AlexLeadingEdge

Feature Request - Add hash of all quarantined files


Hi guys,

I'm just working on your cloud system and some files popped up last night that were flagged as malware and quarantined. That's fine, but I would like to take the MD5 or SHA256 hash of these files and put it into the likes of virustotal.com to see if it is a false positive, which I suspect they are. At the moment I can't see any details about the quarantined files other than a Detection ID and Scan ID, which seems meaningless to anyone outside of Malwarebytes. My only option seems to be to release the quarantined files and then upload them manually to virustotal from the end user's computer, which seems extremely risky.


Hi @AlexLeadingEdge, that would be a nifty thing to add for the admins that like to research. I'll help get that submitted. Here's where you can find that info until it becomes a feature: 

In Quarantine, click on the detected threat and look for the Detection ID; this is the hash of the quarantine file. In this example, my Detection ID is 7a06df44-1524-11e9-bf13-00ff70609f10, so there should be a 7a06df44-1524-11e9-bf13-00ff70609f10.quar and a 7a06df44-1524-11e9-bf13-00ff70609f10.data file in C:\ProgramData\Malwarebytes\MBAMService\Quarantine on the endpoint.

On the endpoint, go to C:\ProgramData\Malwarebytes\MBAMService\ScanResults, look in the hashed *.json file with the same-ish timestamp as your scan, open the JSON in a text editor, and confirm you have the right scan file for the quarantined files by finding this line:

[ID of the scan result json]
{
   "applicationVersion" : "3.6.1.2716",
   "clientID" : "Endpoint Agent:[clientID]",
   "clientType" : "agentScan",
   "componentsUpdatePackageVersion" : "1.0.478",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.8718",
   "detectionDateTime" : "2019-01-10T22:09:55Z",
   "fileSystem" : "NTFS",
   "id" : "760fa592-1524-11e9-9f28-00ff70609f10",

A little later in the scan result json you can find the ID again, along with the MD5 and SHA256 of the detected and quarantined file(s).

   "threats" : [
      {
         "linkedTraces" : [

         ],
         "mainTrace" : {
            "cleanAction" : "quarantine",
            "cleanContext" : {
            },
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2019-01-10T22:10:46Z",
            "generatedByPostCleanupAction" : false,
            "id" : "7a06df44-1524-11e9-bf13-00ff70609f10",
            "linkType" : "none",
            "objectMD5" : "3B9269B0C31CA2CCFB30D75A83B0609E",
            "objectPath" : "C:\\USERS\\DJACOBSON\\DESKTOP\\TEST-TROJAN.EXE",
            "objectSha256" : "FC0771A47FFF3909627D224119BC4C9AD3CF8F11EA33CD7CE61A9B8894F5C23C",
            "objectType" : "file",

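A small script that automates the lookup Dyllon describes (an added example, not Malwarebytes' own tooling or either poster's code): given a Detection ID, it finds the matching mainTrace in a ScanResults JSON and returns the objectMD5 and objectSha256 to paste into VirusTotal, without releasing anything from quarantine. The sample JSON is constructed from the fields shown in the post, and it assumes, as the post says, that the Detection ID equals the mainTrace id.

```python
import json
from pathlib import Path

# Constructed sample of a ScanResults *.json, trimmed to the fields the post
# walks through; the id, path and hash values are the ones shown in the post.
SAMPLE_SCAN_RESULT = json.dumps({
    "id": "760fa592-1524-11e9-9f28-00ff70609f10",
    "threats": [{
        "linkedTraces": [],
        "mainTrace": {
            "cleanAction": "quarantine",
            "cleanResult": "successful",
            "id": "7a06df44-1524-11e9-bf13-00ff70609f10",
            "objectMD5": "3B9269B0C31CA2CCFB30D75A83B0609E",
            "objectPath": "C:\\USERS\\DJACOBSON\\DESKTOP\\TEST-TROJAN.EXE",
            "objectSha256": "FC0771A47FFF3909627D224119BC4C9AD3CF8F11EA33CD7CE61A9B8894F5C23C",
        },
    }],
})


def find_quarantined_hashes(scan_json: str, detection_id: str):
    """Return scan id, path, MD5 and SHA256 of the trace whose id matches the
    Detection ID shown in the Quarantine view, or None if it is not in this file."""
    result = json.loads(scan_json)
    for threat in result.get("threats", []):
        # The Detection ID is the mainTrace id; linkedTraces are checked as well.
        for trace in [threat.get("mainTrace", {})] + threat.get("linkedTraces", []):
            if trace.get("id", "").lower() == detection_id.lower():
                return {
                    "scanId": result.get("id"),
                    "path": trace.get("objectPath"),
                    "md5": trace.get("objectMD5"),
                    "sha256": trace.get("objectSha256"),
                }
    return None


def search_scan_results(folder: str, detection_id: str):
    """Walk every *.json in the ScanResults folder until the Detection ID is found,
    so the right scan file does not have to be picked by timestamp."""
    for path in Path(folder).glob("*.json"):
        hit = find_quarantined_hashes(path.read_text(encoding="utf-8"), detection_id)
        if hit:
            return hit
    return None


if __name__ == "__main__":
    print(find_quarantined_hashes(SAMPLE_SCAN_RESULT, "7a06df44-1524-11e9-bf13-00ff70609f10"))
```

Run it against a copy of the ScanResults folder pulled from the endpoint, e.g. search_scan_results(r"C:\ProgramData\Malwarebytes\MBAMService\ScanResults", detection_id), and submit only the returned hashes to VirusTotal.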

Thanks for the workaround, Dyllon, will do that for this incident. Unfortunately it still involves me connecting to the local machine, which is a hassle if the end user is not on a domain, which is the case with this machine.
