[AI] What happens when my anti-malware tool quarantines something?

Waseem mohammadwaseemk at gmail.com
Wed Aug 25 17:03:10 EDT 2010

Dear all,
Whenever I think about the term
 my anti-malware tool quarantines something.
Immediately several questions come to my mind.

So, I have tried to solve some of these.

How does the Quarantine function by an anti-malware software works? Specifically, when a malware is placed in quarantine, how is that malware rendered impotent? Is the quarantine escape-proof? Other than an accidental restoration by the user, is there any risk to leaving a malware in quarantine indefinitely? Can a malware be released back into the PC system if the anti-malware software somehow malfunctions? Bottom line, should we delete a malware from quarantine as soon as we are sure it's not a false positive?


Even though "quarantine" is a common term among anti-malware tools, there's actually not a consistent definition of exactly what it means. As a result, I can't tell you specifically what your tool - or any tool for that matter - does when it places something in quarantine.

However, knowing a little about how malware works, and a lot about how Windows works, I can certainly cover the concepts that probably apply in most cases.

Malware being quarantined in all likelihood means this: 

The file identified as containing malware is moved to a folder that Windows would normally not look in - it's one of the standard places that Windows might look for programs to run, and it's not referenced by other software on the machine.

  a.. The file is renamed. Much malware relies on the filename being similar to existing Windows files, and/or being a file type - such as ".exe" - that Windows would normally run as a program. Renaming the file removes both of those possibilities, preventing Windows from running the file, and making it obvious by it's name that the file is in quarantine.
  b.. The file may also be marked as "hidden", or (if on a file system that supports it) the permissions on it may be reset such that the file cannot be opened by normal system processes.
  c.. An especially sophisticated quarantine could also encrypt or encode the file so that even if it were somehow accessed it would remain meaningless.
By and large just moving the file is sufficient to remove the potential for harm. The additional steps are just that - additional steps that further ensure that the file will not be accidentally allowed to re-infect.

"By and large just moving the file)is sufficient to remove the potential for harm."

Malware Returning from the Grave
The only way I could see malware returning from quarantine would be:

  a.. You explicitly, manually restored it outside of the anti-malware software. This isn't typically easy - you'll have meant to do this for some reason.
  b.. The anti-malware software itself was accidentally instructed to do so - most have a "restore" function, and it's possible I suppose to trigger that by accident.
I'm not aware of any malicious way that malware would return from the grave, other than simply getting infected again by whatever means your machine became infected in the first place.

As a result, I don't see a pressing need to delete malware from quarantine; it's just not likely to come back from there.

But then again I also don't see a reason not to. Once you have determined that the file is infected malware and not a false positive why would you want to leave the file on your machine? There's really no point, so in practice I would do just that - delete the files from quarantine after I'm sure that it's safe to do so.

In the end:

Anti-malware tools, on identifying malicious software, will "quarantine" it. I'll look at what that means, and if there's any residual threat.


More information about the AccessIndia mailing list