[File] [PATCH] of Magdir/fsav for Avira AntiVir quarantined (*.qua)
christos at zoulas.com
Tue Nov 27 20:12:56 UTC 2018
On Nov 26, 11:40pm, joerg.jen.der.ek at gmx.net (Jörg Jenderek) wrote:
-- Subject: [File] [PATCH] of Magdir/fsav for Avira AntiVir quarantined (*.qu
| Some days ago I ran a treemap utility on my disks to look for disk-space
| "eating" files. Finally I found gigabytes of examples with the file name
| extension "qua". Such examples are described by the file command
| version 5.35 only as "data".
| The File Identifier TrID ( see http://mark0.net/soft-trid-e.html ) on
| the other hand describes such examples as "Avira AntiVir quarantined".
| With the verbose option -v this software shows a URL with information about
| the software firm producing such examples.
| Avira produces malware protection software with names like "AntiVirus".
| Depending on the used configuration this software removes files with
| "malware" and stores the file content together with some meta information
| inside the directory %ProgramData%\Avira\Antivirus\INFECTED on Windows OS as
| a file with the name extension "qua".
| Because malware stuff for the file command is handled by Magdir/fsav I
| started to add magic lines there. First I used the magic found in the TrID
| database ( qua-antivir.trid.xml inside triddefs_xml.7z). This is now
| expressed by the line
| 0 string AntiVir\ Qua Avira AntiVir quarantined
| Afterwards the name extension and a user-defined MIME type are now displayed by
| !:mime application/x-avira-qua
| !:ext qua
| I have tested the magic lines for examples produced with software
| version 126.96.36.199 in November 2019. I was so frustrated with the new
| Windows 10 alike GUI of Avira showing the quarantine directory, because
| the window is fixed-sized and no sorting by file size is available.
| So I myself looked for more fields to extract from the qua file by looking for
| a known virus like "eicar.com" of type "Eicar-Test-Signature" and
| comparing with the output of antivir.
| The original file name is stored as UTF-16 at different positions,
| depending on whether the original content is considered as malware or only as
| suspicious. This is done by lines like
| >156 string SUSPICIOUS_FILE
| >>220 lestring16 x %s
| >156 string !SUSPICIOUS_FILE
| >>228 lestring16 x %s
| If the content is not only suspicious but malware then the virus type like
| "Eicar-Test-Signatur" is stored at that position. That is displayed
| at the end by the lines:
| >156 string !SUSPICIOUS_FILE
| >>156 string x \b, category "%s"
| Furthermore the date is shown by the line
| >60 ldate x at %s
| After applying the above mentioned modifications by the patch file
| file-5.35-fsav.diff, all such quarantined examples are
| described by Magdir/fsav like:
| 0a477671.qua: Avira AntiVir quarantined V:\eicas.com
| at Mon Nov 12 03:39:45 2018, category "Eicar-Test-Signature"
| 134e1dc0.qua: Avira AntiVir quarantined V:\eicar.com
| at Mon Nov 12 03:19:24 2018, category "Eicar-Test-Signature"
| 774b6572.qua: Avira AntiVir quarantined V:\TEMP\foobar.dll
| at Tue Sep 06 13:27:15 2016
| I hope my diff file can be applied in a future version of the
| file utility.
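A small parser for the .qua layout described in the quoted post, added here as an example and not part of the patch or of file(1) itself: the offsets are the ones named in the magic lines (marker at 0, ldate at 60, status string at 156, UTF-16LE path at 220 or 228); the sample buffers and the assumption that the path is double-NUL terminated are constructed for this example.

```python
import struct
from datetime import datetime, timezone

MAGIC = b"AntiVir Qua"     # offset 0, as in the TrID-derived magic line
DATE_OFF = 60              # ">60 ldate": 4-byte little-endian Unix time
STATUS_OFF = 156           # ">156 string": SUSPICIOUS_FILE or detection name
NAME_OFF_SUSPICIOUS = 220  # ">>220 lestring16": original path if only suspicious
NAME_OFF_MALWARE = 228     # ">>228 lestring16": original path if malware

def read_utf16le(buf, off):
    """Decode a UTF-16LE string up to a double-NUL terminator (assumed)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace")

def parse_qua(buf):
    """Extract the fields that the quoted magic lines print."""
    if not buf.startswith(MAGIC):
        raise ValueError("not an Avira AntiVir quarantine file")
    ts = struct.unpack_from("<I", buf, DATE_OFF)[0]
    end = buf.find(b"\x00", STATUS_OFF)
    status = buf[STATUS_OFF:end if end >= 0 else None].decode("ascii", "replace")
    suspicious = status == "SUSPICIOUS_FILE"
    name_off = NAME_OFF_SUSPICIOUS if suspicious else NAME_OFF_MALWARE
    return {
        "name": read_utf16le(buf, name_off),
        "timestamp": ts,
        # file(1) renders ldate in local time; UTC keeps this deterministic
        "date": datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M:%S %Y"),
        "category": None if suspicious else status,
    }

def describe(buf):
    """One-line description in the shape the patched Magdir/fsav prints."""
    f = parse_qua(buf)
    tail = f', category "{f["category"]}"' if f["category"] else ""
    return f"Avira AntiVir quarantined {f['name']} at {f['date']}{tail}"

def build_sample(name, ts, category=None):
    """Constructed .qua-like buffer with fields at the documented offsets."""
    enc = name.encode("utf-16-le") + b"\x00\x00"
    name_off = NAME_OFF_MALWARE if category else NAME_OFF_SUSPICIOUS
    buf = bytearray(max(512, name_off + len(enc)))
    buf[:len(MAGIC)] = MAGIC
    struct.pack_into("<I", buf, DATE_OFF, ts)
    status = (category or "SUSPICIOUS_FILE").encode("ascii")
    buf[STATUS_OFF:STATUS_OFF + len(status)] = status
    buf[name_off:name_off + len(enc)] = enc
    return bytes(buf)
```

Running describe() over real quarantine files is a quick way to cross-check what the new magic lines report against the Avira GUI, without depending on a patched file binary.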