Maldump makes it easy to extract quarantined files of multiple AVs from a live system or a mounted disk image.
Extraction is supported for the following AV products:
- Avast Antivirus
- Avira Antivirus
- Eset NOD32
- FortiClient
- G Data
- Kaspersky for Windows Server
- Malwarebytes
- Microsoft Defender
Using pip (recommended):
$ pip install maldump
Or alternatively, using git and a virtual environment:
$ git clone https://github.com/NUKIB/maldump
$ cd maldump
Create a new environment and activate it:
$ python3 -m venv venv
$ . venv/bin/activate
Install the dependencies:
(venv) $ pip install -r requirements.txt
Run it as a module:
(venv) $ python3 -m maldump
usage: maldump [-h] [-l] [-q] [-m] [-a] [-v] root_dir

Multi-quarantine extractor

positional arguments:
  root_dir       root directory where OS is installed (example C:\)

optional arguments:
  -h, --help     show this help message and exit
  -l, --list     list quarantined file(s) to stdout (default action)
  -q, --quar     dump quarantined file(s) to archive 'quarantine.tar'
  -m, --meta     dump metadata to CSV file 'quarantine.csv'
  -a, --all      equivalent of running both -q and -m
  -v, --version  show program's version number and exit
List quarantine files located on drive C:
$ maldump C:\
Dump quarantine files from drive C into the archive quarantine.tar:
$ maldump C:\ --quar
Export quarantine metadata from drive C into quarantine.csv:
$ maldump C:\ --meta
Export both files and metadata from a mounted disk F:
$ maldump F:\ --all
List quarantine files from a Windows partition mounted on /mnt/win:
$ maldump /mnt/win
Keep in mind that all timestamps are in UTC, except for "Kaspersky for Windows Server", which stores timestamps in the local timezone.
For optimal results, admin privileges are required when running on a Windows system. Linux does not require admin rights.
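The archive written by `maldump --quar` is normally inventoried before any sample is opened. The following added example (not part of maldump) streams SHA-256 over every regular member of such an archive without writing anything to disk and skips links and other special members; it assumes quarantine.tar is a plain tar of the restored files and uses a constructed stand-in archive as input.

```python
import hashlib
import io
import tarfile
from typing import Dict, List, Union


def hash_quarantine_tar(source: Union[str, bytes]) -> List[Dict[str, object]]:
    """Inventory a quarantine.tar (assumed plain tar, as written by
    `maldump --quar`) without extracting anything to disk: each regular
    file is streamed through SHA-256 in chunks. `source` is a path or the
    raw archive bytes. Directories, symlinks, hard links and device
    members are skipped so nothing outside the archive is ever followed."""
    if isinstance(source, bytes):
        tar = tarfile.open(fileobj=io.BytesIO(source), mode="r:*")
    else:
        tar = tarfile.open(source, mode="r:*")
    records = []
    with tar:
        for member in tar:
            if not member.isfile():
                continue
            digest = hashlib.sha256()
            fh = tar.extractfile(member)
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
            records.append({"name": member.name, "size": member.size,
                            "sha256": digest.hexdigest()})
    return sorted(records, key=lambda r: r["name"])


def build_sample_tar(files: Dict[str, bytes]) -> bytes:
    """Constructed stand-in for a real quarantine.tar (demo data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("escape")  # symlink member: must be ignored
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


# Constructed sample archive: two restored files plus the symlink above.
SAMPLE = build_sample_tar({"sample1.exe": b"abc", "empty.bin": b""})

if __name__ == "__main__":
    for rec in hash_quarantine_tar(SAMPLE):
        print(f"{rec['sha256']}  {rec['size']:>8}  {rec['name']}")
```

The hash list can be matched against threat intelligence or a known-good inventory before deciding which samples merit deeper analysis.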
To contribute to this project, follow these steps:
- Fork this repository.
- Create a branch:
git checkout -b <branch_name>
- Make your changes and commit them:
git commit -m '<commit_message>'
- Push to the original branch:
git push origin <project_name/location>
- Create a pull request.
This software is licensed under the GNU General Public License version 3.
- Copyright (C) 2022 National Cyber and Information Security Agency of the Czech Republic (NÚKIB)