
Need Info about structure of Symantec Quarantine Files (*.vbn)

Created: 28 Oct 2010 | 3 comments

Hi all,

I am working on an incident where the suspect might have used some sort of trojan.

For whatever reason the quarantine folder was touched. If I try to extract the suspicious file out of the quarantine archive with QEXTRACT I only get error messages.

I started to analyze the vbn-files and was able to decrypt the XOR.
However I can not see where the quarantined file itself starts inside the vbn-data.

I would REALLY appreciate if someone could give me a hint, if there is an offset stored to the file-data and where to find it

Thanks in advance!



Comments (3)

sandeep_sali:
Navigate to the Quarantine folder
<OS drive>\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine
<OS drive>\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine
For every .VBN file in this Quarantine folder there should be another folder with the same name as the .VBN file. Example: If there is a file named ABCD1234.VBN in the Quarantine folder, there should also be a folder named ABCD1234 in the Quarantine folder.
Navigate to that folder.
In this folder are the .VBN files that need to be submitted. Copy the desired .VBN file to the desktop for easy access.
Open a web browser and visit the appropriate URL as provided by support.
Upload the file(s) as directed by the web page.
There may be multiple .VBN files located in the Quarantine file.
These files are encrypted but if they are opened in a text editor (such as notepad.exe) the original file name can be read at the top.
If there are multiple .VBN files present and you're unsure of which file(s) to submit, we recommend that you open the SEP/SAV interface, access Quarantine and remove everything except for the file(s) you want to submit.
These files are encrypted by Symantec in such a way that we can decrypt them for inspection. While they do potentially contain an infection, due to the proprietary encryption used, there is no danger of infection from these specific files while moving them.

Thanks & Regards

Sandeep C Sali
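The original poster says the XOR layer is already off but the start of the embedded file moves from sample to sample, and the answer above notes that the original file name is readable at the top of the .VBN. The following is an added forensic example, not code from the forum thread or from Symantec: it pulls the leading printable string out of a quarantine container and then, instead of assuming a fixed offset, brute-forces the single-byte XOR key by searching for well-known file signatures (with a second check on the PE header so an "MZ" hit is not a coincidence). The container layout, the XOR key 0x5A used to build the constructed sample and the signature list are all assumptions for the demo, not the documented .VBN format; on a real file the key and offset are whatever the search reports.

```python
"""Carve a single-byte-XOR obfuscated payload out of a quarantine container.

Added example for a forensic verification workflow. The container layout and the
key used for the constructed sample are assumptions, not Symantec's format.
"""
import struct
from typing import List, Optional, Tuple

# File signatures to look for under every candidate key (assumed list, extend as needed).
SIGNATURES = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP archive",
    b"%PDF-": "PDF document",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to a byte string."""
    return bytes(b ^ key for b in data)


def header_name(blob: bytes, window: int = 512, min_len: int = 4) -> str:
    """Return the first printable ASCII run (>= min_len chars) near the start of the blob.

    The forum answer says the original file name is readable at the top of the .VBN;
    the exact header layout is not given, so we locate the string instead of assuming an offset.
    """
    run = bytearray()
    for b in blob[:window]:
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                return run.decode("ascii")
            run.clear()
    return run.decode("ascii") if len(run) >= min_len else ""


def _looks_like_pe(blob: bytes, off: int, key: int) -> bool:
    """Stronger check for an 'MZ' hit: e_lfanew at +0x3C must point at a 'PE\\0\\0' header."""
    if off + 0x40 > len(blob):
        return False
    e_lfanew = struct.unpack_from("<I", xor_bytes(blob[off + 0x3C:off + 0x40], key))[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 4 > len(blob):
        return False
    return xor_bytes(blob[pe:pe + 4], key) == b"PE\x00\x00"


def find_payloads(blob: bytes) -> List[Tuple[int, int, str]]:
    """Try every single-byte key; return (offset, key, type) for each plausible signature hit."""
    hits = []
    for key in range(256):
        for sig, label in SIGNATURES.items():
            enc = xor_bytes(sig, key)  # what the signature looks like while still obfuscated
            start = 0
            while (off := blob.find(enc, start)) != -1:
                if sig != b"MZ" or _looks_like_pe(blob, off, key):
                    hits.append((off, key, label))
                start = off + 1
    return sorted(hits)


def carve(blob: bytes, offset: int, key: int, length: Optional[int] = None) -> bytes:
    """De-obfuscate and return the payload starting at offset (to end of blob if no length)."""
    end = len(blob) if length is None else offset + length
    return xor_bytes(blob[offset:end], key)


def build_demo_container(key: int = 0x5A) -> Tuple[bytes, bytes, int]:
    """Constructed sample: a fake container wrapping a minimal PE-shaped payload.

    Returns (container, original_payload, payload_offset). Layout and key are invented
    for the demo so the example runs offline; they are not the real .VBN format.
    """
    payload = bytearray(b"MZ" + b"\x90" * 0x3A)  # DOS header up to e_lfanew at 0x3C
    payload += struct.pack("<I", 0x80)             # e_lfanew -> PE header at 0x80
    payload += b"\x00" * (0x80 - len(payload))
    payload += b"PE\x00\x00" + b"\xCC" * 32        # PE signature plus filler
    header = b"C:\\Users\\victim\\Downloads\\sample.exe\x00" + b"\x01\x02\x03\x04" * 8
    container = header + xor_bytes(bytes(payload), key) + b"\xFF" * 16
    return container, bytes(payload), len(header)


if __name__ == "__main__":
    blob, _, _ = build_demo_container()
    print("original name:", header_name(blob))
    for off, key, label in find_payloads(blob):
        print(f"{label} at offset {off:#x}, key {key:#04x}")
```

For a real quarantine file, read it into `blob`, run `find_payloads`, then `carve` at the reported offset and hash the result; the hash of the carved file is what ties the quarantine entry to the file under investigation, which is the evidentiary link the poster is after. If nothing is reported, the data is not a plain single-byte XOR of a recognised file type and a different recovery approach is needed.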

Rafeeq:

to extract the file

you can use the sep interface

click on quarantine; you will see the list of files which are quarantined

you can restore the file...

is that what you are looking for?

marc-r:

thanks for your replies...

as I mentioned, the quarantine-folder seems to be corrupted (either by the suspect or an admin...).

There are only the {session-id}-folders, the {session-id}.vbn-files are missing.

Thus I can not recover the quarantined files with either SEP or QEXTRACT.

Due to internal regulations I can NOT just submit the vbn-files to Symantec for extraction.

For forensic reasons I have to show that the vbn-contents are the files we're looking for.

Sorry for Symantec, but I already was able to "decrypt" the vbn-file contents with some test-viruses.

But I can't see where exactly the encrypted virus-file is stored in the vbn-file - it seems to change every time...

that's why I am asking for some insider information regarding the vbn-file structure.

(if needed, it can be sent to my official email-account, additionally I assure non-disclosure!!)

best regards