Author Topic: variant for Avira AntiVir quarantined  (Read 783 times)

jenderek

  • Sr. Member
  • ****
  • Posts: 375
variant for Avira AntiVir quarantined
« on: January 03, 2023, 11:03:25 PM »
Hello trid users,

Some days ago i run out of disk space on a system. So i looked for
some large unneeded files. Some have the extension QUA like
(c60d47870.qua 9247bec4.qua c03bbabc.qua ed2f71c6.qua).

These samples are normally found inside "c:\ProgramData\Avira\Endpoint
Protection SDK\quarantine" directory. These are "generated" by Avira
AntiVir. So when AntiVir is running and find a suspicious file it
moves this to the quarantine folder.  Then it typically packs the
suspicious file with some meta data in a file with suffix QUA.

When i run trid utility on such QUA examples most are described as
"Avira AntiVir quarantined" by qua-antivir.trid.xml. But a few samples
(28 of 702) are described as Unknown!. The recognized samples
apparently consist of a header starting with phrase "AntiVir Qua"
followed by packed/encrypted suspicious sample code. The non described
samples have a different file structure (See appended
output/trid-v-old.txt).

For comparison reason i also run file command (newest version 5.44) on
such samples. Here the recognized samples are described as "Avira
AntiVir quarantined" with details like original file name, date and
category (See appended output/file-ext-5.44.txt). Here a mime type of
application/x-avira-qua is shown (See appended
output/file-i-5.44.txt).

For comparison reason i also run the file format identification
utility DROID ( See https://sourceforge.net/projects/droid/). Here no
samples are recognized.

Unfortunately i found no page about the file format and especially
from Avira. Luckily a little bit of information is found on support
page with question Restore or delete quarantined files. This is
expressed by line like:
 <RefURL>
 https://support.avira.com/hc/en-us/articles/360003070838-Restore-or-delete-quarantined-files
 </RefURL>

So i run tridscan on such QUA samples to generate
qua-antivir-var.trid.xml.  Because in this variant another header is
used. So this is expressed inside front block by XML constructs like:
   <Pattern>
      <Bytes>7B22656E67696E65223A22382E332E36</Bytes>
      <ASCII> { " e n g i n e " : " 8 . 3 . 6</ASCII>
      <Pos>0</Pos>
   </Pattern>
   <Pattern>
      <Bytes>2E</Bytes>
      <Pos>17</Pos>
   </Pattern>
At the beginning also a kind of variable and value correlation is
stored. These variables are described inside global strings section by
lines like:
   <String>GROUPID</String>
   <String>MALWARE</String>
   <String>WINDOWS</String>
   <String>ENGINE</String>
   <String>SHA256</String>
   <String>PATH</String>
   <String>TYPE</String>

Then there are some kind of version stored. that is expressed by line
like:
   <String>8.3.6</String>
But i do not know if this always true. So i just keep it at the
moment.

With the new trid definition now also the Avira QUA variant examples
are now also recognized (see appended output/trid-v-news.txt). TrID
definitions and output are stored in archive QUArantine.zip. I hope
that my definition can be used in future version of triddefs .

With best wishes
Jörg Jenderek

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2743
    • Mark0's Home Page
Re: variant for Avira AntiVir quarantined
« Reply #1 on: January 09, 2023, 12:08:13 AM »
Thanks!