A click on the row displays options to restore the file or remove it, and to display details. Details displays the file name, but it may not be enough to identify the file, as Windows Defender may display a temporary name. Remove deletes the file from the quarantine; Restore, on the other hand, puts it back on the system so that you can access it.

The current version of Windows Defender Security Center has quite a few issues in this regard. I mentioned the lack of details already, but it is just one of the issues that you may run into. Another is that you may only get old files listed under quarantined threats. Windows Defender Security Center limits the threats to five on that page. While you can click on "see full history" to display all items that the security program quarantined, you will notice right away that the buttons to remove or restore files are missing there.

In an earlier post I outlined 6 free local tools for examining PDF files. There are also several handy web-based tools you can use for analyzing suspicious PDFs without having to install any tools. These online tools automate the scanning of PDF files to identify malicious components. The list includes PDF Examiner, Jsunpack, Wepawet and Gallus.

PDF Examiner by Malware Tracker is able to scan the uploaded PDF for several known exploits, allows the user to explore the structure of the file, and lets you examine, decode and dump PDF object contents. This tool lends itself well to manual PDF analysis tasks. In this way, it differs from Jsunpack and Wepawet, which focus on automating the analysis as much as possible.

Jsunpack by Blake Hartstein is designed for automatically examining and deobfuscating JavaScript. Its features also include carving contents of network packet capture (PCAP) files and identifying common client-side exploits. It can also examine PDF files for malicious JavaScript artifacts. (The example I uploaded used Flash, rather than PDF, so Jsunpack didn't locate malicious artifacts in this case.)

Wepawet by UCSB Computer Security Lab is an automated tool for identifying malicious client-side components in the form of PDF, Flash and JavaScript elements. Like Jsunpack, its strength is in examining JavaScript for shellcode and suspicious actions. (However, it did not flag the PDF file I uploaded as malicious.)

Gallus by MyCERT is an online scanner for PDF files, which is able to identify common exploits. Its present implementation seems to focus on JavaScript, and it was unable to identify the PDF sample that included a Flash-based exploit as malicious.

If you merely need to know whether antivirus products identify a particular PDF file as malicious, without gaining much insight into the file's inner workings, you can upload the PDF to free online services that scan files using multiple antivirus engines. The options include VirusTotal, Jotti's Malware Scan, Filterbit and VirSCAN.

To capture the screenshots above, I used the same "The Obama Administration and the Middle East.pdf" file I mentioned in my posting How to Extract Flash Objects from Malicious PDF Files. While attackers have historically used JavaScript, that file demonstrated a relatively recent technique of launching exploits with the help of a Flash object instead. The automated online analysis tools Jsunpack, Wepawet and Gallus weren't able to handle Flash-based PDF malware, even though they do really well with JavaScript embedded in PDF files. (This is why using Flash in PDFs is more attractive to some attackers at the moment than utilizing JavaScript.) I have no doubts that the developers of these tools will adjust them to handle Flash objects more effectively. Despite this present limitation, these are excellent tools that can save you a lot of time.
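The tools above split on one axis that matters for triage: they handle JavaScript embedded in PDFs well but miss Flash objects. The scanner below is an added example, not code from this post or from any of the tools it reviews; it shows the kind of local pre-check an analyst can run before uploading a sample. It resolves hex-escaped PDF name tokens (a common trick for hiding keywords from grep-style scanners), inflates FlateDecode streams, and reports whether the file carries JavaScript, RichMedia/Flash content, auto-run actions, Launch actions or embedded files. The indicator grouping is this example's own, and both sample PDFs are constructed inline (the Flash payload is only an SWF header stub, not a real movie).

```python
import re
import zlib

# Name tokens that signal active content in a PDF, grouped by kind.
# The grouping is this example's own; the online tools use their own heuristics.
INDICATORS = {
    "javascript": ["/JS", "/JavaScript"],
    "flash": ["/RichMedia", "/Flash"],       # Flash rides in RichMedia annotations
    "auto_action": ["/OpenAction", "/AA"],   # runs something on open / on an event
    "launch": ["/Launch"],
    "embedded_file": ["/EmbeddedFile"],
}

# Uncompressed, zlib-compressed and LZMA-compressed SWF header magic.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo PDF hex escapes in name tokens (/Rich#4Dedia -> /RichMedia).

    The reader resolves these escapes, so a scanner that matches on raw
    bytes would miss the keyword while the reader still acts on it."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Return the decoded body of every stream object.

    FlateDecode streams are inflated; anything else is returned raw so
    that magic-byte checks still see it."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        raw = m.group(1)
        try:
            # decompressobj tolerates the EOL that precedes 'endstream'
            bodies.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            bodies.append(raw)
    return bodies


def scan_pdf(data: bytes) -> dict:
    """Report which kinds of active content a PDF carries."""
    streams = inflate_streams(data)
    # Search the file body and every decoded stream, with name escapes resolved.
    views = [normalize_names(data)] + [normalize_names(s) for s in streams]
    found = {kind: set() for kind in INDICATORS}
    for view in views:
        for kind, names in INDICATORS.items():
            for name in names:
                # Require a delimiter after the name so that /RichMediaContent
                # does not count as a /RichMedia hit on its own.
                if re.search(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", view):
                    found[kind].add(name)
    # An SWF payload is recognisable by its header even if no /Flash name survives.
    swf_stream = any(s.startswith(SWF_MAGIC) for s in streams)
    active = {kind for kind, names in found.items() if names}
    if swf_stream:
        active.add("flash")
    return {
        "indicators": {kind: sorted(names) for kind, names in found.items()},
        "swf_stream": swf_stream,
        "active_content": sorted(active),
    }


# Constructed sample 1: a PDF that runs a harmless JavaScript alert when opened.
JS_SAMPLE = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
    b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

# Constructed sample 2: a RichMedia annotation whose subtype name is hex-escaped,
# with its Flash "payload" (only the SWF header magic) in a FlateDecode stream.
_SWF_STUB = b"FWS\x0a" + b"\x00" * 32
_FLASH_STREAM = zlib.compress(_SWF_STUB)
FLASH_SAMPLE = b"".join([
    b"%PDF-1.6\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n",
    b"4 0 obj << /Type /Annot /Subtype /Rich#4Dedia /RichMediaContent << /Assets [5 0 R] >> >> endobj\n",
    b"5 0 obj << /Type /EmbeddedFile /Length %d /Filter /FlateDecode >>\n" % len(_FLASH_STREAM),
    b"stream\n", _FLASH_STREAM, b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    for label, sample in (("javascript sample", JS_SAMPLE), ("flash sample", FLASH_SAMPLE)):
        print(label, scan_pdf(sample))
```

Keyword presence is a triage signal, not a verdict: a benign form can legitimately carry /JS, and a sample can hide its objects behind filter chains this scanner does not decode or inside object streams, so treat an empty result as "nothing obvious" rather than "clean" and hand anything flagged to one of the analyzers above, or to the manual object exploration PDF Examiner offers.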