How does antivirus / antimalware software quarantine work? [duplicate]


What is antivirus software quarantine? Is it just some strict user / group rights plus a change of the file extension, or is it an actual move of the files into a virtual environment?

How does this software prevent a virus from executing, or from escaping that sandbox / quarantine?

asked by Bob Ortiz, 07.07.2016 - 21:44

1 answer

Many AVs work the same way, but they may have different specific mechanisms of action. In general they work like this:

When MBAM removes an item such as a file or a Registry entry and "quarantines" the item, it is removed from its original location and stored in a protected container. Both the removed item and its location are stored in the container in a way that the file is rendered inert and the location where it was removed from is also recorded. Thus, if it is deemed to be a False Positive declaration, the item removed (file or Registry entry) can be restored to its original and working state. If, however, the item(s) are deemed to be justly removed for malicious activity, the quarantine can be "dumped" such that it cannot be restored and the container no longer holds any quarantined items, or you can choose to be selective about what is dumped from quarantine.

SOURCE

There is also another post on InfoSec SE that has some additional information:

In most anti-virus programs, the quarantined files are stored in internal binary formats. Since there is no physical connection between the infector file and your system (the fact that your anti-virus program works on its own storage format is also a plus point), it is not dangerous.

answered 07.07.2016 - 21:51
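To make the mechanism the answer describes concrete, here is a toy quarantine container written for this page (not MBAM's or any other product's real format): a suspect file is copied into an owner-only directory, its bytes are transformed with a per-item random key so the stored blob is inert (not a runnable image and no longer matching its on-disk signature), a manifest records the original path and SHA-256 so a false positive can be restored, and "dumping" deletes one or all items. The container layout, the XOR transform and the `suspect.exe` sample are all assumptions made for the example.

```python
import hashlib
import json
import os
import secrets
import tempfile
import time
from pathlib import Path
from typing import Optional

# Illustrative container layout (an assumption for this example, not a real AV format):
#   <id>.bin   original bytes XORed with a per-item random key, so the blob is inert
#   <id>.json  manifest: original path, SHA-256, key, timestamp
BLOB_SUFFIX = ".bin"
MANIFEST_SUFFIX = ".json"


def _xor(data: bytes, key: bytes) -> bytes:
    """Reversible transform; it is not secrecy, only a way to store the item
    so it cannot execute in place and does not look like the original on disk."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _container_dir(container: Path) -> Path:
    container.mkdir(parents=True, exist_ok=True)
    os.chmod(container, 0o700)  # the "protected container": owner-only access
    return container


def quarantine(path: str, container: str) -> str:
    """Move a suspect file into the container in inert form; return its item id."""
    src = Path(path).resolve()
    cdir = _container_dir(Path(container))
    data = src.read_bytes()
    item_id = secrets.token_hex(8)
    key = secrets.token_bytes(32)
    (cdir / (item_id + BLOB_SUFFIX)).write_bytes(_xor(data, key))
    manifest = {
        "original_path": str(src),          # where it came from, for restore
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "key_hex": key.hex(),
        "quarantined_at": time.time(),
    }
    (cdir / (item_id + MANIFEST_SUFFIX)).write_text(json.dumps(manifest))
    src.unlink()  # remove the original only after the copy is safely stored
    return item_id


def list_items(container: str) -> dict:
    """Map item id -> manifest for everything currently in the container."""
    return {m.stem: json.loads(m.read_text())
            for m in Path(container).glob("*" + MANIFEST_SUFFIX)}


def restore(container: str, item_id: str) -> str:
    """False-positive path: reverse the transform, verify the hash, put it back."""
    cdir = Path(container)
    manifest = json.loads((cdir / (item_id + MANIFEST_SUFFIX)).read_text())
    blob = (cdir / (item_id + BLOB_SUFFIX)).read_bytes()
    data = _xor(blob, bytes.fromhex(manifest["key_hex"]))
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        raise ValueError("quarantined blob does not match its recorded hash")
    dest = Path(manifest["original_path"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    purge(container, item_id)
    return str(dest)


def purge(container: str, item_id: Optional[str] = None) -> int:
    """Delete one item, or 'dump' every item when item_id is None; return the count."""
    cdir = Path(container)
    ids = [item_id] if item_id else list(list_items(container))
    for i in ids:
        for suffix in (BLOB_SUFFIX, MANIFEST_SUFFIX):
            p = cdir / (i + suffix)
            if p.exists():
                p.unlink()
    return len(ids)


def demo() -> dict:
    """Full cycle on a constructed sample file (not real malware) in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = Path(tmp) / "home" / "user" / "suspect.exe"
        suspect.parent.mkdir(parents=True)
        original = b"MZ\x90\x00constructed sample bytes, not a real program"
        suspect.write_bytes(original)
        container = str(Path(tmp) / "quarantine")

        item = quarantine(str(suspect), container)
        stored = (Path(container) / (item + BLOB_SUFFIX)).read_bytes()
        result = {
            "removed": not suspect.exists(),
            "inert": stored != original,
            "count_after_quarantine": len(list_items(container)),
        }
        restored = restore(container, item)
        result["round_trip"] = Path(restored).read_bytes() == original
        result["count_after_restore"] = len(list_items(container))

        quarantine(str(suspect), container)      # quarantine again, then dump all
        result["dumped"] = purge(container)
        result["count_after_dump"] = len(list_items(container))
        return result


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking are the ones the answer names: after `quarantine()` the file is gone from its original location and the stored blob is not the original bytes, and after `restore()` the content is byte-for-byte identical (the SHA-256 check guards against a corrupted container). Real products add more than this toy does, for example ACLs or a kernel driver protecting the container, and a proprietary storage format, but the move-transform-record-restore cycle is the same.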
