Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

What happens when my anti-malware tool quarantines something?

Question:

How does the Quarantine function by an anti-malware software works?
Specifically, when a malware is placed in quarantine, how is that malware
rendered impotent? Is the quarantine escape-proof? Other than an accidental
restoration by the user, is there any risk to leaving a malware in quarantine
indefinitely? Can a malware be released back into the PC system if the
anti-malware software somehow malfunctions? Bottom line, should we delete a
malware from quarantine as soon as we are sure it’s not a false positive?

Even though “quarantine” is a common term among anti-malware tools, there’s
actually not a consistent definition of exactly what it means. As a result, I
can’t tell you specifically what your tool – or any tool for that matter – does
when it places something in quarantine.

However, knowing a little about how malware works, and a lot about how
Windows works, I can certainly cover the concepts that probably apply in most
cases.

]]>

Quarantine

Malware being quarantined in all likelihood means this:

P1010344
  • The file identified as containing malware is moved to a folder that Windows would normally not look in – it’s not one of the standard places that Windows might look for programs to run, and it’s not referenced by other software on the machine.

  • The file is renamed. Much malware relies on the filename being similar to existing Windows files, and/or being a file type – such as “.exe” – that Windows would normally run as a program. Renaming the file removes both of those possibilities, preventing Windows from running the file, and making it obvious by it’s name that the file is in quarantine.

  • The file may also be marked as “hidden”, or (if on a file system that supports it) the permissions on it may be reset such that the file cannot be opened by normal system processes.

  • An especially sophisticated quarantine could also encrypt or encode the file so that even if it were somehow accessed it would remain meaningless.

By and large just moving the file is sufficient to remove the potential for harm. The additional steps are just that – additional steps that further ensure that the file will not be accidentally allowed to re-infect.

“By and large just moving the file)is sufficient to remove the potential for harm.”

Malware Returning from the Grave

The only way I could see malware returning from quarantine would be:

  • You explicitly, manually restored it outside of the anti-malware software. This isn’t typically easy – you’ll have meant to do this for some reason.

  • The anti-malware software itself was accidentally instructed to do so – most have a “restore” function, and it’s possible I suppose to trigger that by accident.

I’m not aware of any malicious way that malware would return from the grave, other than simply getting infected again by whatever means your machine became infected in the first place.

As a result, I don’t see a pressing need to delete malware from quarantine; it’s just not likely to come back from there.

But then again I also don’t see a reason not to. Once you have determined that the file is infected malware and not a false positive why would you want to leave the file on your machine? There’s really no point, so in practice I would do just that – delete the files from quarantine after I’m sure that it’s safe to do so.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

6 comments on “What happens when my anti-malware tool quarantines something?”

  1. I was using Webroots and it would not let me delete the quarantined items. I now use Mcafee, and haven’t really tried. But, in case it doesn’t, is there a way to work around it?

    It depends on why it won’t let you delete. Worst case you boot from a Linux Live CD and delete the file there, but there are risks that the file was needed for something important. As I said, it all depends on why.

    Leo
    27-Aug-2010

    Reply
  2. I have the same problem. How do you delete a file that your anti-virus wont allow you to? Also, at the moment my laptop is away having a `nasty` virus removed from it. When I expressed suprise that my Norton 360 hadn`t detected it, they said`Oh it detected it all right, but then it just quarantined it, leaving it to carry on infecting your system` Have I misunderstood what quarantining means? I didnt think so

    No idea who “they” are, but if a quarantined file can carry on infecting your system then IMO it wasn’t properly removed or quarantined.

    Leo
    27-Aug-2010

    Reply
  3. False positives are a pain. Often the only way to deal with them is to contact the anti-virus program maker.
    I had a file that I knew wasn’t malware but Avast!
    identified it as malware and quarantined it.
    It was impossible to restore it (Avast would just remove it again).
    It was a little program from a trusted source that I used frequently.
    It took an email to Avast! along with providing them with info about the program and it’s source to fix this situation.
    Avast!, after considering the info I supplied them
    released an update later that day exempting that particular program, letting me reinstall it.

    It took interacting with a human to rectify this situation.

    Reply
  4. Typo Alert: Leo wrote:

    “The file identified as containing malware is moved to a folder that Windows would normally not look in – it’s one of the standard places that Windows might look for programs to run, and it’s not referenced by other software on the machine.”

    Just to point it out, Leo, in the text quoted above, I do believe when you said “it’s one“, that you actually meant to say “it’s not one“.

    Please be more careful! :)

    I try! Fixed… thanks for pointing it out.

    Leo
    27-Aug-2010

    Reply
  5. Mark Dales asked:

    Why quarantine at all? Why not just nuke the offending files?

    Because God forbid the file in question should not only be not a virus, but actually be genuinely needed! That is why the better antivirus programs will quarantine rather than nuke — it gives the user a way to retrieve innocuous and/or needed files erroneously marked as dangerous.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.