
When security tools quarantine files, why do they tend to use encryption, rather than simple file corruption?

The main goal of quarantining a file is to make it impossible to run on a system. This particular goal is easily accomplishable by simple file corruption, for example, changing the file's extension and adding 64 bytes. It makes the file impossible to run and it's a much lighter operation than encrypting the whole content of it.

What are the benefits of encryption over corruption, and why is it the preferred way to quarantine?

pepperoni
  • You speak as though quarantines routinely encrypt the files. Is this common or is it just in the tool you are using? – schroeder Aug 03 '21 at 09:03
  • Also, why corruption, specifically? Why waste disk space and not delete entirely? – schroeder Aug 03 '21 at 09:05
  • "It makes the file impossible to run" -- are you sure? This is not always the case. It could simply introduce unexpected behavior. I think you have some assumptions about how adding bytes would work. – schroeder Aug 03 '21 at 09:08

1 Answer


In the case of a false positive, you want the operation to be reversible. It may also be useful for forensics to be able to analyze the original sample if it was correctly quarantined but proved to be a new strain with different behavior than earlier samples.

tripleee
  • Simple operations, like changing extensions and adding arbitrary bytes are reversible. – pepperoni Aug 03 '21 at 08:20
  • But also ineffective (changing file name) or error-prone and wasteful (adding unrelated bytes). – tripleee Aug 03 '21 at 08:22
  • While the antivirus will try to corrupt the file, the antivirus itself is also meddling with a potential malicious file which can have adverse results. It is better to encrypt and quarantine and leave it to the user for manual verification of the file. – Bilal Ahmad Aug 03 '21 at 08:48
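The reversibility and integrity the answer relies on, shown as an added Python example that is not from the original thread: a quarantine entry stores provenance and a hash of the plaintext next to an encrypted body, so a false positive can be restored bit-for-bit and a wrong key or tampered entry is refused. The keystream construction, key and sample bytes are constructed for the demo, not any product's real format.

```python
import hashlib
import hmac
import json

def _keystream(key: bytes, length: int) -> bytes:
    # Demonstration-only keystream: HMAC-SHA256 in counter mode. A real
    # product would use a vetted AEAD cipher; what matters here is that the
    # transform is keyed (only the tool can undo it) and exactly reversible.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def quarantine(data: bytes, original_path: str, key: bytes) -> bytes:
    """Build a self-describing quarantine blob from a file's contents.
    The header records where the file lived and the SHA-256 of the
    plaintext, so restore() can prove it produced an exact copy; the body
    is encrypted, so the stored blob cannot be executed or mistaken for
    the original file."""
    header = json.dumps({"original_path": original_path,
                         "sha256": hashlib.sha256(data).hexdigest()}).encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return len(header).to_bytes(4, "big") + header + body

def restore(blob: bytes, key: bytes) -> tuple:
    """Reverse quarantine(); return (original_path, data) or raise.
    Contrast with the question's 'append 64 bytes' idea, which is only
    undoable if the tool separately remembers how many bytes it added."""
    hlen = int.from_bytes(blob[:4], "big")
    header = json.loads(blob[4:4 + hlen])
    body = blob[4 + hlen:]
    data = bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))
    if hashlib.sha256(data).hexdigest() != header["sha256"]:
        raise ValueError("wrong key or tampered entry: refusing to restore")
    return header["original_path"], data

def demo() -> dict:
    sample = b"MZ\x90\x00 constructed fake executable\n" * 3  # constructed input
    key = b"constructed-demo-key"
    blob = quarantine(sample, "/tmp/suspect.exe", key)
    try:
        restore(blob, b"wrong-key")
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    path, data = restore(blob, key)
    return {"plaintext_hidden": sample[:8] not in blob,
            "wrong_key_rejected": wrong_key_rejected,
            "restored_exactly": data == sample and path == "/tmp/suspect.exe"}
```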