0

I'm working on a documentation of an IT system and I want to describe what is happening, when McAfee finds and quarantines a suspicious file. I have read the many questions on quarantining, but all the answers given, talk about quarantine in general and do not mention the functionality of a given software. I also read through some bit of McAfee documentation and searched online, but couldn't find a proper description so far.

I'm interested in client and/or server based software. I guess the functionalities should be the same.

To be clear, I'm interested in the specific processes that are initiated when a file is quarantined. If a file is encrypted, what algorithm is used. If a file is isolated, how is that done. The whole shebang.

If there is no answer to the question in the title, it would be nice to know, if basically all AV software uses the same mechanisms when quarantining a file. (But still, which ones exactly.)

Anders
  • 64,406
  • 24
  • 178
  • 215
Tom K.
  • 7,913
  • 3
  • 30
  • 53

1 Answers1

3

See here - https://kc.mcafee.com/corporate/index?page=content&id=KB72755&pmv=print

Quarantined files (.BUP format) are an archive file containing two files - the quarantined file "file_0" and a details file containing the original file name / location.

Both have their data xor'd with the key 0X6A.

When quarantining McAfee will kill the running process then xor/archive the file to ensure it cannot be executed (without knowledge of the McAfee archieve process).

Hector
  • 10,893
  • 3
  • 41
  • 44
  • 1. It seems that this resource is from 2011. 2. This is not really specific. My question is about the specific processes that are initiated when a file is quarantined. – Tom K. Nov 08 '17 at 15:03
  • Updated the answer with a source from 2016. The process appears not to have changed since at least 2010. Which makes sense - the only time there would ever be a reason to change it would be if there was evidence of malware capable of reversing it. – Hector Nov 08 '17 at 15:13
  • @Tom - I also query why you are documenting to this level. Antivirus normally automatically updates itself. Documenting implementation details like this becomes out of date / wrong fast and achieves next to nothing. – Hector Nov 08 '17 at 15:21
  • Thanks, this was helpful, although it does not explain how the files are isolated. Your search skills are obviously far superior than mine. ;) On why I document this: One reason is, that it is interesting for us, because we want to identify possible attack vectors. For instance: To me it seems not particularly helpful that the encryption key is public. But this is a bit too complex to go further into. – Tom K. Nov 08 '17 at 15:37
  • @Tom - Zipping and xoring them does isolate them. They are moved to a format the system does not understand - so cannot be executed. Also not publishing the encryption key wouldn't help - It has to be stored somewhere in a readable format for McAfee to use it. If you have knowledge of McAfee and can get a process running as admin/root you have full control of the system - whether AV is present or not. AVs primary purpose is to stop the process ever executing in the first place. – Hector Nov 08 '17 at 15:41
  • Ah, okay. True. When I read 'isolating', I was thinking of some form of sandbox or some other way to cut the quarantine folder off for other software. About the key: my thoughts were going into another direction. Let's say a malicious user managed to get a virus onto one or several machine(s). S/he has no admin/root privileges. S/he wouldn't be able to start McAfee or use the QM, but would maybe be able to decrypt the file if it is quarantined. This is rather theoretical (*and off topic*), but it's possible. And these are the things we are looking at. :) – Tom K. Nov 08 '17 at 15:53
  • @Tom - The files will almost certainly only have read/write permission for the mcafee service user. But if you have admin/root or system you can give it to yourself - hence why admin is end game. Also worth noting in theory the moment the file is decrypted it should be picked up and re-quarantined by McAfee. – Hector Nov 08 '17 at 15:57