Endpoint Protection

  • 1.  Need Info about structure of Symantec Quarantine Files (*.vbn)

    Posted Oct 28, 2010 09:45 AM

    Hi all,

    I am working on an incident where the suspect might have used some sort of trojan.

    For whatever reason the quarantine folder was touched. If I try to extract the suspicious file out of the quarantine archive with QEXTRACT I only get error messages.

    I started to analyze the vbn-files and was able to decrypt the XOR.
    However I cannot see where the quarantined file itself starts inside the vbn-data.

    I would REALLY appreciate it if someone could give me a hint whether there is an offset stored to the file-data and where to find it.


    Thanks in advance!

    regards

    Marc



  • 2.  RE: Need Info about structure of Symantec Quarantine Files (*.vbn)

    Posted Oct 28, 2010 09:49 AM


    Navigate to the Quarantine folder

    SEP:
    <OS drive>\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine

    SAV:
    <OS drive>\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine

    For every .VBN file in this Quarantine folder there should be another folder with the same name as the .VBN file. Example: If there is a file named ABCD1234.VBN in the Quarantine folder, there should also be a folder named ABCD1234 in the Quarantine folder.
    Navigate to that folder.

    In this folder are the .VBN files that need to be submitted. Copy the desired .VBN file to the desktop for easy access.

    Open a web browser and visit the appropriate URL as provided by support.
    Upload the file(s) as directed by the web page.

    There may be multiple .VBN files located in the Quarantine folder.
    These files are encrypted, but if they are opened in a text editor (such as notepad.exe) the original file name can be read at the top.

    If there are multiple .VBN files present and you're unsure of which file(s) to submit, we recommend that you open the SEP/SAV interface, access Quarantine and remove everything except for the file(s) you want to submit.

    These files are encrypted by Symantec in such a way that we can decrypt them for inspection. While they do potentially contain an infection, due to the proprietary encryption used, there is no danger of infection from these specific files while moving them.


  • 3.  RE: Need Info about structure of Symantec Quarantine Files (*.vbn)

    Posted Oct 28, 2010 09:52 AM

    To extract the file

    you can use the SEP interface.

    Click on Quarantine; you will see the list of files which are quarantined.

    You can restore the file...

    Is that what you are looking for?



  • 4.  RE: Need Info about structure of Symantec Quarantine Files (*.vbn)

    Posted Oct 29, 2010 02:41 AM

    Thanks for your replies...

    As I mentioned, the quarantine folder seems to be corrupted (either by the suspect or an admin...).

    There are only the {session-id} folders; the {session-id}.vbn files are missing.

    Thus I cannot recover the quarantined files with either SEP or QEXTRACT.

    Due to internal regulations I can NOT just submit the vbn-files to Symantec for extraction.

    For forensic reasons I have to show that the vbn-contents are the files we're looking for.

    Sorry for Symantec, but I was already able to "decrypt" the vbn-file contents with some test viruses.

    But I can't see where exactly the encrypted virus file is stored in the vbn-file; it seems to change every time...

    That's why I am asking for some insider information regarding the vbn-file structure.

    (If needed, it can be sent to my official email account; additionally I assure non-disclosure!!)


    best regards

    Marc
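The problem Marc describes in posts 1 and 4 (the XOR layer is known, but the start offset of the quarantined file moves from record to record) can be handled without insider knowledge of the format: try every single-byte XOR key, look for well-known file signatures in the decoded bytes, validate the strongest candidate structurally, and carve from there. The following is an added forensic example written for this thread, not Symantec's code and not a description of the real VBN layout; the header text, the two keys and the PE-shaped payload are all constructed sample data, and nothing here claims what key Symantec actually uses.

```python
"""Locate a single-byte-XOR-obfuscated file inside an opaque quarantine blob.

Added example (not Symantec's code, not the real VBN layout). It assumes only
that the payload is XORed with one byte and begins with a recognizable magic,
which is exactly the situation described in the thread.
"""
import hashlib
import struct
from typing import List, Optional, Tuple

# Magic bytes to look for at the start of a carved payload.
SIGNATURES = {
    b"MZ": "DOS/PE executable",
    b"PK\x03\x04": "ZIP container (also docx/jar/apk)",
    b"%PDF-": "PDF document",
    b"\x7fELF": "ELF executable",
    b"\xd0\xcf\x11\xe0": "OLE2 compound document",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key via a translation table (C speed, key 0 is identity)."""
    return data.translate(bytes(i ^ key for i in range(256)))


def looks_like_pe(plain: bytes, off: int) -> bool:
    """Structural check for an 'MZ' hit: e_lfanew at +0x3C must point at 'PE\\0\\0'.

    Two-byte magics hit by chance across 256 keys; this removes those false positives.
    """
    if plain[off:off + 2] != b"MZ" or off + 0x40 > len(plain):
        return False
    e_lfanew = struct.unpack_from("<I", plain, off + 0x3C)[0]
    pe = off + e_lfanew
    return 0x40 <= e_lfanew < 0x1000 and plain[pe:pe + 4] == b"PE\0\0"


def find_candidates(blob: bytes) -> List[Tuple[int, int, str]]:
    """Return (key, offset, description) for every validated signature hit under every key."""
    hits = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        for magic, desc in SIGNATURES.items():
            start = 0
            while (off := plain.find(magic, start)) >= 0:
                if magic != b"MZ" or looks_like_pe(plain, off):
                    hits.append((key, off, desc))
                start = off + 1
    return hits


def locate_payload(blob: bytes) -> Optional[Tuple[int, int, str]]:
    """Best candidate: validated PE hits rank first, then the earliest offset."""
    hits = find_candidates(blob)
    if not hits:
        return None
    return min(hits, key=lambda h: (h[2] != "DOS/PE executable", h[1]))


def carve(blob: bytes, key: int, offset: int) -> Tuple[bytes, str]:
    """Decode from the located offset to the end and hash the result for the case file."""
    payload = xor_bytes(blob[offset:], key)
    return payload, hashlib.sha256(payload).hexdigest()


# ---- constructed sample data (not a real quarantine record) ----------------
PAYLOAD_KEY = 0xC7  # constructed key for the sample, not Symantec's


def build_fake_pe() -> bytes:
    """Minimal PE-shaped bytes: DOS stub with e_lfanew=0x80, then a PE signature."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\x00" * 250


def build_sample(header_len: int = 0x1A0) -> bytes:
    """Constructed blob: a readable header (file name visible, as post 2 notes),
    padded to a variable length, followed by the XORed payload."""
    header = b"CONSTRUCTED-QUARANTINE-RECORD original=C:\\Users\\test\\sample.exe\x00"
    return header.ljust(header_len, b"\x00") + xor_bytes(build_fake_pe(), PAYLOAD_KEY)


if __name__ == "__main__":
    sample = build_sample()
    best = locate_payload(sample)
    if best:
        key, off, desc = best
        payload, digest = carve(sample, key, off)
        print(f"{desc} at offset 0x{off:X} under key 0x{key:02X}, sha256={digest}")
```

Run it against a real record by reading the file into `blob` and calling `locate_payload`; the reported offset and key, together with the hash of the carved bytes, are what an examiner would put in the report to show that the quarantine record contains the file in question. Because the scan does not depend on where the header ends, a header whose length varies between records (the symptom in post 4) does not affect the result.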