
Feature Request - Add hash of all quarantined files


Hi guys,

I'm just working on your cloud system and some files popped up last night that were flagged as malware and quarantined. That's fine, but I would like to take the MD5 or SHA256 hash of these files and put it into the likes of virustotal.com to see if it is a false positive, which I suspect they are. At the moment I can't see any details about the quarantined files other than a Detection ID and Scan ID, which seems meaningless to anyone outside of Malwarebytes. My only option seems to be to release the quarantined files and then upload them manually to virustotal from the end user's computer, which seems extremely risky.


  • Staff

Hi @AlexLeadingEdge, that would be a nifty thing to add for the admins that like to research. I'll help get that submitted. Here's where you can find that info until it becomes a feature: 

In Quarantine, click on the detected threat and look for the Detection ID, this is the hash of the quarantine file. In this example, my Detection ID is 7a06df44-1524-11e9-bf13-00ff70609f10, so there should be a 7a06df44-1524-11e9-bf13-00ff70609f10.quar and 7a06df44-1524-11e9-bf13-00ff70609f10.data file in C:\ProgramData\Malwarebytes\MBAMService\Quarantine on the endpoint.

On the endpoint, go to C:\ProgramData\Malwarebytes\MBAMService\ScanResults, look in the hashed *.json file with the same-ish timestamp as your scan, open the json in a text editor, confirm you have the right scan file to quarantine files by finding this line:

[ID of the scan result json]
   "applicationVersion" : "",
   "clientID" : "Endpoint Agent:[clientID]",
   "clientType" : "agentScan",
   "componentsUpdatePackageVersion" : "1.0.478",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.8718",
   "detectionDateTime" : "2019-01-10T22:09:55Z",
   "fileSystem" : "NTFS",
   "id" : "760fa592-1524-11e9-9f28-00ff70609f10",


A little later in the scan result json you can find the ID again, along with the MD5 and SHA256 of the detected and quarantined file(s).

   "threats" : [
         "linkedTraces" : [

         "mainTrace" : {
            "cleanAction" : "quarantine",
            "cleanContext" : {
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2019-01-10T22:10:46Z",
            "generatedByPostCleanupAction" : false,
            "id" : "7a06df44-1524-11e9-bf13-00ff70609f10",
            "linkType" : "none",
            "objectMD5" : "3B9269B0C31CA2CCFB30D75A83B0609E",
            "objectPath" : "C:\\USERS\\DJACOBSON\\DESKTOP\\TEST-TROJAN.EXE",
            "objectSha256" : "FC0771A47FFF3909627D224119BC4C9AD3CF8F11EA33CD7CE61A9B8894F5C23C",
            "objectType" : "file",

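The manual lookup described in the staff reply above, as an added example that is not part of the original posts and is not Malwarebytes code: it pulls the MD5 and SHA256 for a given Detection ID out of a scan result JSON. The function names are hypothetical, the sample document is constructed from the fields quoted in the reply, and because the full nesting of the real file is not shown on this page the code walks the JSON recursively and assumes the files are UTF-8.

```python
import json
from pathlib import Path

# Directory named in the staff reply; only read when run on an endpoint.
SCAN_RESULTS = Path(r"C:\ProgramData\Malwarebytes\MBAMService\ScanResults")

def iter_traces(node):
    """Yield every JSON object that has an objectSha256 field, at any depth."""
    if isinstance(node, dict):
        if "objectSha256" in node:
            yield node
        for value in node.values():
            yield from iter_traces(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_traces(item)

def hashes_for_detection(scan_json_text, detection_id):
    """Return (path, md5, sha256) for traces whose id equals the Detection ID."""
    wanted = detection_id.strip().lower()
    rows = []
    for t in iter_traces(json.loads(scan_json_text)):
        if str(t.get("id", "")).lower() == wanted:
            # Lowercase the hashes so they compare cleanly with other tools.
            rows.append((t.get("objectPath"),
                         (t.get("objectMD5") or "").lower(),
                         (t.get("objectSha256") or "").lower()))
    return rows

def search_endpoint(detection_id, results_dir=SCAN_RESULTS):
    """Search every *.json in results_dir; skip unreadable or invalid files."""
    found = []
    for path in sorted(Path(results_dir).glob("*.json")):
        try:
            text = path.read_text(encoding="utf-8-sig")  # tolerate a BOM
            found.extend(hashes_for_detection(text, detection_id))
        except (OSError, ValueError):  # ValueError covers JSON/decoding errors
            continue
    return found

# Constructed sample: the fields quoted in the reply, closed into valid JSON.
SAMPLE = r'''{"id": "760fa592-1524-11e9-9f28-00ff70609f10",
 "threats": [{"linkedTraces": [], "mainTrace": {
   "cleanAction": "quarantine",
   "id": "7a06df44-1524-11e9-bf13-00ff70609f10",
   "objectMD5": "3B9269B0C31CA2CCFB30D75A83B0609E",
   "objectPath": "C:\\USERS\\DJACOBSON\\DESKTOP\\TEST-TROJAN.EXE",
   "objectSha256": "FC0771A47FFF3909627D224119BC4C9AD3CF8F11EA33CD7CE61A9B8894F5C23C",
   "objectType": "file"}}]}'''
```

Calling `search_endpoint("<Detection ID>")` on the endpoint returns the hashes without releasing anything from quarantine.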

  • 2 years later...

It's been over 2 years since this post and feature request; curious if anyone can provide an update as to when Malwarebytes will include the MD5 hash for detections / quarantined files. Thank you in advance for your time in responding to this ancient topic.





  • Root Admin

Hello @xristo, I know the team is working on improvements, but I've alerted the team to your feedback as well.

Just an FYI that I did post to another user today - though I do understand it's not quite the same as having an easier method within the program.


On Windows 10 you can get the MD5 from a command prompt

certutil -hashfile notepad.exe MD5

Returns the following

MD5 hash of notepad.exe:



Thank you again for your feedback


