Publications


ERNW White Paper 71

Analysis of Anti-Virus Software Quarantine Files

Anti-virus software (AV software) tries to identify malicious software and prevent it from running. Because AV software may wrongly classify harmless files as malicious (false positives), it usually quarantines suspected files instead of deleting them outright. When a file is quarantined, the AV software removes the original from its location and stores a modified, obfuscated copy elsewhere, from which the file can be restored if the detection turns out to be a false positive.

In this paper, the quarantine files of several AV solutions were analyzed. The encryption and obfuscation methods used by each product, including the keys, were documented, and parsers for the formats were created using Kaitai Struct.
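To make the recovery step concrete, here is an added example that is not part of the white paper or of any product: a hypothetical quarantine container (magic, version, original path, detection name, SHA-256 of the original, length, and a payload obfuscated with a static repeating XOR key) together with a hand-written parser that reverses the obfuscation and checks the hash. The layout, the magic value `QFMT`, the key and the sample payload are all invented for illustration; real products use their own formats and keys, which is exactly what the paper documents. The paper's parsers were generated from Kaitai Struct definitions; the plain `struct`-based parser below does the same job without that dependency.

```python
"""Hypothetical AV quarantine container: build one, then parse and
de-obfuscate it the way an analyst recovers a quarantined sample.
The format is invented for illustration only; real products differ."""
import hashlib
import struct

MAGIC = b"QFMT"                      # hypothetical magic, not a real product's
XOR_KEY = bytes.fromhex("5aa5c33c")  # hypothetical static obfuscation key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_quarantine_file(original: bytes, original_path: str, detection: str) -> bytes:
    """Writer side: what the (hypothetical) AV engine would emit when it
    moves a detected file into quarantine. Used here to construct test data."""
    path_b = original_path.encode("utf-8")
    det_b = detection.encode("utf-8")
    header = MAGIC + struct.pack("<H", 1)                      # version 1
    header += struct.pack("<H", len(path_b)) + path_b           # original location
    header += struct.pack("<H", len(det_b)) + det_b             # detection name
    header += hashlib.sha256(original).digest()                 # hash of the original
    header += struct.pack("<I", len(original))                  # payload length
    return header + xor_bytes(original, XOR_KEY)                # obfuscated payload


def parse_quarantine_file(blob: bytes) -> dict:
    """Reader side: parse the container and recover the original bytes.
    Every length field is bounds-checked before use, so a truncated or
    tampered file raises ValueError instead of silently returning garbage."""
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(blob):
            raise ValueError("truncated quarantine file at offset %d" % off)
        chunk = blob[off:off + n]
        off += n
        return chunk

    if take(4) != MAGIC:
        raise ValueError("bad magic")
    (version,) = struct.unpack("<H", take(2))
    if version != 1:
        raise ValueError("unsupported version %d" % version)
    (plen,) = struct.unpack("<H", take(2))
    original_path = take(plen).decode("utf-8")
    (dlen,) = struct.unpack("<H", take(2))
    detection = take(dlen).decode("utf-8")
    stored_hash = take(32)
    (size,) = struct.unpack("<I", take(4))
    recovered = xor_bytes(take(size), XOR_KEY)
    if off != len(blob):
        raise ValueError("trailing bytes after payload")
    return {
        "version": version,
        "original_path": original_path,
        "detection": detection,
        "data": recovered,
        # False means the payload was modified after quarantining (or the key is wrong)
        "hash_ok": hashlib.sha256(recovered).digest() == stored_hash,
    }


# Constructed sample: a harmless stand-in for a quarantined executable
SAMPLE_ORIGINAL = b"MZ" + b"\x90" * 14 + b"This is a constructed test payload, not malware.\n"
SAMPLE_BLOB = build_quarantine_file(
    SAMPLE_ORIGINAL, r"C:\Users\alice\Downloads\invoice.exe", "Test.Sample.A"
)

if __name__ == "__main__":
    rec = parse_quarantine_file(SAMPLE_BLOB)
    print(rec["original_path"], rec["detection"], rec["hash_ok"], len(rec["data"]))
```

The important habit is the one in `parse_quarantine_file`: verify the stored hash after de-obfuscation. With a static key, a successful XOR tells you nothing; a matching hash tells you the recovered bytes are what the engine quarantined, which is what you need before the sample goes into a malware analysis pipeline.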





Talks and Conferences around the world


October 20, 2025

MCTTP 2025 / Keynote

Three weeks ago, I attended MCTTP 2025 in Munich, organized by Vogel IT and curated by the fine folks Florian Hansemann, Dr. Marc Maisch, and Florian Oelmaier. Awesome event with some very cool talks, and great conversations over dinner and most notably at the Oktoberfest on Saturday (thanks again for that special trip, Flo!). I had […]

October 02, 2025

Release of ERNW White Paper 73: Analyzing WinpMem Driver Vulnerabilities

Today we are releasing a new white paper that delivers a technical analysis of security weaknesses discovered in WinpMem, an open-source Windows memory acquisition driver widely used in digital forensics.

September 08, 2025

Disclosure: Authentication Bypass in VERTIV Avocent AutoView (Version 2.10.0.0.4736)

The VERTIV Avocent AutoView switches are analog keyboard, video, and mouse (KVM) switches used in data center servers. They also expose a web server in the network, which allows for some configuration. During a penetration test for a customer, a device of this type was identified in the infrastructure and analyzed, revealing an authentication bypass […]

September 02, 2025

Vulnerability Disclosure: Stealing Emails via Prompt Injections

With the rise of AI assistance features in an increasing number of products, we have begun to focus some of our research efforts on refining our internal detection and testing guidelines for LLMs by taking a brief look at the new AI integrations we discover. Alongside the rise of applications with LLM integrations, an increasing […]

August 29, 2025

Windows Hello for Business – Faceplant: Planting Biometric Templates

We are back from Black Hat USA, where we presented our research on Windows Hello for Business (Slides) once more. In the last two blog posts, we have discussed the architecture of WHfB and past attacks, as well as how the database works and how to swap identities in the database.

ERNW Research: articles on our company blog