How does the Quarantine function by an anti-malware software works?
Specifically, when a malware is placed in quarantine, how is that malware
rendered impotent? Is the quarantine escape-proof? Other than an accidental
restoration by the user, is there any risk to leaving a malware in quarantine
indefinitely? Can a malware be released back into the PC system if the
anti-malware software somehow malfunctions? Bottom line, should we delete a
malware from quarantine as soon as we are sure it’s not a false positive?
Even though “quarantine” is a common term among anti-malware tools, there’s
actually not a consistent definition of exactly what it means. As a result, I
can’t tell you specifically what your tool – or any tool for that matter – does
when it places something in quarantine.
However, knowing a little about how malware works, and a lot about how
Windows works, I can certainly cover the concepts that probably apply in most
cases.
]]>
Quarantine
Malware being quarantined in all likelihood means this:
-
The file identified as containing malware is moved to a folder that Windows would normally not look in – it’s not one of the standard places that Windows might look for programs to run, and it’s not referenced by other software on the machine.
-
The file is renamed. Much malware relies on the filename being similar to existing Windows files, and/or being a file type – such as “.exe” – that Windows would normally run as a program. Renaming the file removes both of those possibilities, preventing Windows from running the file, and making it obvious by it’s name that the file is in quarantine.
-
The file may also be marked as “hidden”, or (if on a file system that supports it) the permissions on it may be reset such that the file cannot be opened by normal system processes.
-
An especially sophisticated quarantine could also encrypt or encode the file so that even if it were somehow accessed it would remain meaningless.
By and large just moving the file is sufficient to remove the potential for harm. The additional steps are just that – additional steps that further ensure that the file will not be accidentally allowed to re-infect.
Malware Returning from the Grave
The only way I could see malware returning from quarantine would be:
-
You explicitly, manually restored it outside of the anti-malware software. This isn’t typically easy – you’ll have meant to do this for some reason.
-
The anti-malware software itself was accidentally instructed to do so – most have a “restore” function, and it’s possible I suppose to trigger that by accident.
I’m not aware of any malicious way that malware would return from the grave, other than simply getting infected again by whatever means your machine became infected in the first place.
As a result, I don’t see a pressing need to delete malware from quarantine; it’s just not likely to come back from there.
But then again I also don’t see a reason not to. Once you have determined that the file is infected malware and not a false positive why would you want to leave the file on your machine? There’s really no point, so in practice I would do just that – delete the files from quarantine after I’m sure that it’s safe to do so.
I was using Webroots and it would not let me delete the quarantined items. I now use Mcafee, and haven’t really tried. But, in case it doesn’t, is there a way to work around it?
27-Aug-2010
Why quarantine at all? Why not just nuke the offending files?
I have the same problem. How do you delete a file that your anti-virus wont allow you to? Also, at the moment my laptop is away having a `nasty` virus removed from it. When I expressed suprise that my Norton 360 hadn`t detected it, they said`Oh it detected it all right, but then it just quarantined it, leaving it to carry on infecting your system` Have I misunderstood what quarantining means? I didnt think so
27-Aug-2010
False positives are a pain. Often the only way to deal with them is to contact the anti-virus program maker.
I had a file that I knew wasn’t malware but Avast!
identified it as malware and quarantined it.
It was impossible to restore it (Avast would just remove it again).
It was a little program from a trusted source that I used frequently.
It took an email to Avast! along with providing them with info about the program and it’s source to fix this situation.
Avast!, after considering the info I supplied them
released an update later that day exempting that particular program, letting me reinstall it.
It took interacting with a human to rectify this situation.
Typo Alert: Leo wrote:
Just to point it out, Leo, in the text quoted above, I do believe when you said “it’s one“, that you actually meant to say “it’s not one“.
Please be more careful! :)
27-Aug-2010
Mark Dales asked:
Because God forbid the file in question should not only be not a virus, but actually be genuinely needed! That is why the better antivirus programs will quarantine rather than nuke — it gives the user a way to retrieve innocuous and/or needed files erroneously marked as dangerous.