How does the Quarantine function by an anti-malware software works?
Specifically, when a malware is placed in quarantine, how is that malware
rendered impotent? Is the quarantine escape-proof? Other than an accidental
restoration by the user, is there any risk to leaving a malware in quarantine
indefinitely? Can a malware be released back into the PC system if the
anti-malware software somehow malfunctions? Bottom line, should we delete a
malware from quarantine as soon as we are sure it’s not a false positive?
Even though “quarantine” is a common term among anti-malware tools, there’s
actually not a consistent definition of exactly what it means. As a result, I
can’t tell you specifically what your tool – or any tool for that matter – does
when it places something in quarantine.
However, knowing a little about how malware works, and a lot about how
Windows works, I can certainly cover the concepts that probably apply in most
Malware being quarantined in all likelihood means this:
The file identified as containing malware is moved to a folder that Windows would normally not look in – it’s not one of the standard places that Windows might look for programs to run, and it’s not referenced by other software on the machine.
The file is renamed. Much malware relies on the filename being similar to existing Windows files, and/or being a file type – such as “.exe” – that Windows would normally run as a program. Renaming the file removes both of those possibilities, preventing Windows from running the file, and making it obvious by it’s name that the file is in quarantine.
The file may also be marked as “hidden”, or (if on a file system that supports it) the permissions on it may be reset such that the file cannot be opened by normal system processes.
An especially sophisticated quarantine could also encrypt or encode the file so that even if it were somehow accessed it would remain meaningless.
By and large just moving the file is sufficient to remove the potential for harm. The additional steps are just that – additional steps that further ensure that the file will not be accidentally allowed to re-infect.
Malware Returning from the Grave
The only way I could see malware returning from quarantine would be:
You explicitly, manually restored it outside of the anti-malware software. This isn’t typically easy – you’ll have meant to do this for some reason.
The anti-malware software itself was accidentally instructed to do so – most have a “restore” function, and it’s possible I suppose to trigger that by accident.
I’m not aware of any malicious way that malware would return from the grave, other than simply getting infected again by whatever means your machine became infected in the first place.
As a result, I don’t see a pressing need to delete malware from quarantine; it’s just not likely to come back from there.
But then again I also don’t see a reason not to. Once you have determined that the file is infected malware and not a false positive why would you want to leave the file on your machine? There’s really no point, so in practice I would do just that – delete the files from quarantine after I’m sure that it’s safe to do so.