[File] [PATCH] of Magdir/fsav for Avira AntiVir quarantined (*.qua)

Christos Zoulas christos at zoulas.com
Tue Nov 27 20:12:56 UTC 2018


On Nov 26, 11:40pm, joerg.jen.der.ek at gmx.net (Jörg Jenderek) wrote:
-- Subject: [File] [PATCH] of Magdir/fsav for Avira AntiVir quarantined (*.qu

| Hello,
| 
| Some days ago I ran a treemap utility on my disks to look for disk space
| "eating" files. Finally I found gigabytes of examples with file name
| extension "qua". Such examples are described by the file command
| version 5.35 only as "data".
| 
| The File Identifier TrID ( see http://mark0.net/soft-trid-e.html ) on
| the other hand describes such examples as "Avira AntiVir quarantined".
| 
| With the verbose option -v this software shows a URL with information about
| the software firm producing such examples:
| http://www.avira.com/
| 
| Avira produces malware protection software with names like "AntiVirus".
| Depending on the configuration used, this software removes files with
| "malware" and stores the file content together with some meta information
| inside the directory %ProgramData%\Avira\Antivirus\INFECTED on Windows OS as
| a file with name extension "qua".
| 
| Because malware stuff for the file command is handled by Magdir/fsav, I
| started to add magic lines there. First I used the magic found in the TrID
| database ( qua-antivir.trid.xml inside triddefs_xml.7z). This is now
| expressed by the line
|  0	string		AntiVir\ Qua	Avira AntiVir quarantined
| Afterwards the name extension and user-defined MIME type are displayed by
| the lines:
|  !:mime	application/x-avira-qua
|  !:ext	qua
| 
| I have tested the magic lines on examples produced with software version
| 15.0.43.23 in November 2019. I was so frustrated with the new
| Windows 10-like GUI of Avira showing the quarantine directory, because
| the window is fixed-size and no sorting by file size is available.
| So I myself looked for more fields to extract from the qua file by looking at a
| known virus like "eicar.com" of type "Eicar-Test-Signature" and
| comparing with the output of AntiVir.
| The original file name is stored as UTF-16 at different positions,
| depending on whether the original content is considered malware or only
| suspicious. This is done by lines like
|  >156	string		SUSPICIOUS_FILE
|  >>220	lestring16	x		%s
|  >156	string		!SUSPICIOUS_FILE
|  >>228	lestring16	x		%s
| If the content is not only suspicious but malware, then the virus type like
| "Eicar-Test-Signature" is stored at that position. That is displayed
| at the end by the lines:
|  >156	string		!SUSPICIOUS_FILE
|  >>156	string		x		\b, category "%s"
| Furthermore the date is shown by the line
|  >60	ldate		x		at %s
| 
| After applying the above-mentioned modifications with the patch file
| file-5.35-fsav.diff, all such quarantined examples are
| described by Magdir/fsav like:
| 
| 0a477671.qua: Avira AntiVir quarantined V:\eicas.com
| 	at Mon Nov 12 03:39:45 2018, category "Eicar-Test-Signature"
| 134e1dc0.qua: Avira AntiVir quarantined V:\eicar.com
| 	at Mon Nov 12 03:19:24 2018, category "Eicar-Test-Signature"
| 774b6572.qua: Avira AntiVir quarantined V:\TEMP\foobar.dll
| 	at Tue Sep 06 13:27:15 2016
| 
| I hope my diff file can be applied in a future version of the
| file utility.

Applied, thanks!

christos
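The magic lines quoted in the message encode a small fixed-offset layout: the "AntiVir Qua" signature at offset 0, a 4-byte little-endian Unix timestamp at 60, a marker or category string at 156, and the original file name as UTF-16LE at 220 (suspicious) or 228 (malware). The Python below is an added example, not code from the file project or from the message's author: it reimplements those same tests so an analyst can triage a quarantine directory by original name, category and date without the Avira GUI. It assumes only the offsets and markers the magic lines state; the sample buffers are constructed here, and real .qua files carry additional metadata in the gaps that this parser ignores.

```python
import struct
from datetime import datetime, timezone

# Offsets and markers taken from the magic lines in the message above.
MAGIC = b"AntiVir Qua"          # 0     string      AntiVir\ Qua
OFF_DATE = 60                   # >60   ldate       4-byte little-endian Unix time
OFF_TYPE = 156                  # >156  string      SUSPICIOUS_FILE, or the category
OFF_NAME_SUSPICIOUS = 220       # >>220 lestring16  original name (suspicious file)
OFF_NAME_MALWARE = 228          # >>228 lestring16  original name (malware)
SUSPICIOUS = b"SUSPICIOUS_FILE"
MIN_LEN = OFF_NAME_MALWARE + 2  # shortest buffer on which every test can be evaluated

# Constructed timestamp for the samples: Mon Nov 12 03:39:45 2018 (UTC).
SAMPLE_TS = int(datetime(2018, 11, 12, 3, 39, 45, tzinfo=timezone.utc).timestamp())


def build_sample(original_name, category, timestamp, suspicious):
    """Build a minimal .qua-like buffer with the fields at the positions the magic
    lines name.  Constructed for this example only: real files hold more metadata
    in the gaps, which this parser deliberately ignores."""
    buf = bytearray(512)
    buf[0:len(MAGIC)] = MAGIC
    struct.pack_into("<I", buf, OFF_DATE, timestamp)
    tag = SUSPICIOUS if suspicious else category.encode("ascii")
    buf[OFF_TYPE:OFF_TYPE + len(tag)] = tag
    name = original_name.encode("utf-16-le") + b"\x00\x00"
    off = OFF_NAME_SUSPICIOUS if suspicious else OFF_NAME_MALWARE
    buf[off:off + len(name)] = name
    return bytes(buf)


def read_cstring(buf, off):
    """NUL-terminated byte string at off (what a magic 'string' test compares)."""
    end = buf.find(b"\x00", off)
    return buf[off:] if end < 0 else buf[off:end]


def read_utf16le(buf, off):
    """NUL-terminated UTF-16LE string at off (what magic 'lestring16' prints)."""
    units = []
    while off + 1 < len(buf) and buf[off:off + 2] != b"\x00\x00":
        units.append(buf[off:off + 2])
        off += 2
    return b"".join(units).decode("utf-16-le", errors="replace")


def parse_qua(buf):
    """Return the fields the magic extracts, or None when buf is not an AntiVir
    quarantine file (mirrors the top-level 'AntiVir Qua' test)."""
    if not buf.startswith(MAGIC) or len(buf) < MIN_LEN:
        return None
    ts = struct.unpack_from("<I", buf, OFF_DATE)[0]
    tag = read_cstring(buf, OFF_TYPE)
    if tag.startswith(SUSPICIOUS):
        # '>156 string SUSPICIOUS_FILE' branch: name at 220, no category
        return {"timestamp": ts, "category": None,
                "original_name": read_utf16le(buf, OFF_NAME_SUSPICIOUS)}
    # '>156 string !SUSPICIOUS_FILE' branch: offset 156 holds the category
    # and the original name sits at 228
    return {"timestamp": ts, "category": tag.decode("ascii", errors="replace"),
            "original_name": read_utf16le(buf, OFF_NAME_MALWARE)}


def describe(buf):
    """One-line description in the shape of the file(1) output quoted above.
    file's 'ldate' renders the time in the local zone; UTC is used here so the
    result is identical on every machine."""
    info = parse_qua(buf)
    if info is None:
        return "data"
    when = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    text = (f"Avira AntiVir quarantined {info['original_name']} "
            f"at {when.strftime('%a %b %d %H:%M:%S %Y')}")
    if info["category"]:
        text += f', category "{info["category"]}"'
    return text


if __name__ == "__main__":
    for sample in (build_sample("V:\\eicar.com", "Eicar-Test-Signature", SAMPLE_TS, False),
                   build_sample("V:\\TEMP\\foobar.dll", "", SAMPLE_TS, True),
                   b"MZ" + bytes(600)):
        print(describe(sample))
```

Pointing `parse_qua` at each file in the INFECTED directory and sorting the results by `timestamp` or by file size gives the overview the message says the vendor GUI lacks; since file(1) only reads the named offsets, keeping the parser to the same fields avoids guessing at undocumented parts of the container.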

