Quarantine function query

Dhruv2193

Nov 7, 2016
Have you ever come across security software that does not ask what is to be done with quarantined files while uninstalling? What happens to these files when the software does not ask for any action during its removal?
 
Quarantined objects have been completely disabled by the AV; even if the quarantine folder is not deleted, there is 0% chance malware can escape.
But why does this happen? After removal, won't the restrictions placed by the antivirus be removed?
 
But why does this happen? After removal, won't the restrictions placed by the antivirus be removed?
Quarantined files are usually encrypted, stored in a hidden folder and don't have an exe extension. Even if this was not the case and the files were stored without being encrypted and still had the .exe extension, they would be harmless unless you actually opened the quarantine folder and manually opened some of the files.
 
But why does this happen? After removal, won't the restrictions placed by the antivirus be removed?
I think you're thinking of quarantine as a malware jail, but it's not.

Once a file is detected as malicious and "moved to quarantine", what really happens is that the antivirus deletes the file from its original location and then modifies it (call it permissions, strings) in order for it NOT to be able to run as a program/executable. This modified file is moved to the hidden folder mentioned by @roger_m, which nobody can access. If you then choose to empty quarantine, this folder and its contents are deleted for good.

If upon uninstall an antivirus doesn't let you choose what to do with quarantined objects (usually it should), then this folder will probably remain hidden, full of modified, harmless objects.
 
Quarantined files are usually encrypted, stored in a hidden folder and don't have an exe extension. Even if this was not the case and the files were stored without being encrypted and still had the .exe extension, they would be harmless unless you actually opened the quarantine folder and manually opened some of the files.
Thanks. Solved my query. But as Robbie mentioned that the files cannot be run as a program/executable, will manually opening them do anything malicious to the system?
 
Thanks. Solved my query. But as Robbie mentioned that the files cannot be run as a program/executable, will manually opening them do anything malicious to the system?
You can't manually execute them; they're modified not to. Plus they're hidden, so you can't see them :)
 
So it is practically impossible for us and other people to execute it by any way/tool?
Correct, that's the purpose of quarantine: isolating malware in a way that nobody, not hackers, not even you, can make it work (unless you restore it).
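
The quarantine steps described in this thread (remove the original, store a modified copy without an executable extension or execute permission, restore only on request), as an added illustration that is not part of any post and not any antivirus product's actual format. The single-byte XOR, the `.q`/`.json` file names and the vault folder are assumptions made for the example; the sample file is constructed, harmless bytes.

```python
import hashlib, json, os, stat, tempfile
from pathlib import Path

XOR_KEY = 0xA5  # assumption: toy key standing in for a product's real encoding

def _xor(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in data)

def quarantine(path: Path, vault: Path) -> Path:
    """Remove `path` from its original location and keep an inert copy in `vault`."""
    raw = path.read_bytes()
    digest = hashlib.sha256(raw).hexdigest()
    vault.mkdir(parents=True, exist_ok=True)
    blob = vault / (digest + ".q")               # no .exe extension
    blob.write_bytes(_xor(raw))                  # bytes are no longer a valid program
    os.chmod(blob, stat.S_IRUSR | stat.S_IWUSR)  # no execute permission
    meta = {"original_path": str(path), "sha256": digest}
    blob.with_suffix(".json").write_text(json.dumps(meta))
    path.unlink()                                # original is gone from where it ran
    return blob

def restore(blob: Path) -> Path:
    """Explicit restore: decode, verify the hash, write back to the original path."""
    meta_file = blob.with_suffix(".json")
    meta = json.loads(meta_file.read_text())
    raw = _xor(blob.read_bytes())
    if hashlib.sha256(raw).hexdigest() != meta["sha256"]:
        raise ValueError("quarantine blob is corrupt")
    target = Path(meta["original_path"])
    target.write_bytes(raw)
    blob.unlink()
    meta_file.unlink()
    return target

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.exe"
        sample.write_bytes(b"MZ" + b"constructed harmless test bytes")
        original = sample.read_bytes()
        blob = quarantine(sample, Path(tmp) / ".vault")
        result = {
            "original_removed": not sample.exists(),
            "header_intact": blob.read_bytes().startswith(b"MZ"),
            "executable_bit": bool(blob.stat().st_mode & stat.S_IXUSR),
            # What an uninstall that skips the quarantine prompt would leave behind.
            "left_on_disk": sorted(p.suffix for p in blob.parent.iterdir()),
        }
        result["restored_ok"] = restore(blob).read_bytes() == original
        return result

if __name__ == "__main__":
    print(demo())
```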