Publications


ERNW White Paper 71

Analysis of Anti-Virus Software Quarantine Files

Anti-virus software (AV software) is a type of computer software that tries to identify malicious software and to prevent it from running. Because AV software may wrongfully identify harmless files as malicious (false positives), it quarantines suspicious files. When a file is put into quarantine, the AV software removes the original suspected malicious file and stores a modified, obfuscated version of it in another location.

In this paper, the quarantine files of different AV software solutions were analyzed. The encryption and obfuscation methods were documented (including encryption keys), and parsers for the quarantine formats were created using Kaitai Struct.





September 09, 2024

Announcement: Progress / Kemp LoadMaster CVE-2024-7591

Hey everybody, during a recent Red Teaming engagement Marius Walter from ERNW found a command injection issue in Progress (Kemp) LoadMaster. It was registered as CVE-2024-7591 and scores a CVSS of 10.0. The vendor already has patches out; make sure to apply them, as this is a highly severe issue. You can find the official […]

September 03, 2024

Disclosure: Potential Limitations of Apple ADE in Corporate Usage Scenarios

Apple Automated Device Enrollment (ADE) is presented as a way to automate and simplify the enrollment process of Apple devices within Mobile Device Management (MDM) solutions. This blog post is aimed at organizations currently planning or already using this feature, and makes you, the reader, aware of potential limitations of this process that might […]

August 20, 2024

CrowdStrike: What is the worldwide BSOD all about?

This article is about the massive BSOD triggered by CrowdStrike worldwide on July 19. Analysis and information from CrowdStrike and other sources are published regularly, complementing what is expressed here. Updates may also be provided in the future.

August 09, 2024

Disclosure: Apple ADE – Network Based Provisioning Bypass

Mobile Device Management (MDM) solutions are used to centrally manage mobile devices in corporate environments. This includes monitoring the device, automatically installing or removing apps and certificates, and restricting its functionality. Even though MDM solutions exist for multiple vendors, we will look specifically at Apple devices enrolled via Intune. When an Apple device is […]

June 21, 2024

BMBF UNCOVER – Monitoring of Security Incidents in Vehicles

English Abstract: For the realization and introduction of autonomous vehicles, the safe interaction of functions, systems and services, as well as their monitoring over the entire product life cycle, is essential. An exclusively security-by-design approach is no longer sufficient and must be continuously supported by feedback obtained from in-the-wild operation. This is where the recently […]
