
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-02-19


Getting viruses out of the AVG virus vault

Published: 2006-02-19
Last Updated: 2006-02-19 20:37:17 UTC
by donald smith (Version: 1)
Recently, I needed to explain to someone how to get a virus out of the virus vault included in the free version of AVG anti-virus for submittal so I could analyze it. For additional information on the free version of AVG, try their forum.

Here are the steps I documented.
I loaded a test virus named EICAR on my system to work out the details. It's not really a virus: it will not spread, infect or damage your computer. Rather, it's a short ASCII string that nearly every antivirus product recognizes as a virus, so it exercises the vault and the packaging steps without handling live malware.
More information on EICAR is available here:

This process includes disabling portions of your antivirus software. Don't forget to re-enable it, and I would recommend you disconnect from ALL networks while your AV scanner is disabled. Keep the restored file inside the directory you create for it and do not open it.
AVG's virus vault is a hidden folder at the root of the C: drive, named C:\$VAULT$.AVG.

Steps to export viruses from the AVG vault for analysis.

 1: Create a directory to store the files in.
 2: Open AVG.
 3: Select the virus vault.
 4: Click on the virus you wish to restore.
 5: Choose Restore; that will prompt you for the directory to restore the virus into.
 6: Select the directory created in step 1.
 7: AVG will alert again if it is in active monitoring mode; choose Continue.
 8: Turn off AVG resident shield protection if you plan to package the viruses up for submittal for malware analysis; otherwise the shield will quarantine the restored file again as soon as the archiver touches it.
 9: Select the AVG resident shield, unselect "turn on AVG resident shield protection", and click Apply.
     Remember to turn resident shield back on as soon as you're done with the virus.

 Steps to package up a directory of infected files for submittal for malware analysis.

 1: Open WinZip.
     If it's not installed you can get a 45 day trial version here.
     If you use it more than 45 days, please pay for it.
     I wrote these directions assuming you chose the classic WinZip interface, not the wizard, during installation.
 2: Select New.
 3: Select a filename and location. C:\bad is the one I used. This is where the zip file will be created.
 4: In the options portion, select the box that says "Encrypt added files".
 5: In the "Look in" bar, go to the directory you saved the virus in (infected), select the files, and click Add.
 6: Type a password. You will have to verify it. Any encryption is usually acceptable: the password is not there for confidentiality (the default Zip 2.0-compatible encryption is cryptographically weak) but to stop mail gateways and desktop scanners from inspecting, stripping or quarantining the sample in transit. "infected" is the
     most commonly used password for anti-virus vendors and malware analysis professionals, so the recipient can open the archive without further coordination.
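Packaging the sample as the steps above describe can also be scripted, which avoids walking the WinZip dialogs by hand each time and makes the archive reproducible. The following is an added example written for this page; it is not code from the original diary, from AVG or from WinZip. It builds a one-entry, stored, Zip 2.0 ("ZipCrypto", traditional PKWARE) encrypted archive with the password "infected" using only Python's standard library, because the zipfile module can read that encryption but cannot write it, and it verifies the result by reading the archive back with the password the way a recipient would. The payload is the standard 68-byte EICAR test string kept in memory (a constructed sample); the output name eicar.zip and the 2006-02-19 timestamp are arbitrary choices of the example.

```python
"""Package the EICAR test file into a password-protected ("infected") zip.

Added example for this page, not code from the original diary, AVG or WinZip.
Python's zipfile module reads traditional PKWARE (Zip 2.0 / "ZipCrypto")
encryption but cannot write it, so the cipher and container are built here.
"""
import io
import os
import struct
import zipfile
import zlib

# Standard 68-byte EICAR test string, built in memory (constructed sample input).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SUBMISSION_PASSWORD = b"infected"   # the convention mentioned in the diary

# Reversed CRC-32 table, used both for the entry CRC and inside the cipher.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TABLE.append(_c)


class ZipCrypto:
    """Traditional PKWARE stream cipher (APPNOTE 6.1): three 32-bit keys
    seeded from the password and advanced by every plaintext byte."""

    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.keys
        k[0] = _TABLE[(k[0] ^ b) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def _keystream_byte(self) -> int:
        t = (self.keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for b in plaintext:
            out.append(b ^ self._keystream_byte())
            self._update(b)          # key schedule advances on the plaintext
        return bytes(out)


def build_encrypted_zip(name: bytes, data: bytes, password: bytes) -> bytes:
    """Return a one-entry, stored, ZipCrypto-encrypted archive as bytes."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the high byte of the
    # CRC, which readers use as a cheap wrong-password check before the CRC.
    header = os.urandom(11) + bytes([crc >> 24])
    body = ZipCrypto(password).encrypt(header + data)

    flags, method = 0x0001, 0                    # bit 0 = encrypted; 0 = stored
    dos_time, dos_date = 0, ((2006 - 1980) << 9) | (2 << 5) | 19   # arbitrary
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method,
                        dos_time, dos_date, crc, len(body), len(data),
                        len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          method, dos_time, dos_date, crc, len(body),
                          len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def read_back(archive: bytes, name: str, password: bytes) -> bytes:
    """Open the archive with the standard library, as the recipient would."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name, pwd=password)


def password_opens(archive: bytes, name: str, password: bytes) -> bool:
    """True if the password decrypts the entry and its CRC-32 checks out."""
    try:
        read_back(archive, name, password)
        return True
    except (RuntimeError, zipfile.BadZipFile):   # bad check byte / bad CRC
        return False


if __name__ == "__main__":
    archive = build_encrypted_zip(b"eicar.com", EICAR, SUBMISSION_PASSWORD)
    with open("eicar.zip", "wb") as f:           # hypothetical output name
        f.write(archive)
    print("wrote eicar.zip,", len(archive), "bytes; password:",
          SUBMISSION_PASSWORD.decode())
```

Running the script writes eicar.zip next to it; unzip, 7-Zip or Python's own zipfile open it with the password infected. The keystream depends only on the password and the 11 header bytes, and known-plaintext attacks against this scheme have been published since the 1990s, which is why the diary's "any encryption is usually acceptable" is the right framing: the password buys opacity to scanners and gateways on the way to the analyst, not secrecy.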


DHS wants your comments.

Published: 2006-02-19
Last Updated: 2006-02-19 16:19:27 UTC
by donald smith (Version: 1)

DHS wants to improve software security.

They have put up a website to help programmers make more secure software.
They would also like comments on two documents: The Software Lifecycle and The Software Assurance Common Body of Knowledge.
The documents and an online comment form are available at the Build Security In website.
Comments on the two documents are due by Tuesday, February 21.
