
There is a file that was found by my antivirus program and put into the virus quarantine section (it's not a false positive). Now I don't know how to handle these "quarantined" files.

  1. What is the best practice and secure way to deal with them? Delete from quarantine, or let them in there?

  2. If I delete a file from the quarantine, does it mean that it goes to the "recycle bin" of the computer and is thus still existent on my PC, and could be recovered by some tools like Recuva? Or will it be gone forever?

  3. What happens if there are files in the quarantine and you accidentally uninstall the antivirus program from your PC, what happens to the files?

Anders
johnsmiththelird
  • If you found a virus on your computer, even if it was quarantined by the antivirus program you have running, then you should probably consider your computer compromised, because you don't know what else this virus could have allowed in or done, and you don't know what other viruses could have been allowed in by the action that allowed the first virus. Best practice here is to back up the files that you need onto an external hard drive, format the hard drive that your OS is on, and reinstall. – kloddant Jan 31 '20 at 16:29
  • @kloddant: You forgot "unplug the external drive containing the preserved (and possibly infected) files, and don't unplug it until antivirus is installed and fully updated in the new environment, and then run a scan on the external drive before using any of the files thereon". It's a good idea to have external media unplugged during OS install anywhere, lest the OS installer decide that drive is the best place to create an EFI system partition (or other information used by the bootloader). – Ben Voigt Jan 31 '20 at 23:00
  • @Ben Voigt Good call. Yeah, that would definitely be for the best. – kloddant Jan 31 '20 at 23:06
  • typo in my comment above, should be "don't REplug it until" – Ben Voigt Jan 31 '20 at 23:12

2 Answers


Although a lot depends on the anti-virus software, I'll try to answer your questions:

1) What is the best practice and secure way to deal with them? Delete from quarantine, or let them in there?

Do you plan to study the virus and its working? If yes, then you might want to keep it (This will require a restore of the file).

Do you think it might be a false positive? If yes, report it to your anti-virus vendor for a re-evaluation, and if it turns out to be a false positive, you can restore the file(s).

If you don't plan to do anything with the file (and don't want to restore it either), you can delete it.

2) If I delete a file from the quarantine, does it mean that it goes to the "recycle bin" of the computer and is thus still existent on my PC, and could be recovered by some tools like Recuva? Or will it be gone forever?

This largely depends on the implementation of the anti-virus. No reputable vendor would send the file to the recycle bin.

Can they be recovered? Potentially yes. Even if the anti-virus program performs several iterations of deletion on that part of disk, the file could be potentially recovered using specialised techniques and tools.

3) What happens if there are files in the quarantine and you accidentally de-install the antivirus program from your PC, what happens to the files?

It should not affect your system, as the files are stored in a binary format. More details can be found here.

EDIT: As user21820 points out in the comments, there's nothing to worry about if the file in the quarantine is deleted using multiple overwrites.

pri
  • Hi pri, thanks. And "be recovered? Potentially yes." So should I trust the deletion function of the virus tool or do it myself, find the quarantine folder and wipe the folder myself? How can I find the path of the quarantine folder? I just think of the likelihood that the virus could recover itself again back to the system. – johnsmiththelird Jan 30 '20 at 12:26
  • You can trust the deletion function of the anti-virus tool (given that it is a reputable vendor). Your anti-virus tool should tell you where it keeps the quarantined files. – pri Jan 30 '20 at 12:49
  • Please give a citation for your implicit claim that, even if the anti-virus performs 10 iterations of writing random data to that part of a normal disk, the file can be potentially recovered using specialized tools. – user21820 Jan 31 '20 at 05:38
  • @user21820: I think claims like that for modern rotational media are way over-blown, and in this case I wouldn't bother to mention it at all. E.g. for getting it back after overwrites on an SSD you might need to open up the SSD and read the flash chips directly, bypassing the wear-leveling. (Or upload custom firmware that does that.) There's essentially zero risk of that happening by accident (SSD firmware bugs?), so it's not like the virus is "lurking" in unused space that could be directly read by the computer. – Peter Cordes Jan 31 '20 at 08:08
  • @PeterCordes: That's exactly why I asked for a citation, because I don't believe it. Indeed, what you mentioned in your comments are among the reasons to disbelieve it. – user21820 Jan 31 '20 at 08:36
  • @user21820 Yes, I know that it's really difficult, near to impossible. That's the reason I put "potentially" and "using specialised tools and techniques". But I agree that this is not something that could happen without any targeted attack. – pri Jan 31 '20 at 08:41
  • @pri: I don't even believe it is possible for a normal (rotational) hard-disk! As requested, please give a citation. After 10 random overwrites, I do not believe anything can be recovered at all even if you have all the money in the world. Same for an SSD if you really overwrite that physical part of the SSD. – user21820 Jan 31 '20 at 08:45
  • @user21820 I know this will not quench your quest, but here's a link which states the probability of fetching the data after an overwrite: https://web.archive.org/web/20090315092550/http://sansforensics.wordpress.com/2009/01/15/overwriting-hard-drive-data The probability falls to almost zero when the number of bits to be recovered increases, but it's still there. I have also read that read/write heads don't position themselves on the exact position while overwriting, which might cause a few bits not to be overwritten. I'll edit the answer to highlight that this scenario is improbable. – pri Jan 31 '20 at 10:03
  • @pri: Thank you. That is the kind of information I am looking for, and I very much appreciate your edit of your answer. As a mathematician, I have a strong preference for concrete evidence so that people can evaluate for themselves the likelihood of various scenarios and appropriate responses according to their risk tolerance. In particular, I note that your linked article states that even recovering 1 bit has only a 56% likelihood for a used drive. This is what people need to know. So thanks again! =) – user21820 Jan 31 '20 at 10:15
  • @Kaddath: My use of "rant" was meant to be a parody of yours; I'm sorry I didn't know you were not a native speaker. I suspect you also misread my statement on "paranoia"; I meant that there are people who sow paranoia and fear based on exaggeration. I don't mean that pri did it, but you can see from pri's link that there is a need to present facts as accurately as reasonable, and in this case the facts give a very different impression from the original statement. So I'm completely satisfied with the information pri has provided, and we can all go our own merry ways. Hope you have a nice day! – user21820 Jan 31 '20 at 10:53

A computer virus is just a file; it is not something that will be magically activated by itself and wreak havoc around. You can treat it just like a normal file: delete it and it's gone.

If you uninstall the AV, some will empty the quarantine directory, some not. In the event of the AV not clearing the quarantine, you will end up with a folder containing the virus file, so if you go there and delete the folder (or the file), the virus is gone.

Can it be recovered? Yes, it can. But not by itself. And it will not recover itself and activate itself.

ThoriumBR
  • "A computer virus is just a file": malware can be embedded in a lot of things other than files. – user371366 Jan 31 '20 at 05:05
  • @user371366: but if an AV program has quarantined it, that means it has been extracted to a file if it wasn't one already. That's the context of this answer; a non-quarantined virus *is* often something in a location that gets itself activated. So yes, that statement isn't true in the general case for non-quarantined viruses. – Peter Cordes Jan 31 '20 at 08:12
  • @user371366 like what? – ThoriumBR Jan 31 '20 at 11:55
  • @ThoriumBR Some examples that come to mind: master boot record; alternate data streams in NTFS; embedded in a user-created document or operating system executable rather than as a separate file; purely in-memory malware that disappears when the computer is restarted. – Aaron Rotenberg Jan 31 '20 at 22:18
  • Alternate data streams are components of files. A user-created document is a file, and an OS executable is a file too. In-memory malware will not go to quarantine, so it does not count. You are right about the MBR, but that will not go to quarantine either. – ThoriumBR Feb 02 '20 at 02:09
  • @AaronRotenberg listed a lot of good examples. One example that's been getting a lot of hype lately: malware that embeds itself in the firmware of internal or peripheral devices, particularly the UEFI. – user371366 Feb 04 '20 at 04:42
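The mechanics that pri's third point and ThoriumBR's answer describe, a quarantine entry being an encoded copy of the file that nothing can launch, restorable for a confirmed false positive, and deleted directly rather than via the recycle bin, as an added Python illustration. This is not any vendor's code; the on-disk layout, the repeating-key XOR encoding and the `.qbin`/`.json` file names are assumptions, and the sample file is constructed, harmless bytes.

```python
# Toy quarantine store (added example, not any vendor's real implementation).
import hashlib, json, os, secrets, tempfile
from pathlib import Path

def _xor(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR strips the file of valid headers so nothing can launch
    # it by accident; this neutralises the file, it does not hide its contents.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def quarantine(path: Path, store: Path) -> str:
    """Replace the live file with an encoded blob plus metadata; return entry id."""
    store.mkdir(parents=True, exist_ok=True)
    data, key = path.read_bytes(), secrets.token_bytes(32)
    eid = hashlib.sha256(data).hexdigest()
    (store / f"{eid}.qbin").write_bytes(_xor(data, key))
    meta = {"original_path": str(path.resolve()), "sha256": eid, "key": key.hex()}
    (store / f"{eid}.json").write_text(json.dumps(meta))
    path.unlink()  # the live copy is gone; only the neutralised blob remains
    return eid

def restore(eid: str, store: Path) -> Path:
    """Decode the blob back to its original path (e.g. a confirmed false positive)."""
    meta = json.loads((store / f"{eid}.json").read_text())
    data = _xor((store / f"{eid}.qbin").read_bytes(), bytes.fromhex(meta["key"]))
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("quarantine entry is corrupt")
    dest = Path(meta["original_path"])
    dest.write_bytes(data)
    return dest

def purge(eid: str, store: Path, passes: int = 1) -> None:
    """Delete without any recycle bin: overwrite in place, then unlink.
    The overwrite is best effort; SSD wear-levelling may retain old blocks."""
    for p in (store / f"{eid}.qbin", store / f"{eid}.json"):
        size = p.stat().st_size
        with open(p, "r+b") as f:
            for _ in range(passes):
                f.seek(0)
                f.write(secrets.token_bytes(size))
                f.flush(); os.fsync(f.fileno())
        p.unlink()

def demo() -> dict:
    """Round trip on a constructed, harmless sample file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sample, store = Path(tmp) / "sample.exe", Path(tmp) / "quarantine"
        original = b"MZ constructed sample bytes, not malware\x00\x01\x02"
        sample.write_bytes(original)
        eid = quarantine(sample, store)
        live_removed, blob = not sample.exists(), (store / f"{eid}.qbin").read_bytes()
        restored = restore(eid, store).read_bytes()
        purge(eid, store, passes=2)
        return {"live_removed": live_removed, "blob_differs": blob != original,
                "restored_ok": restored == original, "purged": not any(store.iterdir())}
```

Running `demo()` shows all four properties holding: the live file disappears on quarantine, the stored blob no longer matches the original bytes, restore reproduces them exactly, and purge leaves the store empty.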