Publications

Fill 4

ERNW White Paper 71

Analysis of Anti-Virus Software Quarantine Files

Anti-virus software (AV software) is a type of computer software that tries to identify malicious software and to prevent it from running. Since anti-virus software may wrongfully identify harmless files as malicious (false positives), AV software makes use of quarantining files. If a file is put into quarantine by an AV software, the AV software removes the original suspected malicious file and stores a modified obfuscated version in another location.

In this paper, the quarantine files of different AV software solutions were analyzed. The encryption and obfuscation methods were documented (including encryption keys) and parsers created using Kaitai Struct.



Newsletter sign up

Get the latest news about technical topics within the IT-Security Community and a lot of special insights. Sign up now for our Newsletter at ernw.de:


Talks and Conferences arround the world


September 08, 2025

Disclosure: Authentication Bypass in VERTIV Avocent AutoView (Version 2.10.0.0.4736)

The VERTIV Avocent AutoView switches are analog keyboard, video, and mouse (KVM) switches used in data center servers. They also expose a web server in the network, which allows for some configuration. During a penetration test for a customer, a device of this type was identified in the infrastructure and analyzed, revealing an authentication bypass […]

September 02, 2025

Vulnerability Disclosure: Stealing Emails via Prompt Injections

With the rise of AI assistance features in an increasing number of products, we have begun to focus some of our research efforts on refining our internal detection and testing guidelines for LLMs by taking a brief look at the new AI integrations we discover. Alongside the rise of applications with LLM integrations, an increasing […]

August 29, 2025

Windows Hello for Business – Faceplant: Planting Biometric Templates

We are back from Black Hat USA, where we presented our research on Windows Hello for Business (Slides) once more. In the last two blog posts, we have discussed the architecture of WHfB and past attacks, as well as how the database works and how to swap identities in the database.

August 14, 2025

#TROOPERS25 AD & Entra ID Security Track

The #TROOPERS25 ‘AD & Entra ID Security’ track was a blast – as was the whole conference 😉 –  bringing together some of the smartest researchers in the field and a great audience of practitioners willing to share their experiences during the roundtable. The slides of the talks have been released in the interim on […]

July 28, 2025

Setting up Secure Boot on Gentoo Linux

The purpose of this blog post is to explain how Secure Boot works. In particular, we will explain where current implementations of Secure Boot by Linux distributors fall short compared to Microsoft Windows and Apple macOS. Major distributors like Canonical, Debian, openSUSE, and Red Hat place a high priority on making their operating systems work […]

ERNW Research ERNW Research articles on our company blog