Maldump makes it easy to extract quarantined files of multiple AVs from a live system or a mounted disk image.
Supports extraction from the following AV products:
- Avast Antivirus
- Avira Antivirus
- Eset NOD32
- FortiClient
- G Data
- Kaspersky for Windows Server
- Malwarebytes
- Microsoft Defender
- McAfee
- AVG
Using pip (recommended):
$ pip install maldump
Or alternatively using git and a virtual environment:
$ git clone https://github.com/NUKIB/maldump
$ cd maldump
Create a new environment and activate it:
$ python3 -m venv venv
$ . venv/bin/activate
Install dependencies:
(venv) $ pip install -r requirements.txt
Run it as a module:
(venv) $ python3 -m maldump
usage: maldump [-h] [-l] [-q] [-m] [-a] [-v] root_dir

Multi-quarantine extractor

positional arguments:
  root_dir       root directory where OS is installed (example C:\)

optional arguments:
  -h, --help     show this help message and exit
  -l, --list     list quarantined file(s) to stdout (default action)
  -q, --quar     dump quarantined file(s) to archive 'quarantine.tar'
  -m, --meta     dump metadata to CSV file 'quarantine.csv'
  -a, --all      equivalent of running both -q and -m
  -v, --version  show program's version number and exit
  -d, --dest     destination for exported files
List quarantine files located on disk C:
$ maldump C:\
Dump quarantine files from disk C into the archive quarantine.tar:
$ maldump C:\ --quar
Export quarantine metadata from disk C into quarantine.csv:
$ maldump C:\ --meta
Export both files and metadata from a mounted disk F:
$ maldump F:\ --all
List quarantine files from a Windows partition mounted on /mnt/win:
$ maldump /mnt/win
Keep in mind that all timestamps are in UTC except for "Kaspersky for Windows Server", which stores timestamps in the local timezone of the host.
For optimal results, admin privileges are required when running on a Windows system. Linux does not require admin rights.
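When the exported metadata is loaded into a timeline, the Kaspersky rows have to be shifted from the imaged host's local time to UTC before they are compared with the other products. The following script is an added example and is not part of maldump; it assumes (hypothetically) that quarantine.csv carries columns named `av`, `timestamp` and `path` with `YYYY-MM-DD HH:MM:SS` values, and that the analyst knows the timezone the imaged host was configured with.

```python
"""Normalise maldump metadata timestamps to UTC (added example, not maldump code).

Assumed CSV layout (hypothetical column names): av, timestamp, path.
Every row is UTC except "Kaspersky for Windows Server", which is local time.
"""
import csv
import io
from datetime import datetime, timedelta, timezone, tzinfo

LOCAL_TZ_AV = "Kaspersky for Windows Server"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows in the assumed column layout.
SAMPLE_CSV = """av,timestamp,path
Microsoft Defender,2022-03-01 10:15:00,C:\\Users\\a\\evil.exe
Kaspersky for Windows Server,2022-03-01 10:15:00,C:\\tmp\\drop.dll
"""


def normalise_rows(text: str, host_tz: tzinfo) -> list:
    """Return (av, path, utc_iso) tuples with every timestamp expressed in UTC.

    host_tz is the timezone the imaged Windows host was configured with; only
    the Kaspersky rows are interpreted in it, all other rows are already UTC.
    """
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        naive = datetime.strptime(row["timestamp"], TS_FORMAT)
        tz = host_tz if row["av"] == LOCAL_TZ_AV else timezone.utc
        aware = naive.replace(tzinfo=tz).astimezone(timezone.utc)
        out.append((row["av"], row["path"], aware.isoformat()))
    return out


def normalise_file(path: str, host_tz: tzinfo) -> list:
    """Convenience wrapper for a quarantine.csv on disk."""
    with open(path, newline="", encoding="utf-8") as fh:
        return normalise_rows(fh.read(), host_tz)


if __name__ == "__main__":
    # Fixed UTC+1 offset (CET, valid for the sample date); for a real host use
    # zoneinfo.ZoneInfo("Europe/Prague") so DST transitions are handled.
    for av, p, ts in normalise_rows(SAMPLE_CSV, timezone(timedelta(hours=1))):
        print(ts, av, p)
```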
To contribute to this project, please follow the CONTRIBUTING guidelines.
This software is licensed under the GNU General Public License version 3.
- Copyright (C) 2022 National Cyber and Information Security Agency of the Czech Republic (NÚKIB)