Anti-virus software (AV software) is a type of computer software that tries to identify malicious software and to prevent it from running. Since anti-virus software may wrongfully identify harmless files as malicious (false positives), AV software makes use of quarantining files. If a file is put into quarantine by an AV software, the AV software removes the original suspected malicious file and stores a modified obfuscated version in another location.
In this paper, the quarantine files of different AV software solutions were analyzed. The encryption and obfuscation methods were documented (including encryption keys) and parsers created using Kaitai Struct.
Get the latest news about technical topics within the IT-Security Community and a lot of special insights. Sign up now for our Newsletter at ernw.de:
When you’re analyzing web applications as a pentester or reading pentest reports about web applications, you will often see findings regarding cookies missing certain security flags. The Set-Cookie HTTP header and the JavaScript document.cookie API allow to use, for example, the flags Secure, Path, and Domain. Common audit and pentest tools will tell you when your web application does […]
We recently conducted a security assessment of VMware Carbon Black Cloud, a unified SaaS solution that integrates endpoint detection and response (EDR), anti-virus, and vulnerability management capabilities. As part of our evaluation, we tested the solution’s ability to detect and prevent malicious activity on Windows and Linux systems. Our analysis focused on the Carbon Black […]
As part of our research into the Auracast feature set in Bluetooth, we also started looking into vendor implementations. At the time we started with our research, there weren’t a lot of products on the market yet. But new products are coming out pretty frequently now. One of the vendors that had Auracast implemented pretty […]
Recently, one of our customers contacted us to investigate the extent of some unwanted and unexpected behavior regarding browsing data of employees. Employees started contacting IT support because private browser bookmarks, private login credentials etc. showed up on their work machines. All affected employees stated that they never created these bookmarks on work systems. And […]
In a recent incident response project, we had the chance to virtually look over the attackers’ shoulder and observe their activities. The attackers used the Remote Desktop Protocol (RDP) for lateral movement within the compromized environment and beyond (MITRE techniques T1570, T1021). As a matter of fact, RDP creates cache files that contain tiles of […]