1

What is the quarantine of antivirus software? Is it just some strict user/group rights and changing file extension or is it an actual moving the file(s) to a virtual environment?

How is this software preventing a virus from executing or breaking out of such a sandbox/quarantine?

Bob Ortiz
  • 6,339
  • 9
  • 45
  • 91
  • 1
    I know it's not an exact match for the question, but I think the accepted answer is exactly what you're asking about – Neil Smithline Jul 07 '16 at 20:32
  • 1
    Also related, for the same reasons: [Can AV software make sure quarantined files never get executed?](https://security.stackexchange.com/q/129097/32746) – WhiteWinterWolf Jul 07 '16 at 20:58

1 Answers1

2

Many AV function the same way but may have different specific mechanisms of action. In general they work like this:

When MBAM removes an item such as a file or a Registry entry and "quarantines" the item, it is removed from its original location and stored in a protected container. Both the removed item and it location are stored in the container in a way that the file is rendered inert and the location of where it was removed from is also restored. Thus if it is deemed to be a False Positive declaration, the item removed (file or Registry entry) can be restored to its original and working state. If however the item(s) are deemed to be justly removed for malicious activity, the quarantine can be "dumped" such that can not be restored and the container no longer holds any more quarantined items or you can choose to be selective on what is dumped from quarantine.

SOURCE

There is also another post on the InfoSec SE that has some additional info:

In most anti-virus programs, the quarantine files are stored in internal binary formats. Since there is no physical connection between the infector file to your system (your anti-virus program works as the storage format is also a plus point), it is not dangerous.

HashHazard
  • 5,145
  • 1
  • 19
  • 29