Tuesday, March 16, 2021

Your AV is Trying to Tell You Something: VBN's Part 4

In this post, we will cover record type 1 VBNs. This will be fairly short because there is not much to this type of VBN. After the VBN Metadata, it contains one structure that is not XORed: the Quarantine Metadata structure. It holds the same kind of data as the Quarantine Metadata in record type 2, minus the header information.


Record Type 1

Quarantine Metadata

The quarantine metadata appears to be in ASN.1 format. It consists of a series of tags, each a one-byte code followed by a value whose length is listed below.

Code   Value Length   Extra Data
0x01   1              None
0x0A   1              None
0x03   4              None
0x06   4              None
0x04   8              None
0x07   4              NUL-terminated ASCII string (length given by the dword following the 0x07 code)
0x08   4              NUL-terminated Unicode string (length given by the dword following the 0x08 code)
0x09   4              Container (length given by the dword following the 0x09 code)
0x0F   16             None
0x10   16             None
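As an added example (not code from the original post), here is a small Python walker for the tag layout in the table above. It assumes little-endian integers and UTF-16LE for the Unicode strings, neither of which the post states, and leaves the 0x09 container bytes unparsed because the post does not say what they hold. The sample stream is constructed for the demo, not taken from a real VBN.

```python
import struct

# Fixed value lengths for the tag codes in the table above.
FIXED_LENGTHS = {0x01: 1, 0x0A: 1, 0x03: 4, 0x06: 4, 0x04: 8, 0x0F: 16, 0x10: 16}
# Codes whose 4-byte value is a length prefix for variable-size data that follows it.
ASCII_STRING, UNICODE_STRING, CONTAINER = 0x07, 0x08, 0x09


def parse_quarantine_metadata(buf):
    """Walk the tag stream and return a list of (code, value) tuples.

    Assumption: integers are little-endian and 'Unicode' means UTF-16LE.
    Malformed or truncated input raises ValueError instead of silently misparsing.
    """
    tags, pos = [], 0
    while pos < len(buf):
        code, start = buf[pos], pos
        pos += 1
        if code in FIXED_LENGTHS:
            size = FIXED_LENGTHS[code]
            raw = buf[pos:pos + size]
            if len(raw) != size:
                raise ValueError(f"truncated fixed tag 0x{code:02X} at offset {start}")
            pos += size
            # 1/4/8-byte values are decoded as integers; 16-byte values are kept raw.
            value = int.from_bytes(raw, "little") if size in (1, 4, 8) else raw
        elif code in (ASCII_STRING, UNICODE_STRING, CONTAINER):
            if pos + 4 > len(buf):
                raise ValueError(f"missing length dword for tag 0x{code:02X} at offset {start}")
            (size,) = struct.unpack_from("<I", buf, pos)
            pos += 4
            raw = buf[pos:pos + size]
            if len(raw) != size:
                raise ValueError(f"truncated tag 0x{code:02X} at offset {start}")
            pos += size
            if code == ASCII_STRING:
                value = raw.rstrip(b"\x00").decode("ascii", errors="replace")
            elif code == UNICODE_STRING:
                value = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
            else:
                value = raw  # container body returned as-is (contents not described on the page)
        else:
            raise ValueError(f"unknown tag code 0x{code:02X} at offset {start}")
        tags.append((code, value))
    return tags


def build_sample():
    """Constructed sample stream (hypothetical values, not from a real VBN)."""
    ascii_val = b"C:\\Temp\\sample.bin\x00"
    uni_val = "Constructed.Test\x00".encode("utf-16-le")
    inner = bytes([0x01, 0x01])  # container body: one fixed 0x01 tag
    return (bytes([0x01, 0x01])
            + bytes([0x03]) + struct.pack("<I", 0x1234)
            + bytes([0x07]) + struct.pack("<I", len(ascii_val)) + ascii_val
            + bytes([0x08]) + struct.pack("<I", len(uni_val)) + uni_val
            + bytes([0x09]) + struct.pack("<I", len(inner)) + inner
            + bytes([0x0F]) + bytes(range(16)))
```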
