Multi-quarantine extractor
Project description
maldump
Maldump makes it easy to extract quarantined files of multiple AVs from a live system or a mounted disk image.
Features
Supports extraction from the following AV products
- Avast Antivirus
- Avira Antivirus
- Eset NOD32
- FortiClient
- G Data
- Kaspersky for Windows Server
- Malwarebytes
- Microsoft Defender
- McAfee
- AVG
Installation
Using pip (Recommended)
$ pip install maldump
Or alternatively using git and Virtual Environment
$ git clone https://github.com/NUKIB/maldump
$ cd maldump
Create new environment and activate it
$ python3 -m venv venv
$ . venv/bin/activate
Install dependencies
(env) $ pip install -r requirements.txt
Run it as a module
(env) $ python3 -m maldump
Usage
usage: maldump [-h] [-l] [-q] [-m] [-a] [-v] root_dir
Multi-quarantine extractor
positional arguments:
root_dir root directory where OS is installed (example C:\)
optional arguments:
-h, --help show this help message and exit
-l, --list list quarantined file(s) to stdout (default action)
-q, --quar dump quarantined file(s) to archive 'quarantine.tar'
-m, --meta dump metadata to CSV file 'quarantine.csv'
-a, --all equivalent of running both -q and -m
-v, --version show program's version number and exit
-d, --dest destination for exported files
Examples
On Windows
List quarantine files located on disk C
$ maldump C:\
Dump quarantine files from disk C into archive quarantine.tar
$ maldump C:\ --quar
Export quarantine metadata from disk C into quarantine.csv
$ maldump C:\ --meta
Export both files and metadata from a mounted disk F
$ maldump F:\ --all
On Linux
List quarantine files from a windows partition mounted on /mnt/win
$ maldump /mnt/win
Disclaimer
Keep in mind, all timestamps are in UTC except for "Kaspersky for Windows Server" which stores timestamps in a local timezone.
For optimal results, admin privileges are required when running on Windows system. Linux does not require admin rights.
Contributing
To contribute to this project, please follow the CONTRIBUTING.
License
This software is licensed under GNU General Public License version 3.
- Copyright (C) 2022 National Cyber and Information Security Agency of the Czech Republic (NÚKIB)
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file maldump-0.5.0.tar.gz.
File metadata
- Download URL: maldump-0.5.0.tar.gz
- Upload date:
- Size: 127.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.9.20
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | aba1d216c8a02a8eedd9a2f38ee20ae07702f5e93cf6e4a467ff60f3b94454e1 |
|
| MD5 | c1e11924da81239fa31bc4493048a450 |
|
| BLAKE2b-256 | c336b09cf0bfb75d9d1823df28bcaaf1e3cc217aa6e3a6826e2624c4f03f4025 |
File details
Details for the file maldump-0.5.0-py3-none-any.whl.
File metadata
- Download URL: maldump-0.5.0-py3-none-any.whl
- Upload date:
- Size: 159.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.9.20
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 5c7ed44d408fe6a454dbca3bc47795d09cdf0601035fd8fa0dc6004e730c5d6e |
|
| MD5 | d697aab8005a614a0649fd07169f448f |
|
| BLAKE2b-256 | 27222d94b48d2ed4948f3324232b5a60dca3fdefaf91dd049e4de82b0e75e8f5 |
