# Windows VBN File Record Type 0 Format

VBN_File_Format_Windows.md

The VBN metadata section comes in two layouts, distinguished by the Size field at offset 0:

- VBN file format V1 (Windows - SEP 11), metadata size 0xe5c
- VBN file format V2 (Windows - SEP 12 +), metadata size 0x1290

## VBN Metadata (V1, SEP 11)

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 4 | Size | Size of the VBN Metadata section, 0xe5c |
| 4 | 384 | Description | FQP (fully qualified path) of the quarantined file |
| 388 | 984 | Log Line | Information on the event |
| 1372 | 4 | Data Type | Value describing the data that follows (0x1 = no dates, 0x2 = dates) |
| 1376 | 4 | Record ID | VBin ID / VBN name |
| 1380 | 8 | Date Created | Creation time of the object on the file system (Windows FILETIME) |
| 1388 | 8 | Date Accessed | Last access time of the object (Windows FILETIME) |
| 1396 | 8 | Date Modified | Last content modification time (Windows FILETIME) |
| 1404 | 4 | Data Type | Value describing the data that follows (0x0 = no storage info, 0x2 = storage info) |
| 1408 | 484 | Unknown | Requires further investigation |
| 1892 | 48 | Storage Name | Where the threat was found (FileSystem / InternetMail / LotusNotes / MicrosoftExchange) |
| 1940 | 4 | Storage Instance ID | Requires further investigation |
| 1944 | 384 | Storage Key | Requires further investigation |
| 2328 | 4 | Data Type | Value describing the data that follows |
| 2332 | 4 | Unknown | Requires further investigation |
| 2336 | 8 | Unknown | Requires further investigation |
| 2344 | 4 | Data Type | Value describing the data that follows |
| 2348 | 4 | Quarantine Data Size | Size of the quarantined data (bytes) |
| 2352 | 4 | Date Accessed | Last access time of the object (32-bit Unix time) |
| 2356 | 4 | Date Modified | Last content modification time (32-bit Unix time) |
| 2360 | 4 | Date Created | Creation time of the object on the file system (32-bit Unix time) |
| 2364 | 4 | VBin Time | Time the data was quarantined (32-bit Unix time) |
| 2368 | 8 | Unknown | Requires further investigation |
| 2376 | 16 | Unique ID | Unique GUID |
| 2392 | 260 | Unknown | Requires further investigation |
| 2652 | 4 | Unknown | Requires further investigation |
| 2656 | 4 | Record Type | 0x0 = Hybrid, 0x1 = Meta, 0x2 = Quarantine |
| 2660 | 4 | Quarantine Session ID | Name of the subfolder where the VBN is stored |
| 2664 | 4 | Remediation Type | Type of remediation (values listed below) |
| 2668 | 4 | Unknown | Requires further investigation |
| 2672 | 4 | Unknown | Requires further investigation |
| 2676 | 4 | Unknown | Requires further investigation |
| 2680 | 4 | Unknown | Requires further investigation |
| 2684 | 4 | Unknown | Requires further investigation |
| 2688 | 4 | Unknown | Requires further investigation |
| 2692 | 4 | Unknown | Requires further investigation |
| 2696 | 768 | Wide Description | FQP of the quarantined file (Unicode) |
| 3464 | 212 | Unknown | Requires further investigation |

Remediation Type values:

| Value | Remediation Type |
|---|---|
| 0 | None |
| 2000 | Registry |
| 2001 | File |
| 2002 | Process |
| 2003 | Batch File |
| 2004 | INI File |
| 2005 | Service |
| 2006 | Infected File |
| 2007 | COM Object |
| 2008 | Host File Entry |
| 2009 | Directory |
| 2010 | Layered Service Provider |
| 2011 | Internet Browser Cache |

## VBN Metadata (V2, SEP 12 +)

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 4 | Size | Size of the VBN Metadata section, 0x1290 |
| 4 | 384 | Description | FQP (fully qualified path) of the quarantined file |
| 388 | 2048 | Log Line | Information on the event |
| 2436 | 4 | Data Type | Value describing the data that follows (0x1 = no dates, 0x2 = dates) |
| 2440 | 4 | Record ID | VBin ID / VBN name |
| 2444 | 8 | Date Created | Creation time of the object on the file system (Windows FILETIME) |
| 2452 | 8 | Date Accessed | Last access time of the object (Windows FILETIME) |
| 2460 | 8 | Date Modified | Last content modification time (Windows FILETIME) |
| 2468 | 4 | Data Type | Value describing the data that follows (0x0 = no storage info, 0x2 = storage info) |
| 2472 | 484 | Unknown | Requires further investigation |
| 2956 | 48 | Storage Name | Where the threat was found (FileSystem / InternetMail / LotusNotes / MicrosoftExchange) |
| 3004 | 4 | Storage Instance ID | Requires further investigation |
| 3008 | 384 | Storage Key | Requires further investigation |
| 3392 | 4 | Data Type | Value describing the data that follows |
| 3396 | 4 | Unknown | Requires further investigation |
| 3400 | 8 | Unknown | Requires further investigation |
| 3408 | 4 | Data Type | Value describing the data that follows |
| 3412 | 4 | Quarantine Data Size | Size of the quarantined data (bytes) |
| 3416 | 4 | Date Accessed | Last access time of the object (32-bit Unix time) |
| 3420 | 4 | Unknown | Requires further investigation |
| 3424 | 4 | Date Modified | Last content modification time (32-bit Unix time) |
| 3428 | 4 | Unknown | Requires further investigation |
| 3432 | 4 | Date Created | Creation time of the object on the file system (32-bit Unix time) |
| 3436 | 4 | Unknown | Requires further investigation |
| 3440 | 4 | VBin Time | Time the data was quarantined (32-bit Unix time) |
| 3444 | 4 | Unknown | Requires further investigation |
| 3448 | 4 | Unknown | Requires further investigation |
| 3452 | 16 | Unique ID | Unique GUID |
| 3468 | 260 | Unknown | Requires further investigation |
| 3728 | 4 | Unknown | Requires further investigation |
| 3732 | 4 | Record Type | 0x0 = Hybrid, 0x1 = Meta, 0x2 = Quarantine |
| 3736 | 4 | Quarantine Session ID | Name of the subfolder where the VBN is stored |
| 3740 | 4 | Remediation Type | Type of remediation (values listed below) |
| 3744 | 4 | Unknown | Requires further investigation |
| 3748 | 4 | Unknown | Requires further investigation |
| 3752 | 4 | Unknown | Requires further investigation |
| 3756 | 4 | Unknown | Requires further investigation |
| 3760 | 4 | Unknown | Requires further investigation |
| 3764 | 4 | Unknown | Requires further investigation |
| 3768 | 4 | Unknown | Requires further investigation |
| 3772 | 768 | Wide Description | FQP of the quarantined file (Unicode) |
| 4540 | 212 | Unknown | Requires further investigation |

Remediation Type values:

| Value | Remediation Type |
|---|---|
| 0 | None |
| 2000 | Registry |
| 2001 | File |
| 2002 | Process |
| 2003 | Batch File |
| 2004 | INI File |
| 2005 | Service |
| 2006 | Infected File |
| 2007 | COM Object |
| 2008 | Host File Entry |
| 2009 | Directory |
| 2010 | Layered Service Provider |
| 2011 | Internet Browser Cache |
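As an added example (not code from the original page or from Symantec), the following Python parser reads both metadata layouts using the offsets in the tables above, selecting V1 or V2 from the Size field at offset 0. It assumes little-endian integers, NUL-terminated single-byte strings for the narrow fields and UTF-16LE for the Wide Description, none of which the tables state explicitly; the sample record it builds is constructed for the demonstration.

```python
import struct
from datetime import datetime, timezone

# Field offsets from the V1 (Size 0xe5c) and V2 (Size 0x1290) tables; the Size
# field at offset 0 selects the layout. Little-endian is assumed (Windows convention).
LAYOUTS = {
    0xE5C:  dict(log=(388, 984), vbin_time=2364, record_type=2656, wide_desc=2696),
    0x1290: dict(log=(388, 2048), vbin_time=3440, record_type=3732, wide_desc=3772),
}
RECORD_TYPE = {0: "Hybrid", 1: "Meta", 2: "Quarantine"}
REMEDIATION = {0: "None", 2000: "Registry", 2001: "File", 2002: "Process", 2003: "Batch File",
               2004: "INI File", 2005: "Service", 2006: "Infected File", 2007: "COM Object",
               2008: "Host File Entry", 2009: "Directory", 2010: "Layered Service Provider",
               2011: "Internet Browser Cache"}

def cstr(buf, off, length, enc="latin-1"):
    """NUL-terminated string from a fixed-width field (single-byte encoding assumed)."""
    return buf[off:off + length].split(b"\0", 1)[0].decode(enc, "replace")

def parse_vbn_metadata(buf):
    size = struct.unpack_from("<I", buf, 0)[0]
    if size not in LAYOUTS or len(buf) < size:
        raise ValueError(f"unsupported or truncated VBN metadata, size=0x{size:x}")
    lay = LAYOUTS[size]
    # Record Type, Quarantine Session ID and Remediation Type are three consecutive u32s.
    rtype, session, remed = struct.unpack_from("<III", buf, lay["record_type"])
    wide = buf[lay["wide_desc"]:lay["wide_desc"] + 768].decode("utf-16-le", "replace")
    return {
        "version": 1 if size == 0xE5C else 2,
        "description": cstr(buf, 4, 384),
        "log_line": cstr(buf, *lay["log"]),
        "vbin_time": datetime.fromtimestamp(struct.unpack_from("<I", buf, lay["vbin_time"])[0], timezone.utc),
        "record_type": RECORD_TYPE.get(rtype, f"Unknown({rtype})"),
        "session_id": session,
        "remediation": REMEDIATION.get(remed, f"Unknown({remed})"),
        "wide_description": wide.split("\0", 1)[0],
    }

def build_sample(size=0xE5C):
    """Constructed test record, not a real quarantine file: zero-filled with a few fields set."""
    lay, buf = LAYOUTS[size], bytearray(size)
    struct.pack_into("<I", buf, 0, size)
    desc = b"C:\\Users\\lab\\dropper.exe\0"
    buf[4:4 + len(desc)] = desc
    struct.pack_into("<I", buf, lay["vbin_time"], 1600000000)        # 2020-09-13 12:26:40 UTC
    struct.pack_into("<III", buf, lay["record_type"], 2, 7, 2001)    # Quarantine, session 7, File
    wide = desc[:-1].decode().encode("utf-16-le")
    buf[lay["wide_desc"]:lay["wide_desc"] + len(wide)] = wide
    return bytes(buf)
```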

## Record Type 0

The following sections are XORed with 0x5A.

### QData Location (Optional)

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 8 | Header | QData Location header, 00000006aaaa20ce |
| 8 | 8 | Quarantine Data Offset | Offset to the start of the quarantine data |
| 16 | 8 | QData Location Size | Size of the QData Location section |
| 24 | 4 | QData Info Size | Size of QData Info, from the end of the quarantine data to EOF |
| 28 | Data Offset - 28 | Unknown | Requires further investigation |

### Quarantine Data

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | Varies | Data | Quarantine data |

### QData Info (Optional)

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 8 | Header | QData Info header |
| 8 | 8 | QData Info Size | Size of QData Info |
| 16 | QData Info Size - 16 | QData | Additional information about the quarantine data |
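As an added example (not code from the original page or from Symantec), this Python snippet undoes the 0x5A XOR over a Record Type 0 body and splits it into the three sections described above. It assumes the QData Location section is present, that the header is stored as a little-endian 64-bit integer equal to the hex value in the table, and that the QData Info header value in the constructed sample is a placeholder, since the page does not give it.

```python
import struct

XOR_KEY = 0x5A
QDATA_LOCATION_HEADER = 0x00000006AAAA20CE   # header value from the QData Location table

def unxor(blob):
    """Undo the 0x5A XOR applied to the Record Type 0 sections (XOR is self-inverse)."""
    return bytes(b ^ XOR_KEY for b in blob)

def parse_record_type0(blob):
    """Split a Record Type 0 body into QData Location, Quarantine Data and QData Info."""
    raw = unxor(blob)
    header, data_off, loc_size, info_size = struct.unpack_from("<QQQI", raw, 0)
    if header != QDATA_LOCATION_HEADER:
        raise ValueError(f"bad QData Location header 0x{header:016x}")
    # Quarantine data runs from the data offset to the start of the trailing QData Info.
    data_end = len(raw) - info_size
    if not 28 <= data_off <= data_end:
        raise ValueError("QData offsets inconsistent with blob length")
    out = {"location_size": loc_size, "quarantine_data": raw[data_off:data_end],
           "qdata_info_header": None, "qdata_info": b""}
    if info_size:
        if info_size < 16:
            raise ValueError("QData Info too short for its 16-byte header")
        info_hdr, size = struct.unpack_from("<QQ", raw, data_end)
        if size != info_size:
            raise ValueError("QData Info size fields disagree")
        out["qdata_info_header"] = info_hdr
        out["qdata_info"] = raw[data_end + 16:data_end + size]
    return out

def build_sample():
    """Constructed Record Type 0 body, not from a real VBN: 4 unknown bytes follow the 28-byte header."""
    data = b"MZ\x90\x00constructed-quarantined-file"
    info = b"constructed-qdata-info"
    info_blob = struct.pack("<QQ", 0xC0FFEE, 16 + len(info)) + info   # info header value is a placeholder
    data_off = 32
    loc = struct.pack("<QQQI", QDATA_LOCATION_HEADER, data_off, data_off, len(info_blob)) + b"\0" * 4
    return unxor(loc + data + info_blob)   # XOR with 0x5A to mimic the on-disk form
```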