Skip to content

knez/defender-dump

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
README.md
README.md
 
 
defender-dump.py
defender-dump.py
 
 
demo.gif
demo.gif
 
 

Repository files navigation

defender-dump

Dump quarantined files from Windows Defender

Description

Forensically list and extract quarantined files from a mounted disk. Extracted files are put into a tar archive in order to prevent accidental triggering of Defender Real-time protection.

Update: for a more robust version supporting multiple AVs see maldump

Usage

On Windows

List quarantine files located on disk C

> python3 defender-dump.py C:\

Dump quarantine files from disk C into archive quarantine.tar

> python3 defender-dump.py C:\ --dump

List quarantine files located on disk G, mounted with FTK Imager using the File System/Read Only method

> python3 defender-dump.py G:\[root]\

On Linux

List quarantine files from a mounted windows partition on /mnt/win

> ./defender-dump.py /mnt/win

Limitation

The script will list and export only entries of the type "FILE". Any other types (like Registry) are not yet supported.

License

MIT

About

Dump quarantined files from Windows Defender

reversingfun.com/posts/how-to-extract-quarantine-files-from-windows-defender/

Topics

security forensics dfir windows-defender quarantine

Resources

Readme
Activity

Stars

73 stars

Watchers

6 watching

Forks

9 forks
Report repository

Releases

2 tags

Packages

No packages published

Contributors 2

Languages