herrcore to handle .bup files. It allows you to view the anti-virus report produced for the detection (-d), it can give you the hashes of the quarantined files (-c) and it can also extract them to disk. I have also contributed to this free open-source tool by adding options to dump the quarantined files to the screen (-x for a hexdump and -a for an ASCII dump).
You will notice that this Python program requires a module: olefile. That's right, McAfee uses the Compound File Binary Format (a.k.a. OLE files) to store quarantined files. So you can also use my oledump tool to work with .bup files; an upcoming diary entry will focus on this.
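As an added example (not punbup's code and not part of this diary), here is a small Python reader that does what the paragraph above describes: open the .bup with olefile, decode its streams, parse the detection report and hash the quarantined file without writing it to disk. It assumes the stream names Details and File_0, the single-byte XOR key 0x6A applied to every stream, and an INI-style layout for the Details report; the diary itself does not describe these .bup format details.

```python
"""Minimal reader for McAfee VirusScan .bup quarantine files (added example)."""
import hashlib

# Assumed .bup format details (not described in the diary, taken from the
# punbup/unbup tools): every byte of every stream is XORed with 0x6A, the
# detection report sits in stream "Details" and the quarantined file in "File_0".
BUP_XOR_KEY = 0x6A
DETAILS_STREAM = "Details"
FILE_STREAM = "File_0"


def decode_bup_stream(data: bytes) -> bytes:
    """Undo the single-byte XOR; applying it twice returns the original bytes."""
    return bytes(b ^ BUP_XOR_KEY for b in data)


def parse_details(report: bytes) -> dict:
    """Parse the INI-style Details report into {section: {key: value}} (assumed layout)."""
    sections, current = {}, None
    for raw in report.decode("latin-1").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the quarantined file, comparable to punbup's -c option."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def analyze_bup(path: str) -> dict:
    """Open a .bup with olefile (third-party: pip install olefile) and decode both streams."""
    import olefile  # imported here so the pure-bytes helpers above work without it
    ole = olefile.OleFileIO(path)
    try:
        details = decode_bup_stream(ole.openstream(DETAILS_STREAM).read())
        sample = decode_bup_stream(ole.openstream(FILE_STREAM).read())
    finally:
        ole.close()
    # The sample stays in memory only: report, size and hashes are returned, nothing is written.
    return {"details": parse_details(details), "size": len(sample), "hashes": hashes(sample)}
```

Calling `analyze_bup("sample.bup")` returns the parsed report together with the size and hashes of the quarantined file, which is usually all that is needed to look the detection up before deciding whether to extract it at all.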
If you know tools to process quarantine files from other anti-virus vendors, please post a comment.
Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
Comments
The file is moved to the default location <ProgramData>\Sophos\Sophos Anti-Virus\INFECTED and a suffix .nnn is added, where n is a number.
Anonymous
Jul 3rd 2015
9 years ago
http://blog.opensecurityresearch.com/2012/07/unbup-mcafee-bup-extractor-for-linux.html
Anonymous
Jul 3rd 2015
9 years ago
This should normally work with System Center Essentials (Windows 7) and Windows Defender (Windows 8+) as well.
Would be great for anybody doing IR work, if this could be built out to a small knowledge base.
Anonymous
Jul 3rd 2015
9 years ago
The reason that they all require 7-zip, is that 7-zip can extract streams from OLE files. 7-zip supports MSI files, and MSI files are OLE files.
Anonymous
Jul 3rd 2015
9 years ago
I just wanted to point out, without misleading people, that alternatives existed, and obviously without discrediting your work.
Anonymous
Jul 3rd 2015
9 years ago