
SANS ISC InfoSec Handlers Diary Blog



Getting viruses out of the AVG virus vault

Published: 2006-02-19
Last Updated: 2006-02-19 20:37:17 UTC
by donald smith (Version: 1)
Recently, I needed to explain to someone how to get a virus out of the virus vault included in the free version of AVG anti-virus for submittal so I could analyze it. For additional information on the free version of AVG, try their forum: http://forum.grisoft.cz/

Here are the steps I documented.
I loaded a test virus named EICAR on my system to work out the details. It's not really a virus: it will not spread, infect or damage your computer. Rather, it's a 68-byte ASCII string that nearly every antivirus product recognizes, by agreement, as if it were a virus, which makes it a safe stand-in for a real sample while you practise the procedure.
More information on EICAR is available here: http://www.eicar.org/anti_virus_test_file.htm

This process includes disabling portions of your antivirus software. Don't forget to re-enable it, and I would recommend you disconnect from ALL networks while your AV scanner is disabled.
AVG's virus vault is a hidden folder in the root of the C: drive.
It's called C:\$VAULT$.AVG.


Steps to export viruses from the AVG vault for analysis.

 1: Create a directory to store the files in.
 2: Open AVG.
 3: Select the virus vault.
 4: Click on the virus you wish to restore.
 5: Choose restore; this will prompt you for the directory to restore the virus into.
 6: Select the directory created in step 1.
 7: AVG will alert again if it's in active monitoring mode. Choose continue.
 8: Turn off AVG resident shield protection if you plan to package the viruses up for submittal for malware analysis.
 9: Select the AVG resident shield and unselect "turn on avg resident shield protection", then click apply.
     Remember to turn resident shield back on as soon as you're done with the virus.

 Steps to package up a directory of infected files for submittal for malware analysis.

 1: Open WinZip.
     If it's not installed you can get a 45-day trial version here: http://www.winzip.com/.
     If you use it for more than 45 days, please pay for it.
     I wrote these directions assuming you chose classic WinZip, not the wizard, during installation.
 2: Select New.
 3: Select a filename and location. C:\bad is the one I used. This is where the zip file will be created.
 4: In the options portion, select the box that says "encrypt added files".
 5: In the "look in" bar, go to the directory you saved the virus in (e.g. infected).
 6: Type a password. You will have to verify it. Any of the encryption options is usually acceptable. "infected" is the
     password most commonly used by anti-virus vendors and malware analysis professionals.
     Note that the password is not there for secrecy: everyone in the field knows it. Its job is to keep mail gateways and
     desktop scanners along the way from detecting, stripping or deleting the sample before the analyst receives it, and to
     stop anyone from opening the file by accident. Include the file's hash (MD5 or SHA-1, these days SHA-256) in the
     accompanying message so the recipient can confirm they got the right sample.
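Everything above is WinZip GUI clicking, so there is nothing on the page to run, but the packaging convention itself can be scripted. Below is an added example, written for this page and not taken from the original diary, AVG or WinZip, that builds a password-protected zip the way vendors expect: the entry is encrypted with ZipCrypto (the legacy "Zip 2.0" option in WinZip) under the password infected, using the EICAR string as a stand-in sample. It then verifies the archive with Python's standard zipfile module, which can decrypt ZipCrypto but cannot write it, which is why the cipher and the zip container headers are written out by hand. The entry name eicar.com, the output filename eicar_infected.zip and the fixed (non-random) filler bytes in the encryption header are my choices, not anything the page specifies.

```python
"""Package a sample for AV submission: ZipCrypto-encrypted zip, password "infected".

Added example, not part of the original diary. Uses the EICAR test string as the
"sample" so it is safe to run anywhere. Entry name and output path are assumptions.
"""
import hashlib
import io
import struct
import zipfile
import zlib

# Canonical EICAR test string (http://www.eicar.org/): harmless, but flagged by
# virtually every AV engine, so it behaves like a real sample in transit.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# CRC-32 table (polynomial 0xEDB88320); the ZipCrypto key schedule is built on it.
_CRCTAB = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


def _crc32_byte(crc, b):
    return _CRCTAB[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Traditional PKWARE encryption (APPNOTE section 6.1), encrypt direction."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _keystream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plaintext):
        out = bytearray()
        for p in plaintext:
            out.append(p ^ self._keystream_byte())
            self._update(p)  # the keys advance on the PLAINTEXT byte
        return bytes(out)


def build_sample_zip(name, data, password=b"infected"):
    """Return the bytes of a zip holding `data` as entry `name`, stored
    (uncompressed) and ZipCrypto-encrypted under `password`."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes plus the CRC high byte, which
    # readers use as a quick wrong-password check. Filler is fixed here for
    # reproducibility; real tools use random bytes.
    header = bytes(11) + bytes([(crc >> 24) & 0xFF])
    enc = ZipCrypto(password).encrypt(header + data)
    name_b = name.encode("ascii")
    flags, method, mtime, mdate = 0x0001, 0, 0, 0x21  # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, mtime, mdate,
                        crc, len(enc), len(data), len(name_b), 0) + name_b
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          mtime, mdate, crc, len(enc), len(data), len(name_b),
                          0, 0, 0, 0, 0, 0) + name_b
    cd_offset = len(local) + len(enc)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + enc + central + eocd


def extract_sample(zip_bytes, name, password):
    """Round-trip check with the standard library, which can READ ZipCrypto.
    Raises RuntimeError (header check) or BadZipFile (CRC) on a wrong password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if not zf.getinfo(name).flag_bits & 0x1:
            raise ValueError("entry is not marked encrypted")
        return zf.read(name, pwd=password)


def sample_manifest(data):
    """Hashes to quote in the submission e-mail next to the archive."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    archive = build_sample_zip("eicar.com", EICAR)
    with open("eicar_infected.zip", "wb") as fh:  # assumed output path
        fh.write(archive)
    assert extract_sample(archive, "eicar.com", b"infected") == EICAR
    print("wrote eicar_infected.zip,", len(archive), "bytes")
    for alg, digest in sample_manifest(EICAR).items():
        print(f"{alg}: {digest}")
```

ZipCrypto is cryptographically weak (known-plaintext attacks on it have been public since the 1990s), and that is fine for this purpose: the password is public anyway, and the archive exists so that scanners between you and the analyst do not detect or delete the sample, not to keep it confidential. If confidentiality matters, use AES zip encryption or an out-of-band key and send the hashes separately.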
