Fill 4

ERNW White Paper 71

Analysis of Anti-Virus Software Quarantine Files

Anti-virus software (AV software) is a type of computer software that tries to identify malicious software and to prevent it from running. Since anti-virus software may wrongfully identify harmless files as malicious (false positives), AV software makes use of quarantining files. If a file is put into quarantine by an AV software, the AV software removes the original suspected malicious file and stores a modified obfuscated version in another location.

In this paper, the quarantine files of different AV software solutions were analyzed. The encryption and obfuscation methods were documented (including encryption keys) and parsers created using Kaitai Struct.

Newsletter sign up

Get the latest news about technical topics within the IT-Security Community and a lot of special insights. Sign up now for our Newsletter at

Talks and Conferences arround the world

June 21, 2024

BMBF UNCOVER – Monitoring von Sicherheitsvorfällen in Fahrzeugen

English Abstract For the realization and introduction of autonomous vehicles, the safe interaction of functions, systems and services as well as their monitoring over the entire product life cycle is essential. An exclusive security-by-design approach is no longer sufficient and must be continuously supported by feedback obtained from in-the-wild operation. This is where the recently […]

June 14, 2024

TROOPERS24 Agenda Preview: Active Directory & Entra ID Security Track

Hi, are you curious about the agenda of the Active Directory- & Entra ID security track at TROOPERS24? Here’s a sneak peak of the already published tracks:

May 22, 2024

Security Advisory: Achieving PHP Code Execution in ILIAS eLearning LMS before v7.30/v8.11/v9.1

During my Bachelor’s thesis, I identified several XSS vulnerabilities and a PHP Code Execution vulnerability via an insecure file upload in the learning management system (LMS) ILIAS. The XSS vulnerability can be chained with the code execution vulnerability so that attackers with tutor privileges in at least one course can perform this exploit chain.

May 14, 2024

Linux Character Devices: Exploring systemd-run and pkexec

In this blog post, we quickly look into issues involving character devices. As is typical for Linux, everything is a file, so character devices are referenced as files, such as pseudo terminals (pts) under /dev/pts/. man pty briefly introduces the topic. Essentially, it is used to connect a program, such as a terminal emulator, to […]

May 03, 2024

Is Google Play Protect a Reliable Defense Mechanism?

Google Play Protect is a built-in Android solution that enhances devices’ security. Its main job is to detect and block malware on Android devices. Several malware families were known for bypassing Play Protect checks in recent years. This brings us to an important question: “Is Google Play Protect a Reliable Defense Mechanism?”. This blog post […]

ERNW Research ERNW Research articles on our company blog