We were recently requested to analyse a sample that was quarantined by GFI Cloud anti-virus. Based on our previous experiences with various anti-virus products we wanted to obtain the sample directly from the quarantine rather than restoring it first. Anti-virus products use quarantine files to safely store files that were detected as being malicious and thus are deleted (or cleaned). Usually, the content of the original (malicious) files is encoded before these are stored in a quarantine file.
These quarantine files are in the first place useful to restore files that were falsely detected as being malicious. From an analyst point of view, these quarantine files are particularly handy to determine if the file is indeed malicious or if it was erroneously quarantined.
When analysing a file that was detected and quarantined by anti-virus, we have found it to be preferable to try to extract the file directly from the quarantine file rather than through the anti-virus management console for three main reasons:
- Restoring the quarantine file via the anti-virus management console could expose us to the risk of inadvertently opening the potentially malicious file;
- Some anti-virus products will no longer protect us against a file restored from quarantine, therefor it is best only to restore false positives;
- The restoring operation through the anti-virus software could also destroy metadata that is created on the quarantined file.
Additionally, malware analysts are typically not the people who would also administer the anti-virus solution. Grabbing these files directly from the quarantine allows the authorised administrators to safely provide potential malicious files to the malware analysts.
GFI Cloud anti-virus quarantine files are stored inside the following folders:
C:\ProgramData\GFI Software\AntiMalware\Quarantine C:\Users\All Users\GFI Software\AntiMalware\Quarantine
For each quarantined file, 2 files are created in the with the following structure:
The first file is an XML file containing metadata, such as the MD5 hash of the quarantined file and the original name and location of the file:
The second file contains the encoded, quarantined file (this file is referenced in the XML file):
The encoding used in this quarantine file is simple: each byte is XORed with value 0x33:
When a quarantined file is restored via the GFI management console, the 2 corresponding quarantine files .xml and _ENC2 are deleted and the original file is restored.
Concluding, when you are asked to analyse a sample that has been quarantined by an anti-virus product, we recommend to use the quarantine files directly for analysis, rather than restoring the quarantined file through the anti-virus management console. Using the metadata file you can easily grab the MD5 hash of the sample, and look it up on scanning services like VirusTotal. If the file can not be found there, then decode the _ENC2 file and start analysing it in a malware lab.