Anti-virus software (AV software) is a type of computer software that tries to identify malicious software and to prevent it from running. Since anti-virus software may wrongfully identify harmless files as malicious (false positives), AV software makes use of quarantining files. If a file is put into quarantine by an AV software, the AV software removes the original suspected malicious file and stores a modified obfuscated version in another location.
In this paper, the quarantine files of different AV software solutions were analyzed. The encryption and obfuscation methods were documented (including encryption keys) and parsers created using Kaitai Struct.
Get the latest news about technical topics within the IT-Security Community and a lot of special insights. Sign up now for our Newsletter at ernw.de:
There is a growing landscape of security products promising to protect an organization’s IT infrastructure from attacks. Solutions referred to as EDR, and sometimes also as XDR, are designed to protect endpoints from all malicious activity. The ever-increasing cases of breaches and the associated costs, especially in the realm of ransomware attacks, raise the question […]
During a customer project, we identified privilege escalation vulnerabilities in Broadcom VMware Aria Operations. It is possible to escalate the privileges of an administrative vCenter user to an Aria administrator and take over systems integrated in Aria. Meaning, the vCenter user can gain privileged access to systems they have no access to. While both users […]
This blog post describes the journey of how we discovered an interesting Bluetooth SoC within the Datong NP330, a Printer Server IoT device. Our initial goal was to reverse-engineer and analyze the Bluetooth controller that is included in the device. So we wanted to be able to dump the firmware or, if possible, get shell […]
AI agents are here, there, and everywhere. Smarter, faster, and more skilled, they gain greater autonomy and trust. We trust their capabilities to do many tasks much faster and sometimes better than we can. We trust them as they usually demonstrate their eagerness to please us and fulfill our commands. Isn’t that too good to […]
During a customer project we identified an issue with the validation of JWT tokens that allowed us to bypass the authentication by using unsigned tokens with arbitrary payloads. During analysis we found out that this is caused by a vulnerability within the library OpenID Connect Authenticator for Tomcat.