Maldump makes it easy to extract quarantined files of multiple AVs from a live system or a mounted disk image.
Supports extraction from the following AV products
- Avast Antivirus
- Avira Antivirus
- Eset NOD32
- FortiClient
- G Data
- Kaspersky for Windows Server
- Malwarebytes
- Microsoft Defender
- McAfee
- AVG
In order to use maldump, you can:
- Download the latest binaries from releases (recommended).
- Install using pip.
- Install using git & PDM (for development).
pip install maldumpgit clone https://github.com/NUKIB/maldump
cd maldump
pdm install
pdm run python -m maldump
usage: maldump [-h] [-l] [-q] [-m] [-a] [-v] root_dir
Multi-quarantine extractor
positional arguments:
root_dir root directory where OS is installed (example C:\)
optional arguments:
-h, --help show this help message and exit
-l, --list list quarantined file(s) to stdout (default action)
-q, --quar dump quarantined file(s) to archive 'quarantine.tar'
-m, --meta dump metadata to CSV file 'quarantine.csv'
-a, --all equivalent of running both -q and -m
-v, --version show program's version number and exit
-d, --dest destination for exported files
List quarantine files located on disk C
maldump C:\
Dump quarantine files from disk C into archive quarantine.tar
maldump C:\ --quar
Export quarantine metadata from disk C into quarantine.csv
maldump C:\ --meta
Export both files and metadata from a mounted disk F
maldump F:\ --all
List quarantine files from a windows partition mounted on /mnt/win
maldump /mnt/win
Keep in mind, all timestamps are in UTC except for "Kaspersky for Windows Server" which stores timestamps in a local timezone.
For optimal results, admin privileges are required when running on Windows system. Linux does not require admin rights.
To contribute to this project, please follow the CONTRIBUTING.
This software is licensed under GNU General Public License version 3.
- Copyright (C) 2022 National Cyber and Information Security Agency of the Czech Republic (NÚKIB)