Publications

Fill 4

ERNW White Paper 71

Analysis of Anti-Virus Software Quarantine Files

Anti-virus software (AV software) is a type of computer software that tries to identify malicious software and to prevent it from running. Since anti-virus software may wrongfully identify harmless files as malicious (false positives), AV software makes use of quarantining files. If a file is put into quarantine by an AV software, the AV software removes the original suspected malicious file and stores a modified obfuscated version in another location.

In this paper, the quarantine files of different AV software solutions were analyzed. The encryption and obfuscation methods were documented (including encryption keys) and parsers created using Kaitai Struct.



Newsletter sign up

Get the latest news about technical topics within the IT-Security Community and a lot of special insights. Sign up now for our Newsletter at ernw.de:


Talks and Conferences arround the world


September 12, 2023

Breaking DPD Parcel Tracking

This blog post is the continuation of our parcel research. We already reported about how we broke parcel tracking at DHL and the disclosure process of the identified problems. As DHL is not the only parcel service in Germany, we also investigated the other available parcel services. In this blog post, we want to talk […]

September 06, 2023

Identification of (malicious) modifications in memory-mapped image files

I’m happy to announce the publication of the paper Windows memory forensics: Identification of (malicious) modifications in memory-mapped image files at this years DFRWS USA, and the release of the corresponding volatility plugin. With this research came also an update to the Ptenum family (affecting especially the ptemalfind plugin), which makes the plugins reliable in […]

August 02, 2023

Select * from OpenStack – A Steampipe Plugin for OpenStack

Although, more and more companies start to move their IT-Infrastructure from on-premise to public cloud solutions like Amazon Web Services (AWS) and Microsoft Azure, public cloud providers are not an option for every organization. This is where private cloud platforms come into play as they give organizations direct control over their information, can be more […]

July 11, 2023

All your parcel are belong to us – Talk at Troopers 2023

At Troopers 2023, we gave a talk on how to attack DHL parcel tracking information based on OSINT. Since we previously had an exemplary disclosure process about this attack with DHL, Mr. Kiehne (from DHL) joined us to provide interesting background information and insights on how they addressed our findings.

June 21, 2023

The DRACO Stream Cipher

In symmetric-key cryptography, we typically distinguish two types of encryption schemes: block ciphers and stream ciphers. Block ciphers divide a plaintext into blocks of a fixed size (e.g., 64 or 128 bits) and encrypt one such block of data as a whole. Stream ciphers, on the other hand, consider the plaintext as a continuous stream […]

ERNW Research ERNW Research articles on our company blog