40

I am reading a book on network security and when talking about user confusion it writes:

"It is not uncommon for a user to be asked security questions such as Is it safe to quarantine this attachment? With little or no direction, users are inclined to provide answers to questions without understanding the security risks."

Could someone please tell me, a confused user, what are the dangers of quarantining an attachment? My understanding is that a file in quarantine cannot interact with the OS in any way, thus it isn't a security risk but we also cannot analyze it to see if it is a virus.

Anders
Peter Horniak
  • perhaps an old question of mine is relevant in one way or another, anyway i hope the answers there help http://superuser.com/questions/632067/is-it-possible-to-safely-contain-a-virus-not-letting-it-spread – Lynob Aug 02 '14 at 19:05

6 Answers

56

No

Quarantine is nothing but a place to store the infected/suspicious files. When you quarantine a file it is deleted from the actual place and moved to the quarantine location (to the path that your anti-virus program has for them).

This is something like keeping a zombie inside a jail. Obviously it is not a threat as long as you don't open the cage.

In most anti-virus programs, the quarantine files are stored in internal binary formats. Since there is no physical connection between the infector file to your system (your anti-virus program works as the storage format is also a plus point), it is not dangerous.

Analyzing:

Regarding analyzing an infected file, yes it is not possible after quarantine. If you want to do that, you either try disinfecting it or restoring it to its original place (you have to disable your anti-virus program to do this and this is the place where you are opening the cage) and then analyze it. But remember the zombie might eat you up (unless you are good with shotguns)! So it is at your own risk.

Why not just send the infected/suspicious files to the anti-virus program team? They might give you a better picture after inspecting it with their updated virus signatures.

Bottom line: A quarantined file is not dangerous. But analyzing them yourself might be.

Peter Mortensen
Ebenezar John Paul
14

I think the author's real point is not the safety of a file once quarantined but rather what happens if the user says "no"? Does the system leave it where it is - a potentially big risk - or does it erase it - a potentially big risk? Without knowing what action will be taken if you don't quarantine, or indeed without explaining what quarantine means, the user is faced with a question they must answer to progress. However, they do not have the information required to make an informed decision. What happens? They roll the dice and guess.

Andy Boura
5

So, users are asked a pretty tough question: Do you want this file or do you want to be safe? It's not even a matter of informed decisions, here... Users don't have a degree in computer science and currently don't have the tools to stay secure.

Users don't have time and effort to waste for informed decisions. This point has been debated over and over again. If the file is unsafe it should be quarantined automatically, and an option to "Recover the malware" provided, instead of the user having to either waste their time thinking about it or spare their time and make a quasi-random decision.

There is a very similar example: how the Google Chrome Security team redefined the user experience of Chrome malware recovery warnings. They made it harder for the user to do the unsafe thing, by increasing the interaction cost of it and increasing the feeling of doing something dangerous.

Steve Dodier-Lazaro
4

What are the dangers of sending a file to quarantine?

There is a slight possibility that the malware scanner falsely tags a valid system file as infected. Sending that file to quarantine could render your system unusable until the file is restored. This has happened on occasion with some major vendors of antivirus for a specific release of definitions. While quickly adjusted, the default actions had made systems unbootable.

SrJoven
4

The idea of having the "quarantine" option when an antivirus detects an infected file is to avoid false positives. If by chance the antivirus software wrongly flags a file as "bad" when the file is actually something you need, like a critical program (for example Explorer.exe in Windows) such that deleting it might cause the computer to stop working, quarantine allows you to simply restore it.

Anything in quarantine is safely segregated from the rest of your computer; it cannot run from there, so it can do no harm. So the general advice is to put the infected files in quarantine for a while as you go about your normal computer activities. If everything continues to run properly after a reasonable period of time (say, about a week or two), then delete the files in quarantine permanently.

The file identified by the Anti Virus S/W as containing malware is moved to a folder that Windows would normally not look in. The file can also be renamed by the Anti Virus S/W, preventing Windows from running the file and making it obvious by its name that the file is in quarantine.

Malware can return to the system from quarantine if:

The malware is explicitly, manually restored by the user outside of the anti-malware software. This generally does not happen by accident.

The anti-malware software itself was accidentally instructed to do so - most have a "restore" function, and it's possible I suppose to trigger that by accident.
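The mechanism described in the first answer (the file is removed from its original location and stored in an internal binary format) and in the answer just above (moved to a private folder, renamed so it cannot run, restorable on purpose but not by accident) can be seen in a small quarantine store. The following is an added example written for this page, not code from any antivirus vendor or from the answers' authors. The XOR key, directory layout, file names and the `demo()` sample file are all constructed for illustration; the design point it shows is that the stored copy is never a runnable file and the original bytes only come back through an explicit `restore()` that verifies integrity first, which is also the path you would take for a false positive.

```python
"""Minimal file quarantine store (illustrative; not any vendor's implementation)."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

# Constructed obfuscation key. Real products use their own container formats;
# the only point here is that the stored bytes are never a runnable copy.
XOR_KEY = 0x5A


def _xor(data: bytes) -> bytes:
    """Symmetric byte-wise transform: applied once to store, once to restore."""
    return bytes(b ^ XOR_KEY for b in data)


class Quarantine:
    """Moves suspicious files into a private directory as obfuscated blobs."""

    def __init__(self, root: str) -> None:
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        try:
            os.chmod(self.root, 0o700)  # owner-only access; no effect on Windows
        except OSError:
            pass

    def quarantine(self, path: str, reason: str) -> str:
        """Remove the file from its original location; return the entry id."""
        src = Path(path)
        data = src.read_bytes()              # treated as opaque bytes: nothing is parsed
        digest = hashlib.sha256(data).hexdigest()
        blob = self.root / f"{digest}.qbin"  # neither original name nor extension survives
        blob.write_bytes(_xor(data))
        meta = {
            "original_path": str(src.resolve()),
            "sha256": digest,
            "reason": reason,
            "quarantined_at": time.time(),
        }
        (self.root / f"{digest}.json").write_text(json.dumps(meta))
        src.unlink()                         # the file no longer exists where it could run
        return digest

    def restore(self, digest: str) -> str:
        """Explicit, deliberate restore (e.g. for a false positive); returns the path."""
        meta = json.loads((self.root / f"{digest}.json").read_text())
        data = _xor((self.root / f"{digest}.qbin").read_bytes())
        if hashlib.sha256(data).hexdigest() != meta["sha256"]:
            raise ValueError("quarantine entry corrupted; refusing to restore")
        dest = Path(meta["original_path"])
        dest.write_bytes(data)
        self.purge(digest)
        return str(dest)

    def purge(self, digest: str) -> None:
        """Permanently delete an entry (the 'delete after a week or two' step)."""
        for suffix in (".qbin", ".json"):
            (self.root / f"{digest}{suffix}").unlink(missing_ok=True)


def demo() -> dict:
    """Quarantine a constructed sample file, then restore it as a false positive."""
    work = Path(tempfile.mkdtemp())
    sample = work / "invoice.exe"                       # constructed sample, not real malware
    original = b"MZ-constructed-sample-not-real-malware\n"
    sample.write_bytes(original)

    q = Quarantine(str(work / "quarantine"))
    digest = q.quarantine(str(sample), "heuristic match (constructed)")
    stored = (q.root / f"{digest}.qbin").read_bytes()
    result = {
        "gone_from_original_location": not sample.exists(),
        "stored_bytes_differ": stored != original,
        "no_exe_name_in_store": not any(p.suffix == ".exe" for p in q.root.iterdir()),
    }
    restored = Path(q.restore(digest))
    result["restored_identical"] = restored.read_bytes() == original
    result["entry_purged_after_restore"] = not (q.root / f"{digest}.qbin").exists()
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

Note that `quarantine()` never interprets the file contents (no decompression, no format parsing); it only hashes and transforms raw bytes. That is the property the last answer on this page worries about: every step in which the quarantine engine parses untrusted data is attack surface, so a store that treats the payload as opaque keeps that surface small.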

1

I agree with the rest of the posts saying that malware is not dangerous if quarantined and if it stays in the quarantine.

But I'd like to add a qualifier - this is only true if the software works as intended.

Antivirus software, just like any other software out there, especially software that has loads of code to parse untrusted data, is bound to have bugs in it somewhere. There have been plenty of cases of security vulnerabilities in the antivirus software itself, sometimes even creating infection vectors where they would otherwise not exist.

This makes me wonder - at some level the malware has to be "neutralized" before being quarantined, perhaps by doing something to the data of the virus. The LZO bug has told us that subtle faults in algorithms can exist for a long time and be widely deployed.

Let's imagine for a moment that the recently discovered LZO bug could be triggered by compression rather than decompression. (Which is not the case. But who knows what bugs lurk?) And let's further imagine that a hypothetical antivirus product uses LZO to compress the malware as a step in containing it.

Let's further imagine an adversary creating a piece of malware that is detected as malware (easy enough to do, just include the EICAR string in it) and when quarantined causes remote code execution in the context of the antivirus process!

I'm sure you can imagine many variations on this theme.

So, short answer, yes, malware is harmless once quarantined.

Long answer, it is possible to imagine circumstances where a security bug in the quarantining process itself in the malware would cause a piece of malware to be able to infect your computer specifically through the quarantining feature. But I've never heard of this happening.