[File] [PATCH] of Magdir/fsav for Avira AntiVir quarantined (*.qua)

Jörg Jenderek joerg.jen.der.ek at gmx.net
Mon Nov 26 22:40:07 UTC 2018


Some days ago I ran a treemap utility on my disks to look for disk space
"eating" files. Finally I found gigabyte-sized examples with file name
extension "qua". Such examples are described by the file command
version 5.35 only as "data".

The File Identifier TrID ( see http://mark0.net/soft-trid-e.html ) on
the other hand describes such examples as "Avira AntiVir quarantined".

With the verbose option -v this software shows a URL with information
about the software firm producing such examples.

Avira produces malware protection software with names like "AntiVirus".
Depending on the configuration used, this software removes files with
"malware" and stores the file content together with some meta information
inside the directory %ProgramData%\Avira\Antivirus\INFECTED on Windows OS
as a file with name extension "qua".

Because malware stuff for the file command is handled by Magdir/fsav, I
started to add magic lines there. First I used the magic found in the TrID
database (qua-antivir.trid.xml inside triddefs_xml.7z). This is now
expressed by the line
 0	string		AntiVir\ Qua	Avira AntiVir quarantined
Afterwards the name extension and a user-defined MIME type are displayed by
 !:mime	application/x-avira-qua
 !:ext	qua

I have tested the magic lines for examples produced with the software
version at November 2019. I was so frustrated with the new
Windows 10-like GUI of Avira showing the quarantine directory, because
the window is fixed-size and no sorting by file size is available.
So I myself looked for more fields to extract from qua files by looking for
a known virus like "eicar.com" of type "Eicar-Test-Signature" and
comparing with the output of AntiVir.
The original file name is stored as UTF-16 at different positions,
depending on whether the original content is considered malware or only
suspicious. This is done by lines like
 >156	string		SUSPICIOUS_FILE
 >>220	lestring16	x		%s
 >156	string		!SUSPICIOUS_FILE
 >>228	lestring16	x		%s
If the content is not only suspicious but malware, then the virus type like
"Eicar-Test-Signature" is stored at that position. That is displayed
at the end by the lines:
 >156	string		!SUSPICIOUS_FILE
 >>156	string		x		\b, category "%s"
Furthermore the date is shown by the line
 >60	ldate		x		at %s

After applying the above-mentioned modifications by the patch
file file-5.35-fsav.diff, all such quarantined examples are
described by Magdir/fsav like:

0a477671.qua: Avira AntiVir quarantined V:\eicas.com
	at Mon Nov 12 03:39:45 2018, category "Eicar-Test-Signature"
134e1dc0.qua: Avira AntiVir quarantined V:\eicar.com
	at Mon Nov 12 03:19:24 2018, category "Eicar-Test-Signature"
774b6572.qua: Avira AntiVir quarantined V:\TEMP\foobar.dll
	at Tue Sep 06 13:27:15 2016

I hope my diff file can be applied in a future version of the
file utility.

With best wishes
Jörg Jenderek

-------------- next part --------------
--- file-5.35/magic/Magdir/fsav.old	2018-07-16 13:30:41 +0000
+++ file-5.35/magic/Magdir/fsav	2018-11-26 22:33:03 +0000
@@ -68 +68,22 @@
 >33	string	-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*	EICAR virus test files
+# From: Joerg Jenderek
+# URL: http://www.avira.com/
+# Note: found in directory %ProgramData%\Avira\Antivirus\INFECTED (Windows)
+# tested with version at November 2019
+0	string		AntiVir\ Qua	Avira AntiVir quarantined
+!:mime	application/x-avira-qua
+#!:mime	application/octet-stream
+!:ext	qua
+>156	string		SUSPICIOUS_FILE
+# file path of suspicious file
+>>220	lestring16	x		%s
+>156	string		!SUSPICIOUS_FILE
+# file path of virus file
+>>228	lestring16	x		%s
+# quarantined date
+>60	ldate		x		at %s
+# virus/danger name
+>156	string		!SUSPICIOUS_FILE
+>>156	string		x		\b, category "%s"
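Review bot: the `>156 string !SUSPICIOUS_FILE` test is evaluated twice in this hunk, once to print the path at offset 228 and once to print the category at offset 156, with the unconditional `>60 ldate` line sitting between the two; if the output order (path, date, category) is intentional, a comment saying so would help, otherwise fold both into one `!SUSPICIOUS_FILE` block and repeat `>>60 ldate x at %s` under each branch so the date still follows the path. Two smaller points: the comment `# tested with version at November 2019` appears in a patch dated 2018-11-26, so the year looks like a typo and should be checked; and the commented-out `#!:mime application/octet-stream` should either be dropped or carry a note on why the unregistered `application/x-avira-qua` was preferred over it.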

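As an added example that is not part of the original post or of the file project, the following Python reader pulls out the same fields the magic lines test: the "AntiVir Qua" signature at offset 0, the little-endian 32-bit Unix timestamp at 60, the category string at 156 and the UTF-16LE path at 220 (suspicious) or 228 (malware). It reproduces the description format shown in the post and carries a constructed sample builder so it runs offline. The assumptions that the category string at 156 is NUL-terminated and that the path ends at a two-byte NUL are mine, taken from how file prints `string` and `lestring16`, not from any Avira documentation; the date is rendered in UTC, whereas file's `ldate` prints local time.

```python
# Added example (not from the original post or the file project): a minimal
# reader for the Avira AntiVir quarantine header layout the magic lines test.
import struct
from datetime import datetime, timezone

MAGIC = b"AntiVir Qua"          # 0   string      AntiVir\ Qua
DATE_OFFSET = 60                # 60  ldate       little-endian 32-bit Unix time
CATEGORY_OFFSET = 156           # 156 string      SUSPICIOUS_FILE or virus name
SUSPICIOUS_PATH_OFFSET = 220    # 220 lestring16  path of a suspicious file
MALWARE_PATH_OFFSET = 228       # 228 lestring16  path of a malware file
SUSPICIOUS = b"SUSPICIOUS_FILE"


def _cstring(data, offset):
    """ASCII string at offset up to the first NUL (NUL terminator is assumed)."""
    end = data.find(b"\x00", offset)
    return data[offset:end if end != -1 else len(data)].decode("ascii", "replace")


def _utf16le_string(data, offset):
    """UTF-16LE string at offset up to the first NUL code unit (assumed)."""
    end = len(data)
    for i in range(offset, len(data) - 1, 2):
        if data[i] == 0 and data[i + 1] == 0:
            end = i
            break
    return data[offset:end].decode("utf-16-le", "replace")


def parse_qua(data):
    """Return the fields the fsav magic prints, or raise on a non-qua blob."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Avira AntiVir quarantine file")
    if len(data) < MALWARE_PATH_OFFSET + 2:
        raise ValueError("truncated quarantine header")
    (timestamp,) = struct.unpack_from("<I", data, DATE_OFFSET)
    # The magic compares only the 15 bytes of "SUSPICIOUS_FILE"; do the same.
    marker = data[CATEGORY_OFFSET:CATEGORY_OFFSET + len(SUSPICIOUS)]
    suspicious = marker == SUSPICIOUS
    path_offset = SUSPICIOUS_PATH_OFFSET if suspicious else MALWARE_PATH_OFFSET
    return {
        "timestamp": timestamp,
        "date": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "suspicious": suspicious,
        "category": None if suspicious else _cstring(data, CATEGORY_OFFSET),
        "path": _utf16le_string(data, path_offset),
    }


def describe(data):
    """Mimic the file(1) output of the magic lines (date shown in UTC here)."""
    info = parse_qua(data)
    text = "Avira AntiVir quarantined %s at %s" % (
        info["path"], info["date"].strftime("%a %b %d %H:%M:%S %Y"))
    if not info["suspicious"]:
        text += ', category "%s"' % info["category"]
    return text


def build_sample(path, timestamp, category=None):
    """Construct a header-only sample with the layout above (test data only)."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    path_offset = SUSPICIOUS_PATH_OFFSET if category is None else MALWARE_PATH_OFFSET
    buf = bytearray(max(512, path_offset + len(encoded)))
    buf[0:len(MAGIC)] = MAGIC
    struct.pack_into("<I", buf, DATE_OFFSET, timestamp)
    name = SUSPICIOUS if category is None else category.encode("ascii")
    buf[CATEGORY_OFFSET:CATEGORY_OFFSET + len(name)] = name
    buf[path_offset:path_offset + len(encoded)] = encoded
    return bytes(buf)


if __name__ == "__main__":
    # Constructed samples mirroring two of the files listed in the post
    # (timestamps chosen so the UTC rendering matches the quoted output).
    for blob in (
        build_sample("V:\\eicar.com", 1541992764, "Eicar-Test-Signature"),
        build_sample("V:\\TEMP\\foobar.dll", 1473168435),
    ):
        print(describe(blob))
```

Run it directly to see the two descriptions; point `parse_qua` at the bytes of a real `.qua` from the INFECTED directory to compare against file's output. A real file has content after the header, which this reader ignores, so it never touches the quarantined payload itself.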