4

MalwareBytes has the ability to quarantine, or, to quote MB:

> At that time, they were removed from the disk location where they were stored, placed in quarantine, and modified so that they could not pose a threat to your computer.

  1. What exactly does MalwareBytes do so that a file "could not pose a threat"? What I'm looking for are the technical details of how it's done.
  2. Is it possible for malware to indicate to MalwareBytes that it's quarantined when in fact it isn't?
While I don't know exactly how MalwareBytes does it, AV usually quarantines by encoding the file, simply by reversibly converting it into a format which cannot be executed by accident. It's no more sophisticated than that. Think of it like putting it in a zip, but instead of a format that is widely supported, it's a format specific to the AV. [This answer](https://security.stackexchange.com/a/120050/165253) explains how it's done by Kaspersky. See also [here](https://security.stackexchange.com/q/129097/165253) and [here](https://security.stackexchange.com/q/64443/165253) for more information. – forest Jun 15 '18 at 03:06

2 Answers

1

To extend the answer to "Can malware be dangerous even when quarantined?":

AV quarantine serves as:

  1. Audit zone: lets the user audit the file and decide whether to send the potentially malicious file to the AV company for further inspection. You shouldn't send an infected document if you think the document itself contains sensitive data.

  2. False positives do happen: you can recover the file from quarantine and may choose to report the false positive or add the file to the exception list inside the AV.

  3. It is packed and encrypted in a non-executable format, inaccessible to ordinary decompression tools. This prevents redundant detection and also abuse by malware. Nevertheless, depending on the AV implementation, the quarantine folder should not become an "exception safe haven" where malware (if it discovers the folder) can hide its payload.

mootmoot
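The following is an added example, written for this thread in Python; it is not MalwareBytes', Kaspersky's or any vendor's code, and the container layout and names (the `QRNT` magic, `QuarantineStore`, `looks_executable`, `run_demo`) are hypothetical. It shows the mechanics forest's comment and point 3 of the answer above describe: the suspect file is moved out of its original path, its bytes are reversibly transformed (XOR with a random per-file key, standing in for a vendor-specific cipher) so the stored blob carries no executable header and is useless to ordinary unpacking tools, and a small header records the original path and SHA-256 so a false positive can be restored bit-for-bit, with the hash checked on the way back.

```python
"""Toy AV quarantine store (added example; hypothetical format, not a vendor's)."""
import hashlib
import json
import os
import secrets
import struct
import tempfile
from pathlib import Path
from typing import Optional

MAGIC = b"QRNT"                      # hypothetical container magic
HDR_LEN = struct.Struct(">I")        # big-endian length of the JSON header
EXEC_MAGICS = (b"MZ", b"\x7fELF", b"#!", b"\xcf\xfa\xed\xfe")  # PE, ELF, script, Mach-O


def _xor(data: bytes, key: bytes) -> bytes:
    """Reversible transform: applying it twice with the same key yields the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_executable(data: bytes) -> bool:
    """True if the bytes begin with a well-known executable or script signature."""
    return any(data.startswith(m) for m in EXEC_MAGICS)


class QuarantineStore:
    def __init__(self, root: Path) -> None:
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)

    def quarantine(self, path: Path) -> Path:
        """Move `path` into the store as an inert container and delete the original."""
        path = Path(path)
        body = path.read_bytes()
        key = secrets.token_bytes(32)
        meta = {"original_path": str(path.resolve()),
                "sha256": hashlib.sha256(body).hexdigest(),
                "size": len(body),
                "key": key.hex()}            # key provides inertness, not secrecy
        header = json.dumps(meta).encode()
        blob = MAGIC + HDR_LEN.pack(len(header)) + header + _xor(body, key)
        entry = self.root / (meta["sha256"] + ".qrnt")
        entry.write_bytes(blob)
        os.chmod(entry, 0o600)               # owner read/write only, no execute bit
        path.unlink()                        # gone from its original location
        return entry

    def restore(self, entry: Path, dest: Optional[Path] = None) -> Path:
        """Reverse the transform, verify the hash, and write the file back."""
        blob = Path(entry).read_bytes()
        if not blob.startswith(MAGIC):
            raise ValueError("not a quarantine container")
        n = HDR_LEN.unpack_from(blob, len(MAGIC))[0]
        start = len(MAGIC) + HDR_LEN.size
        meta = json.loads(blob[start:start + n])
        body = _xor(blob[start + n:], bytes.fromhex(meta["key"]))
        if len(body) != meta["size"] or hashlib.sha256(body).hexdigest() != meta["sha256"]:
            raise ValueError("quarantined payload was tampered with or truncated")
        out = Path(dest) if dest else Path(meta["original_path"])
        out.write_bytes(body)
        Path(entry).unlink()
        return out


def run_demo() -> dict:
    """Quarantine a constructed fake PE, restore it, then show tamper detection."""
    tmp = Path(tempfile.mkdtemp())
    original = b"MZ\x90\x00" + bytes(range(256)) * 4   # constructed sample, not real malware
    suspect = tmp / "suspect.exe"
    suspect.write_bytes(original)
    store = QuarantineStore(tmp / "quarantine")

    entry = store.quarantine(suspect)
    stored = entry.read_bytes()
    results = {
        "original_gone": not suspect.exists(),
        "sample_looked_executable": looks_executable(original),
        "container_looks_executable": looks_executable(stored),
        "body_visible_in_container": original in stored,
    }
    results["restored_identical"] = store.restore(entry).read_bytes() == original
    results["entry_removed_after_restore"] = not entry.exists()

    # Simulate a corrupted container: the hash check must refuse to restore it.
    suspect.write_bytes(original)
    entry = store.quarantine(suspect)
    damaged = bytearray(entry.read_bytes())
    damaged[-1] ^= 0xFF
    entry.write_bytes(bytes(damaged))
    try:
        store.restore(entry)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Two things the toy makes visible: the transform exists to make the blob inert, not secret (the key sits in the header, and a real product may use a fixed vendor key), so the quarantine folder's protection comes from file permissions and the AV service's own access control rather than from the encoding; and because the container is restorable only through `restore()`, anything that wants to run the payload again has to go through the AV's own path, which is the point forest's comment makes.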
0

To pick up where Forest left off with this one: Malwarebytes will move the suspected/infected file from its current location and then store it in a new location they call a "protected container", i.e. quarantine. It is stored in such a way that the file can no longer be executed; this is typically done through the method Forest described. [1]

MB has a "dumping" feature: if you dump a file from the quarantined items, it will no longer be restorable at all, and you would have to re-install if you wanted the file back, as once you dump it, it is completely destroyed. All files in the quarantine can be moved back to your system if you wish, just not dumped files.


In regards to your second question, no, it wouldn't be possible. A quarantine is a separate file location that MB will move the files to. I tried Googling for any kind of case in which a virus made itself appear to be moved into the quarantine location; however, I couldn't find anything. The problem here is that once the file is moved there, it cannot be used; it has to be taken back out of that location for the file to be executable again.


1 - I had a look at the specifics of how Malwarebytes obfuscates their quarantined files; however, I couldn't find any resources or comments on it.