Quarantine

Discussion in 'malware problems & news' started by toploader, Sep 17, 2005.

Thread Status:
Not open for further replies.
  1. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    if a virus/trojan has been detected by an AV and "quarantined" or "jailed" what does this mean? - it implies that it hasn't removed it from the system.

    what has the AV done with it? - i.e. the reg entries, the exec, the dll, other files associated with the virus. how does windows view all this?

    if the AV is then uninstalled does this mean the virus/trojan is free to continue its naughty work?
     
    Last edited: Sep 17, 2005
  2. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    When an AV "quarantines" a nasty, it creates an encrypted copy of the file that is infected and stores it. This prevents the file from being activated again, but allows recovery if need be.
     
  3. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi Capp - in Ad-Aware (spyware scanner) after it's finished scanning it offers to quarantine first then remove - this is 2 distinct steps - i always thought that quarantine meant that the AV had prevented the virus from affecting the system (put in prison but no capital punishment (deletion)) - are you saying that all quarantine does is take a backup?
     
  4. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    You are right about the prison part. Quarantining encrypts the baddie so it can't be opened unless specified within the same program. Programs create the quarantine for recovery and analysis purposes. If you tell the program to delete it, it will create the quarantine and delete the offending file.
     
  5. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    so what you are saying is an encrypted backup is taken and then the virus is deleted from the system in a separate step? - but if i don't specify delete the virus is still active?
     
  6. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Here is the definition from webopedia

    it is encrypted so it cannot be accessed again while on your system. As Bigc said, it works a little differently for different programs.
     
  7. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi Capp sorry about this i find the whole subject totally confusing - yes i saw that definition but it made no sense because it didn't explain anything at all.
    i guess i'm looking for an in-depth definition that explains the whole mechanism so i know exactly what my AV has done. If i misunderstand what's happening i risk not effectively neutralising the virus.

    getting back to the Webopedia definition - to move the trojan to a safe area means nothing to me - what is a safe area?

    to me a safe area would be a floppy disk - therefore to quarantine would mean to move all entries in the system for that trojan to a floppy disk and then delete the trojan and all its associated files and entries from the hard disk.

    to me quarantine means delete from hard disk because nothing less would work - to take an encrypted backup of a file wouldn't work unless the original file is then deleted automatically after the backup.

    if that's the case then there would be no need for a separate delete step (but ad aware does have a separate delete step??)

    i think this is all in the semantics - what's confusing me is the Webopedia statement "to move to a safe area" this is totally meaningless unless it's a floppy because nowhere on the hard disk is "safe" the only way a virus can be safe is if it's deleted.

    ever wished you hadn't asked the question :D
     
  8. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    if your security app encrypts the trojan it can not execute which makes the quarantine a safe place. Then you have the option of restoring it or deleting it.
     
  9. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    but a trojan can consist of many files bigc - there could be a zip file, an exe file, dll file, registry entries, log files - settings could have been changed on the system, in the browser, other files could have been altered (e.g. HIPS could have changed to prevent access to AV websites) it could have injected itself into a legitimate program. so what is being encrypted here? there could be a rootkit dropper a keylogger etc etc - what i'm saying is that a trojan is not just one simple file that can be encrypted or deleted it's a whole long list of files and system changes. (i'm assuming in this case that the trojan is on the system and has been detected by a routine on-demand scan as happened to me a few days ago)

    the Webopedia definition says the trojan is moved to a safe area? it doesn't talk of encrypting the file. otherwise it would specifically mention encryption.

    if the AV has encrypted the files associated with a trojan it would either have to take a backup and then delete the original (otherwise the original is still functional) or somehow change the original on the fly??

    don't worry i will sort this out in my head over time :D
     
    Last edited: Sep 17, 2005
  10. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    i guess some of this is in the semantics?

    to move a file - is to copy it to a new location and then delete the original, so there is still just one copy - whereas to copy a file - copies to a new location but does not delete the original so you now have two copies.

    so presumably to encrypt a file is to "move" it - i.e. turn the file into gobbledegook, copy it to a new location and then delete the original.

    does that make sense? :D
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    If a scanner finds a malware file it will do two things (depending on how it is configured and what you instruct it to do!):-

    1) It deletes the file or, preferably, wipes or erases the file. If a file is deleted it can usually be recovered by using special tools, whereas if it is wiped or erased it will be overwritten which makes recovery that much harder - a wiped file is a destroyed file.

    2) It makes a copy of the file to a special 'quarantine' folder in a different location. The file will be neutralised by changing its extension (eg to .vir) or changing its name so that it cannot be executed.

    Hopefully an AV scanner will intercept the file the moment it is written to HD before it is ever run. This will grab the trojan before it drops any other files or makes Registry changes. If the malware is being found retrospectively, ie by a demand scan after it has installed, then the scanner will hopefully be able to nab the key files but there is likely to be a lot of debris lying about the system and Registry. This is likely to be harmless in itself though (Registry 'traces' etc).

    Just to confuse the issue, some AVs make a distinction between Quarantine and Backup. Backup is where they store neutered copies of deleted/wiped files, while Quarantine is where they store files that are 'equivocal' or need repairing/healing/disinfecting. The latter will be system files that have had malicious code inserted into them by a virus.
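The mechanism Capp and TopperID describe (encrypt a copy into a quarantine folder under a non-executable extension, then wipe the original so only one usable copy ever exists, with the option to restore later) can be shown end to end in a few lines. The block below is an added example written for this thread, not the code of Ad-Aware or of any AV product named above. The XOR transform is a stand-in for whatever cipher a real product uses; its only purpose here is to make the stored copy non-executable and unrecognisable on disk. It covers the single-file case only and does nothing about the registry and settings "debris" toploader asks about, which TopperID says a scanner is likely to leave behind after a retrospective find. The file name, directory names and key are constructed for the demo.

```python
"""Toy quarantine: neutralise a detected file, keep a recoverable copy, wipe the original.

Added example, not product code. XOR stands in for the real cipher.
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path


def _xor(data: bytes, key: bytes) -> bytes:
    # Symmetric transform: applying it twice gives back the original bytes.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wipe_and_delete(path: Path) -> None:
    """Overwrite the file in place before unlinking it (TopperID's 'wipe' rather than 'delete')."""
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(b"\x00" * size)
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()


def quarantine(sample: Path, qdir: Path, key: bytes) -> Path:
    """Store an encrypted copy of `sample` in `qdir` as <sha256>.vir, then wipe the original.

    A sidecar .json records where the file came from so it can be restored.
    Returns the path of the .vir blob.
    """
    qdir.mkdir(parents=True, exist_ok=True)
    data = sample.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    blob = qdir / f"{digest}.vir"            # .vir: Windows will not run this extension
    blob.write_bytes(_xor(data, key))        # stored bytes no longer look like the malware
    meta = {
        "original_path": str(sample.resolve()),
        "sha256": digest,
        "size": len(data),
        "quarantined_at": time.time(),
    }
    blob.with_suffix(".json").write_text(json.dumps(meta))
    wipe_and_delete(sample)                  # this is what makes it a 'move', not a 'copy'
    return blob


def restore(blob: Path, key: bytes) -> Path:
    """Decrypt a quarantined blob back to its original location (the recovery option)."""
    meta = json.loads(blob.with_suffix(".json").read_text())
    data = _xor(blob.read_bytes(), key)
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("quarantine record is corrupt or the key is wrong")
    target = Path(meta["original_path"])
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Round trip on a constructed, harmless sample file inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = root / "suspect.exe"                      # constructed name
        payload = b"MZ constructed harmless sample, not real malware"
        sample.write_bytes(payload)
        key = b"constructed-demo-key-not-a-secret!"        # constructed key
        blob = quarantine(sample, root / "quarantine", key)
        result = {
            "original_removed": not sample.exists(),
            "blob_suffix": blob.suffix,
            "blob_differs": blob.read_bytes() != payload,
            "restored_matches": restore(blob, key).read_bytes() == payload,
        }
    return result


if __name__ == "__main__":
    print(demo())
```

The sidecar JSON plus the content hash is what lets the program, and only that program, put the file back: the blob alone is neither runnable nor identifiable by its original name, which is the "prison but no capital punishment" state toploader was asking about. Deleting the blob and its sidecar is the separate "remove" step.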
     
  12. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    thanks for the clarification Topper :)
     