how to build quarantine system ?

misael (Member; joined Nov 17, 2019; messages: 7; location: Indonesia; programming experience: Beginner)
I'm making an antivirus but am stuck on the quarantine feature. I'm not sure that what I'm doing is the right way.

Steps I am doing now:

1. create a quarantine folder [done]
2. move the suspected file into the quarantine folder [done]
3. encrypt the executable file in the quarantine folder, so the suspected file can't be executed again or deleted by another antivirus [stuck]
4. restore the suspected file to its original location if my antivirus falsely detects it [done]

In step 3, I can't find the right method.

How do I encrypt an executable file, or is there another way to handle my problem?
 
Why are you stuck with #3? If you are smart enough to make an antivirus program, encrypting a file should be easy. What error are you running into?
 
Why are you stuck with #3? If you are smart enough to make an antivirus program, encrypting a file should be easy. What error are you running into?

I don't know where to start. I can't find an algorithm for encryption or something like that to keep the suspected file safely in the quarantine folder.
 
And what do you think would be an adequate algorithm?

What different algorithms are available to you today?

Where have you looked for any such algorithm and failed to find one?
 
You don't need anything sophisticated. It just takes changing a single byte to make an executable not be recognized as an executable. You should know this if you are really working on an antivirus program.

I really feel like you are actually writing a cheap ransomware. Why would you need to encrypt the file? Why would you need to prevent deletions by other AV software?
 
You don't need anything sophisticated. It just takes changing a single byte to make an executable not be recognized as an executable. You should know this if you are really working on an antivirus program.

u wish I knew everything. I'm only human and have many deficiencies in terms of knowledge. If I knew everything I wouldn't ask here.

Dude, I really am working on an antivirus program. Writing an antivirus isn't difficult. We just need to use MD5, CRC32 or SHA1 to match the hash of the suspected file against the hash of a virus signature stored in a database. If it matches, then move the suspected file into the quarantine folder.

I really feel like you are actually writing a cheap ransomware. Why would you need to encrypt the file? Why would you need to prevent deletions by other AV software?

If u asking me why the file in the quarantine folder should be encrypted and should not be deleted by another antivirus, it's because sometimes an antivirus falsely detects it and then removes it, and if another antivirus can do that, it means that in the future a virus can also restore it. I don't want that to happen, so they need my permission to access the file in the quarantine folder.

If u asking me what kind of encryption I need, it's a type of encryption that changes the hash of the file and can store additional information inside the file.

u try to think about this: why am I building a new antivirus if a virus and other AV software can ruin my antivirus work environment? For me, that would be a failure to build a new antivirus.

Why are there so many paranoid people who always accuse me of making viruses? I just want to help others for free. Is that not enough?

My English is really bad. I hope u understand what I say.
 
And what do you think would be an adequate algorithm?

I need an encryption/decryption algorithm to store additional information inside the file, with the condition that the file can't be run. Information about where the file was found is enough for now.

What different algorithms are available to you today?

Where have you looked for any such algorithm and failed to find one?

I tried this -> How to encrypt and decrypt files using the AES encryption algorithm in C#
but it doesn't match my case.
 
Writing an antivirus isn't difficult. We just need to use MD5, CRC32 or SHA1 to match the hash of the suspected file against the hash of a virus signature stored in a database. If it matches, then move the suspected file into the quarantine folder.
It wasn't difficult back in the '80s. I know. My friend and I wrote one for our university to help stave off the viruses and trojans attacking the university PCs at the time. We used the same strategy. That strategy of simply checking the hash of the files worked back then until about the early '90s. After that point, the virus writers got smarter in camouflaging and randomizing their bits.

Also how does your hashing work when the files are legitimately patched by the maker of the software? (Back then we didn't have to worry about this match since patching outside of a product release wasn't a thing we had to deal with because all the computer systems were not connected to the Internet at the time.) Is the file now suspicious because it was updated? Or will it only be suspicious if the new file hash matches something in your database?

Nowadays, you have to be a lot more sophisticated than just hashing the file. You need to be sophisticated enough to test the critical parts of the file that may contain executable code and then check to see if small sections of it match the signature of known viruses. You can't depend on a whole-file hash anymore.
 
If u asking me why the file in the quarantine folder should be encrypted and should not be deleted by another antivirus, it's because sometimes an antivirus falsely detects it and then removes it, and if another antivirus can do that, it means that in the future a virus can also restore it. I don't want that to happen, so they need my permission to access the file in the quarantine folder.
If you are that paranoid, why even place the quarantined file into another folder? Why not just put the file bits into your storage system (be it a file, an append-only log file, a database, etc.)? Your own storage system can also record the origin of the file if you need to restore it. Start off with simply storing the bits into a .ZIP file. .ZIP files are nice because you can add metadata related to the file into the .ZIP. You can even password protect .ZIP files.
 
If u asking me what kind of encryption I need, it's a type of encryption that changes the hash of the file and can store additional information inside the file.
You are mixing up encryption with adding metadata. Anyway, the best way to approach this is to create a data stream with your desired metadata followed by the file data. Encrypt this data stream and you are done.
 
u try to think about this: why am I building a new antivirus if a virus and other AV software can ruin my antivirus work environment? For me, that would be a failure to build a new antivirus.

Why are there so many paranoid people who always accuse me of making viruses? I just want to help others for free. Is that not enough?
I appreciate the desire to make things better (and for free), but right now you are coming across as a script kiddie, considering your lack of knowledge in some key fields that you should already be familiar with before taking on the complex task of creating AV software. The same technology that is used for making AVs can also be used to make viruses and ransomware.
 
It wasn't difficult back in the '80s. I know. My friend and I wrote one for our university to help stave off the viruses and trojans attacking the university PCs at the time. We used the same strategy. That strategy of simply checking the hash of the files worked back then until about the early '90s. After that point, the virus writers got smarter in camouflaging and randomizing their bits.

Also how does your hashing work when the files are legitimately patched by the maker of the software? (Back then we didn't have to worry about this match since patching outside of a product release wasn't a thing we had to deal with because all the computer systems were not connected to the Internet at the time.) Is the file now suspicious because it was updated? Or will it only be suspicious if the new file hash matches something in your database?

Nowadays, you have to be a lot more sophisticated than just hashing the file. You need to be sophisticated enough to test the critical parts of the file that may contain executable code and then check to see if small sections of it match the signature of known viruses. You can't depend on a whole-file hash anymore.

I have also considered the same thing, about polymorphic viruses, but I will analyze it further after the quarantine system is complete. I also haven't made a real-time protection system. There is so much that I haven't done yet.
 
I need an encryption/decryption algorithm to store additional information inside the file, with the condition that the file can't be run. Information about where the file was found is enough for now.
If you prepend header data to the file that contains your desired metadata, then you accomplish this in one fell swoop without even needing encryption. Since an executable is recognized based on its header, if you write out your own metadata followed by the original file data, then the file won't be an executable anymore. Changing the data changes the file hash.
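To make the "metadata first, then the file data, then encrypt the stream" advice concrete, here is an added Python sketch (my own example, not the OP's C# code or anything posted in the thread) of a quarantine container with a restore routine that verifies the HMAC and the recorded hash before handing the bytes back. The MAGIC string, the layout and the key are my assumptions, and the SHA-256 counter keystream is a standard-library stand-in for a real cipher such as AES-CTR.

```python
import hashlib
import hmac
import json
import os
import struct

MAGIC = b"QRNT1"  # constructed container signature; no real file type starts with it

def keystream_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (stand-in for AES-CTR); self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + struct.pack(">Q", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def quarantine(file_bytes: bytes, original_path: str, key: bytes) -> bytes:
    """Container layout: MAGIC | 16-byte nonce | meta length | meta JSON | HMAC | payload."""
    nonce = os.urandom(16)  # per-file nonce so two files never share a keystream
    meta = json.dumps({"path": original_path, "size": len(file_bytes),
                       "sha256": hashlib.sha256(file_bytes).hexdigest()}).encode()
    header = MAGIC + nonce + struct.pack(">I", len(meta)) + meta
    body = keystream_xor(file_bytes, key, nonce)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()  # detects tampering
    return header + tag + body

def restore(container: bytes, key: bytes) -> tuple:
    """Check the HMAC and the stored hash, then return (metadata, original bytes)."""
    if container[:5] != MAGIC:
        raise ValueError("not a quarantine container")
    nonce = container[5:21]
    (mlen,) = struct.unpack(">I", container[21:25])
    end = 25 + mlen
    header, tag, body = container[:end], container[end:end + 32], container[end + 32:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("container was modified or wrong key")
    meta = json.loads(header[25:])
    data = keystream_xor(body, key, nonce)
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("restored payload does not match recorded hash")
    return meta, data

def looks_like_windows_exe(data: bytes) -> bool:
    """Windows recognizes a PE file by the 'MZ' DOS header at offset 0."""
    return data[:2] == b"MZ"

# Constructed sample: a fake PE-like blob for the demo, not a real program.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 56 + b"PE\x00\x00" + bytes(range(200))
```

Because the container starts with MAGIC rather than MZ, the OS no longer treats it as an executable and any other scanner sees different bytes and a different hash; the HMAC makes a modified container fail restore instead of silently writing back altered data.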
 
If you are that paranoid, why even place the quarantined file into another folder? Why not just put the file bits into your storage system (be it a file, an append-only log file, a database, etc.)? Your own storage system can also record the origin of the file if you need to restore it. Start off with simply storing the bits into a .ZIP file. .ZIP files are nice because you can add metadata related to the file into the .ZIP. You can even password protect .ZIP files.

I think it's the best way for my case. Someone from another community also suggested using zip technology to secure the quarantined file, but I am still looking for other suggestions to increase my knowledge.
 
but right now you are coming across as a script kiddie
And that's why it's important that participating members of this or any other board don't go inadvertently helping someone to create the exact opposite of what you claim to be creating. And just like viruses get smarter, so do the script kiddies who make ransomware. "Script kiddies" (and I use that term lightly, as it's given too freely to undeserving idiots) also pretend to want to achieve one thing when asking for help, but they know well that the question they are asking can also be answered to assist with the creation of malicious tools. And I am not saying that is what you're doing, but you need to understand why topics like yours will always be a sensitive topic amongst people like us who are liable for the answers and code we might share in public, since we don't know how you really plan on using the information you seek.
about polymorphic viruses, but I will analyze it further
And how would you go about that if any such self-replicating file did recreate itself and also renamed itself? How will you identify it? I feel that these are things you should know the answers to. And I also feel that you are quite adamant to get us to answer you and help accomplish this ransomware for you. Call it what you want, but any file that gets locked into a vaulted folder or archive is essentially ransomware, especially if your application is the deciding factor on whether the file will ever be released or not.

Further to the first quote: your use of wording is exactly the way script kiddies write. If you really want to be taken seriously, drop the MSN/Skype lingo and write your words as they should be written in full English. Referring to:
If u asking me why the file in the quarantine folder should be encrypted and should not be deleted by another antivirus, it's because sometimes an antivirus falsely detects it and then removes it, and if another antivirus can do that, it means that in the future a virus can also restore it. I don't want that to happen, so they need my permission to access the file in the quarantine folder.

If u asking me what kind of encryption I need, it's a type of encryption that changes the hash of the file and can store additional information inside the file.

u try to think about this: why am I building a new antivirus if a virus and other AV software can ruin my antivirus work environment? For me, that would be a failure to build a new antivirus.

Why are there so many paranoid people who always accuse me of making viruses? I just want to help others for free. Is that not enough?

My English is really bad. I hope u understand what I say.
It's not u, it's you. I know English is not your first language, but I can also tell by the literature you wrote that you know what the words should be and how to write them. You are simply choosing not to.
Changing the data changes the file hash.
This is where he will need to learn to rely on pattern signatures instead, and they don't teach that stuff on forums.
why am I building a new antivirus if a virus and other AV software can ruin my antivirus work environment? For me, that would be a failure to build a new antivirus.
Come again? "Virus and other AV software can ruin my antivirus work environment" - I don't think you're meant to compare the two, as they are distinctly different. One is set on deliberate destruction, and the other is set on preventative destruction. As for the latter part of your sentence: why would another antivirus be running alongside your application's antivirus? And why would the other antivirus dissect or consume your "antivirus work environment" if it wasn't considered a threat?

Hmm
 