
Anti-malware tools, on identifying malicious software, will "quarantine" it. I'll look at what that means, and if there's any residual threat.

How does the quarantine function of anti-malware software work? Specifically, when malware is placed in quarantine, how is that malware rendered impotent? Is the quarantine escape-proof? Other than an accidental restoration by the user, is there any risk to leaving malware in quarantine indefinitely? Can malware be released back into the PC system if the anti-malware software somehow malfunctions? Bottom line, should we delete malware from quarantine as soon as we are sure it's not a false positive?

Even though "quarantine" is a common term among anti-malware tools, there's actually not a consistent definition of exactly what it means. As a result, I can't tell you specifically what your tool - or any tool for that matter - does when it places something in quarantine.

However, knowing a little about how malware works, and a lot about how Windows works, I can certainly cover the concepts that probably apply in most cases.

Quarantine

Malware being quarantined in all likelihood means this:

  • The file identified as containing malware is moved to a folder that Windows would normally not look in - it's not one of the standard places that Windows might look for programs to run, and it's not referenced by other software on the machine.

  • The file is renamed. Much malware relies on the filename being similar to existing Windows files, and/or being a file type - such as ".exe" - that Windows would normally run as a program. Renaming the file removes both of those possibilities, preventing Windows from running the file, and making it obvious by its name that the file is in quarantine.

  • The file may also be marked as "hidden", or (if on a file system that supports it) the permissions on it may be reset such that the file cannot be opened by normal system processes.

  • An especially sophisticated quarantine could also encrypt or encode the file so that even if it were somehow accessed it would remain meaningless.

By and large just moving the file is sufficient to remove the potential for harm. The additional steps are just that - additional steps that further ensure that the file will not be accidentally allowed to re-infect.
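To make those steps concrete, here is a small added example (my own illustration, not code from any anti-malware product or from this article) that quarantines a file the way the list above describes: move it to a folder nothing looks in, rename it to a non-executable name, encode its contents, drop the execute bit and write a sidecar note so an explicit restore can put it back. The quarantine folder name, the XOR key and the "sample_detected.exe" stand-in are all constructed for the demo.

```python
import json
import os
import stat
from pathlib import Path

# Hypothetical quarantine folder and encoding key; real tools choose their own.
QUARANTINE_DIR = Path("quarantine_demo")
XOR_KEY = 0x5A

def _xor(data: bytes) -> bytes:
    # Encoding, not encryption: enough to make the bytes unrunnable and unrecognisable.
    return bytes(b ^ XOR_KEY for b in data)

def quarantine(path: Path) -> Path:
    """Move, rename, encode and lock down a detected file; return its entry."""
    QUARANTINE_DIR.mkdir(exist_ok=True)
    src = Path(path)
    # The new name has no executable extension, so nothing will run it by name.
    entry = QUARANTINE_DIR / (src.name + ".quarantined")
    entry.write_bytes(_xor(src.read_bytes()))
    # Sidecar metadata lets an explicit restore put the file back where it was.
    entry.with_suffix(".json").write_text(json.dumps({"original": str(src.resolve())}))
    src.unlink()
    os.chmod(entry, stat.S_IRUSR)  # owner read-only, no execute bit for anyone
    return entry

def restore(entry: Path) -> Path:
    """Explicit, user-driven restore: decode the entry and move it back."""
    meta_file = entry.with_suffix(".json")
    original = Path(json.loads(meta_file.read_text())["original"])
    original.write_bytes(_xor(entry.read_bytes()))
    os.chmod(entry, stat.S_IRUSR | stat.S_IWUSR)  # clear read-only before deleting
    entry.unlink()
    meta_file.unlink()
    return original

def run_demo() -> dict:
    """Constructed harmless stand-in for a detection; returns the checks made."""
    sample = Path("sample_detected.exe")
    payload = b"MZ constructed stand-in, not a real detection\n"
    sample.write_bytes(payload)
    entry = quarantine(sample)
    checks = {"original_gone": not sample.exists(), "renamed": entry.suffix == ".quarantined",
              "encoded": entry.read_bytes() != payload,
              "no_exec": stat.S_IMODE(entry.stat().st_mode) & 0o111 == 0}
    restored = restore(entry)
    checks["restored_intact"] = restored.read_bytes() == payload
    checks["entry_gone"] = not entry.exists()
    restored.unlink()
    return checks
```

The point of the sidecar file is the one the article makes: the only way the file comes back is a deliberate restore, and the quarantined copy on its own is neither named, placed nor encoded in a way Windows would ever execute.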


Malware Returning from the Grave

The only way I could see malware returning from quarantine would be:

  • You explicitly, manually restored it outside of the anti-malware software. This isn't typically easy - you'll have meant to do this for some reason.

  • The anti-malware software itself was accidentally instructed to do so - most have a "restore" function, and it's possible I suppose to trigger that by accident.

I'm not aware of any malicious way that malware would return from the grave, other than simply getting infected again by whatever means your machine became infected in the first place.

As a result, I don't see a pressing need to delete malware from quarantine; it's just not likely to come back from there.

But then again I also don't see a reason not to. Once you have determined that the file is infected malware and not a false positive why would you want to leave the file on your machine? There's really no point, so in practice I would do just that - delete the files from quarantine after I'm sure that it's safe to do so.

Article C4409 - August 20, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


9 Comments
Yeppers
August 23, 2010 3:12 PM

I’m using Norton Internet Security 2010. Norton has confirmed that it is NOT possible for the user to manually delete files that have been quarantined. I wonder why Norton would prevent you from doing that.

Priscilla
August 24, 2010 10:15 AM

I was using Webroot and it would not let me delete the quarantined items. I now use McAfee, and haven't really tried. But, in case it doesn't, is there a way to work around it?

It depends on why it won't let you delete. Worst case you boot from a Linux Live CD and delete the file there, but there are risks that the file was needed for something important. As I said, it all depends on why.
Leo
27-Aug-2010

Mark Dales
August 24, 2010 11:37 AM

Why quarantine at all? Why not just nuke the offending files?

bri trudeau
August 24, 2010 11:45 AM

I have the same problem. How do you delete a file that your anti-virus won't allow you to? Also, at the moment my laptop is away having a "nasty" virus removed from it. When I expressed surprise that my Norton 360 hadn't detected it, they said "Oh it detected it all right, but then it just quarantined it, leaving it to carry on infecting your system." Have I misunderstood what quarantining means? I didn't think so.

No idea who "they" are, but if a quarantined file can carry on infecting your system then IMO it wasn't properly removed or quarantined.
Leo
27-Aug-2010

Frank Golden
August 24, 2010 1:37 PM

False positives are a pain. Often the only way to deal with them is to contact the anti-virus program maker. I had a file that I knew wasn't malware but Avast! identified it as malware and quarantined it. It was impossible to restore it (Avast would just remove it again). It was a little program from a trusted source that I used frequently. It took an email to Avast! along with providing them with info about the program and its source to fix this situation. Avast!, after considering the info I supplied them, released an update later that day exempting that particular program, letting me reinstall it.

It took interacting with a human to rectify this situation.

Glenn P.
August 24, 2010 2:13 PM

Typo Alert: Leo wrote:

"The file identified as containing malware is moved to a folder that Windows would normally not look in - it's one of the standard places that Windows might look for programs to run, and it's not referenced by other software on the machine."

Just to point it out, Leo, in the text quoted above, I do believe when you said "it's one", that you actually meant to say "it's not one".

Please be more careful! :)

I try! Fixed... thanks for pointing it out.
Leo
27-Aug-2010

Glenn P.
August 24, 2010 2:19 PM

Mark Dales asked:

Why quarantine at all? Why not just nuke the offending files?

Because God forbid the file in question should not only be not a virus, but actually be genuinely needed! That is why the better antivirus programs will quarantine rather than nuke -- it gives the user a way to retrieve innocuous and/or needed files erroneously marked as dangerous.

Yeppers
August 24, 2010 9:42 PM

This is a reply to Priscilla’s comment on August 24, 2010. If you were using Webroot Spy Sweeper, I believe you can delete items in quarantine. First be sure you are in an Administrator User account. If memory serves me correct, select the Home tab off to the left. Under the Sweep section, there should be a link that says “# of items in quarantine” or something similar. (If there’s nothing in quarantine at the moment, you won’t see that link.) Click on that link and you’ll be directed to the Quarantine, where you can select and delete (or restore) a quarantined file.

Yeppers
October 6, 2010 7:53 PM

Leo, your comment on re-naming files gave me an idea. Let’s say I suspect a file or folder is causing a problem (non-malware in nature). After setting a restore point, can I temporarily disable that file or folder just by re-naming it? Then if I need to re-activate the file or folder, can I just change its name back to the original?

Within reason, sure - it's a common technique. The problem is that renaming a system file could render your system unbootable.
Leo
07-Oct-2010
