What happens when Windows Defender Quarantines Stuff...
Recently a colleague of mine asked me what happens in the file system when a malicious file is "quarantined".
The answer varies widely and as this is the "secret sauce" for many antivirus vendors, most of the time it is not overly documented how they do the voodoo they do. Seems like something that might make for a good blog or two so I sat down and did a few tests.
This post is going to cover what happened on my Windows 8 VM when I turned Windows Defender against a vicious EICAR.TXT file!
Windows Defender is a software product that attempts to detect and remove malware. Initially released as an antispyware program, it was first released as a free download for Windows XP, shipped with Windows Vista by default, and currently ships with antivirus capabilities as part of Windows 10. --Wikipedia
I chose to beat up on Windows Defender mostly because it is free and has a huge market share. Nothing personal.
So first things first: I grabbed the EICAR file and saved it to C:\temp.
Then I grabbed a copy of the $MFT to take a look at this file's record. Looks like this:
There is a lot going on in there but I just wanted to focus on a few things. If you are lost, read this.
NEXT, I turned on Windows Defender real-time protection. It was recommended.
Then a whole bunch of stuff happened.
Let's start with $MFT record number 27152. So I quickly dumped the $MFT again and here's what I got:
So what changed? Pretty much everything except the $MFT record number.
The sequence number was incremented by 4, indicating that there were numerous changes to the file: specifically the rename and the move to a new parent folder.
Let's take a closer look at the $UsnJrnl:$J to get an idea of what happened:
So, in short, Windows Defender deleted the original file. The MFT record number was then up for grabs, and it was picked up by a newly created file: C:\ProgramData\Microsoft\Windows Defender\Scans\History\RemCheck\5A7D7B64F11FF203E09434276A974A97
So where did my EICAR file go? Windows Defender puts quarantined files in C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\. Mine was saved as C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\50\50761523FA79FDF68E04707959836D1F6DBA9969.
Let's take a look at that:
For those that don't know, Windows Defender and Microsoft Security Essentials quarantine files have a magic number of 0B AD 00. Clever.
Looking at the histogram of the data, it is pretty obvious that it was stored using some kind of encryption.
After doing a bit more digging, it turns out that Windows Defender uses a hard-coded RC4 key to encrypt quarantine files.
A colleague of mine pointed me at this cool script from Cuckoo.
Here is the relevant chunk of their code that I bastardized for this blog post:
The RC4 cipher can be found twice in each of these files:
Looks like this:
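As an added example (not the Cuckoo script and not code from the original post), here is a small Python triage helper that checks a ResourceData blob for the 0B AD 00 magic and RC4-decrypts it. The key constant is a placeholder, since the post does not reproduce Defender's hard-coded key table; the assumptions are that the RC4 keystream starts at file offset 0 and that the decrypted inner header is not parsed (the post does not document its layout).

```python
from pathlib import Path

# Raw Defender/MSE quarantine files start with these bytes (as observed in the post).
QUARANTINE_MAGIC = b"\x0b\xad\x00"

# PLACEHOLDER: Defender's real hard-coded RC4 key table is not reproduced here; take it
# from the Cuckoo script the post references. The offline round-trip works with any bytes.
DEFENDER_RC4_KEY = b"PLACEHOLDER-REPLACE-WITH-DEFENDER-KEY-TABLE"


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: derive the 256-byte state permutation S from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA keystream XOR. RC4 is symmetric, so this both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def is_quarantine_blob(blob: bytes) -> bool:
    """Cheap triage check for files under Quarantine\\ResourceData: magic 0B AD 00."""
    return blob.startswith(QUARANTINE_MAGIC)


def decrypt_quarantine_blob(blob: bytes, key: bytes = DEFENDER_RC4_KEY) -> bytes:
    """Recover the encrypted content. Assumption: the keystream starts at offset 0."""
    if not is_quarantine_blob(blob):
        raise ValueError("not a Defender quarantine blob: missing 0B AD 00 magic")
    return rc4_crypt(key, blob)


def unquarantine_file(path: str, key: bytes = DEFENDER_RC4_KEY) -> bytes:
    """Read one ResourceData file from disk and return its decrypted bytes."""
    return decrypt_quarantine_blob(Path(path).read_bytes(), key)


def make_constructed_blob(plaintext: bytes, key: bytes = DEFENDER_RC4_KEY) -> bytes:
    """Test helper: build a constructed blob whose ciphertext starts with the magic."""
    ks = rc4_crypt(key, bytes(len(QUARANTINE_MAGIC)))  # keystream = RC4 of zero bytes
    prefix = bytes(m ^ k for m, k in zip(QUARANTINE_MAGIC, ks))
    return rc4_crypt(key, prefix + plaintext)
```

With the real key table substituted, `unquarantine_file` on a file from ResourceData yields the decrypted stream; the recovered file body sits behind the inner header, which this helper leaves for the reader to parse.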
I might dig a little deeper on this but this is all for now. Hope this helps.