2015/04/11

Fun with Symantec Endpoint Protection Local Quarantine Files

I've spent some time lately tearing apart the SEP Local Quarantine files. Luckily, they seem to be much less complicated than the SEP Central Quarantine files, though they appear to use the same basic structures for storing data and indicating field sizes. The big problem is that once you lift VBN files from the original device, Symantec's QExtract tool is basically useless, and there is no way SEP will extract them on another machine.

Many forensic blogs suggest XORing the file to obtain the binary, but in most cases the binary is also split into 4k chunks, each introduced by a data structure starting with 0x09 followed by 4 bytes indicating the size of the chunk. I think the Hexacorn blog (1) was the first to point out the existence of such "chunk separators", but Shane King (2) was the one who figured out that those 4 bytes stand for the size of the chunk. Having a file peppered with such chunk headers will ruin your day if you are going to do anything serious with the extracted file. Since I didn't want to limit the extraction to just PE binaries, I had to figure out some of these structures across a set of samples that I had available.
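
As an added example (not the SEPLQ service code from the repository), the following walks the chunk records described above: XOR-decode the data, then expect a 0x09 tag followed by a 4-byte size at the start of each chunk and concatenate the chunk bodies. The XOR key value and the little-endian size field are assumptions, since the post does not state either; the fixture builder only exists to construct test input.

```python
import struct

# Constructed example, not code from the SEPLQ service. The page does not give
# the XOR key; 0xA5 is an assumed placeholder for the key on the payload section.
PAYLOAD_XOR_KEY = 0xA5
CHUNK_TAG = 0x09      # marker byte that opens each chunk record
CHUNK_HEADER = 5      # tag byte + 4-byte size field

def xor_bytes(data: bytes, key: int) -> bytes:
    """Undo the single-byte XOR applied to the quarantined data."""
    return bytes(b ^ key for b in data)

def reassemble_chunks(blob: bytes) -> bytes:
    """Walk 0x09 + uint32 size chunk records and concatenate their bodies.

    The size field is assumed little-endian (assumption, not stated on the
    page). A malformed record raises ValueError instead of silently yielding
    a truncated or padded binary.
    """
    out = bytearray()
    pos = 0
    while pos < len(blob):
        if blob[pos] != CHUNK_TAG:
            raise ValueError(f"expected 0x09 at offset {pos:#x}, got {blob[pos]:#04x}")
        if pos + CHUNK_HEADER > len(blob):
            raise ValueError(f"truncated chunk header at offset {pos:#x}")
        size = struct.unpack_from("<I", blob, pos + 1)[0]
        start, end = pos + CHUNK_HEADER, pos + CHUNK_HEADER + size
        if end > len(blob):
            raise ValueError(f"chunk at {pos:#x} claims {size} bytes past end of data")
        out += blob[start:end]
        pos = end
    return bytes(out)

def extract_payload(encoded: bytes, key: int = PAYLOAD_XOR_KEY) -> bytes:
    """XOR-decode the quarantine data section, then strip the chunk headers."""
    return reassemble_chunks(xor_bytes(encoded, key))

def build_sample(payload: bytes, chunk_size: int = 4096, key: int = PAYLOAD_XOR_KEY) -> bytes:
    """Constructed fixture: chunk a payload the way the page describes, then XOR it."""
    records = bytearray()
    for off in range(0, len(payload), chunk_size):
        body = payload[off:off + chunk_size]
        records += bytes([CHUNK_TAG]) + struct.pack("<I", len(body)) + body
    return xor_bytes(bytes(records), key)
```

On a real VBN you would slice out the quarantine data section first and feed only that to `extract_payload`, then compare the size and MD5 of the result against the original sample as a sanity check.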

The other day, I was almost done with the extraction piece when one of the more anomalous .VBN files turned out to contain two payloads. Luckily, it turned out to be exactly the same binary as the first one; at least the size and MD5 did match.

So the code is available on GitHub:
https://github.com/frbapolkosnik/crits_services/blob/seplq_service/SEPLQ_service/SEPLQ.py

You can either use it in CRITs or just import it into your own little script and save the payload the way you like.

(1) http://www.hexacorn.com/blog/2012/09/21/dexray-decrypting-vbn-files-part-2/
(2) http://dofir.net/post/81425257003/a-study-of-symantecs-vbn-file-format