Symantec VBN (quarantine) files have been rather troublesome for most people. I've read what articles I could find and looked at various tools on the subject but at some point, they all failed. There had to be something everyone was missing. And there was! As a community, we figured out that there were two types of VBN files. Depending on where they were in the folder structure determined whether they contained the quarantined file, or so we thought.
Shane King had shared his research into VBN's which laid the groundwork for the majority of my research. His methodology into extracting the quarantined content worked majority of the time, but not always. I was looking though Symantec's quarantine location one day and noticed some rather large VBN's in the location where they should only contain metadata and not quarantined content. When I XORed the data, I soon realized these larger files too contained quarantined content. A third VBN type!
 |
| Quarantine folder structure |
Focusing back on the first structure in the VBN, they all looked the same. There had to be something in this structure that indicated what type of VBN we are dealing with. Back to Shane's work, there were a lot of unknowns in this structure. Looking through the unknown parts of the structure, I was able to figure out what the timestamps meant and various other things, but no indication on what would come next after this structure. It wasn't until I started playing around with Symantec's Qextract tool that I found my answer.
Qextract gives detailed output of the VBN files in the quarantine folder. By looking through this output, I was able to find the majority of the locations in the VBN file where Qextract was getting its information from. There was one part of the output that stood out to me, Record Type. With this information, it confirmed my hypotheses that there were three different types of VBN.
VBN file format V1 (Windows - SEP 11)
VBN Metadata
| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 4 | Size | Size of the VBN Metadata section, 0xe5c |
| 4 | 384 | Description | FQP of Quarantine File |
| 388 | 984 | Log Line | Information on event. |
| 1372 | 4 | Data Type | Value which can describe the subsequent data. (0x1 = No dates, 0x2 = Dates) |
| 1376 | 4 | Record ID | VBin ID/VBN Name |
| 1380 | 8 | Date Created | Indicates a time of creation of object on the file system. (Windows Filetime) |
| 1388 | 8 | Date Accessed | Indicates a time of last access of an object. (Windows Filetime) |
| 1396 | 8 | Date Modified | Indicates a time of last modification of content. (Windows Filetime) |
| 1404 | 4 | Data Type | Value which can describe the subsequent data. (0x0 = No storage info, 0x2 = Storage info) |
| 1408 | 484 | Unknown | Will require further investigation as to the purpose of this entry. |
| 1892 | 48 | Storage Name | Where threat was found (FileSystem/InternetMail/LotusNotes/MicrosoftExchange) |
| 1940 | 4 | Storage Instance ID | Will require further investigation as to the purpose of this entry. |
| 1944 | 384 | Storage Key | Will require further investigation as to the purpose of this entry. |
| 2328 | 4 | Data Type | Value which can describe the subsequent data. |
| 2332 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2336 | 8 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2344 | 4 | Data Type | Value which can describe the subsequent data. |
| 2348 | 4 | Quarantine Data Size | Size of Quarantined Data (bytes) |
| 2352 | 4 | Date Accessed | Indicates a time of last access of an object. (Unix: 32 bit Hex) |
| 2356 | 4 | Date Modified | Indicates a time of last modification of content. (Unix: 32 bit Hex) |
| 2360 | 4 | Date Created | Indicates a time of creation of object on the file system. (Unix: 32 bit Hex) |
| 2364 | 4 | VBin Time | Time data was quarantined. (Unix: 32 bit Hex) |
| 2368 | 8 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2376 | 16 | Unique ID | Unique GUID |
| 2392 | 260 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2652 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2656 | 4 | Record Type | 0x0 = Hybrid, 0x1 = Meta, 0x2 = Quarantine |
| 2660 | 4 | Quarantine Session ID | Name of subfolder where VBN is stored |
| 2664 | 4 | Remediation Type | Type of remediation 0 None 2000 Registry 2001 File 2002 Process 2003 Batch File 2004 INI File 2005 Service 2006 Infected File 2007 COM Object 2008 Host File Entry 2009 Directory 2010 Layered Service Provider 2011 Internet Browser Cache |
| 2668 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2672 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2676 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2680 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2684 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2688 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2692 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2696 | 768 | Wide Description | FQP of Quarantine File (Unicode) |
| 3464 | 212 | Unknown | Will require further investigation as to the purpose of this entry. |
VBN file format V2 (Windows - SEP 12 +)
VBN Metadata
| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 4 | Size | Size of the VBN Metadata section, 0x1290 |
| 4 | 384 | Description | FQP of Quarantine File |
| 388 | 2048 | Log Line | Information on event. |
| 2436 | 4 | Data Type | Value which can describe the subsequent data. (0x1 = No dates, 0x2 = Dates) |
| 2440 | 4 | Record ID | VBin ID/VBN Name |
| 2444 | 8 | Date Created | Indicates a time of creation of object on the file system. (Windows Filetime) |
| 2452 | 8 | Date Accessed | Indicates a time of last access of an object. (Windows Filetime) |
| 2460 | 8 | Date Modified | Indicates a time of last modification of content. (Windows Filetime) |
| 2468 | 4 | Data Type | Value which can describe the subsequent data. (0x0 = No storage info, 0x2 = Storage info) |
| 2472 | 484 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2956 | 48 | Storage Name | Where threat was found (FileSystem/InternetMail/LotusNotes/MicrosoftExchange) |
| 3004 | 4 | Storage Instance ID | Will require further investigation as to the purpose of this entry. |
| 3008 | 384 | Storage Key | Will require further investigation as to the purpose of this entry. |
| 3392 | 4 | Data Type | Value which can describe the subsequent data. |
| 3396 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3400 | 8 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3408 | 4 | Data Type | Value which can describe the subsequent data. |
| 3412 | 4 | Quarantine Data Size | Size of Quarantined Data (bytes) |
| 3416 | 4 | Date Accessed | Indicates a time of last access of an object. (Unix: 32 bit Hex) |
| 3420 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3424 | 4 | Date Modified | Indicates a time of last modification of content. (Unix: 32 bit Hex) |
| 3428 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3432 | 4 | Date Created | Indicates a time of creation of object on the file system. (Unix: 32 bit Hex) |
| 3436 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3440 | 4 | VBin Time | Time data was quarantined. (Unix: 32 bit Hex) |
| 3444 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3448 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3452 | 16 | Unique ID | Unique GUID |
| 3468 | 260 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3728 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3732 | 4 | Record Type | 0x0 = Hybrid, 0x1 = Meta, 0x2 = Quarantine |
| 3736 | 4 | Quarantine Session ID | Name of subfolder where VBN is stored |
| 3740 | 4 | Remediation Type | Type of remediation 0 None 2000 Registry 2001 File 2002 Process 2003 Batch File 2004 INI File 2005 Service 2006 Infected File 2007 COM Object 2008 Host File Entry 2009 Directory 2010 Layered Service Provider 2011 Internet Browser Cache |
| 3744 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3748 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3752 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3756 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3760 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3764 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3768 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3772 | 768 | Wide Description | FQP of Quarantine File (Unicode) |
| 4540 | 212 | Unknown | Will require further investigation as to the purpose of this entry. |
No comments:
Post a Comment