unQuar - Tool for Advanced Analyzing and Extracting Files from Antivirus Quarantines

unQuar is a utility that gives you direct access to the contents of various antivirus quarantines. View, analyze, and safely extract files that antiviruses have isolated as potentially dangerous.

🔍 What Does unQuar Do?

• Automatically finds quarantines of popular antiviruses on all connected drives
• Analyzes quarantine contents without modifying the original data
• Safely extracts files with protection against accidental execution
• Verifies data integrity using checksums

🛡️ Safety First

• Read-only operation - unQuar never modifies the original quarantine files
• Protected extraction - files are saved with .infected extension or in password-protected ZIP archives

🎯 Who Is This Tool For?

unQuar is useful for:

• Cybersecurity professionals for incident analysis and false positive investigation
• System administrators to restore mistakenly blocked files
• Curious users wanting to understand how antiviruses work "under the hood"
• Forensic analysts examining drives from compromised systems

⚠️ Important Warning

Files in quarantine were isolated by antivirus as potentially dangerous. Extraction and use of such files should be done with extreme caution, only if you're confident in their safety or are conducting analysis in an isolated environment. unQuar is a tool for those who understand what they're doing. If you're unsure about extracting files from quarantine - you probably don't need to do it.

Download

The current version of unQuar is 1.26.4.12. The utility can be run on any version of Windows starting with Windows XP. It requires no installation or additional frameworks and is completely portable.

Viewing a Report of Metadata

To view metadata associated with a quarantined item:

1. Select the quarantine object you're interested in
2. Click the Open report button
3. The program instantly generates a text report with all the data it was able to extract

Sample report for an object from Windows Defender quarantine:

D:\Downloads\eicar.com

Information about the object was extracted from the following files:
C:\ProgramData\Microsoft\Windows Defender\Quarantine\Entries\{80008A1B-0000-0000-9076-446FB1E532B1}
C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\38\3818F4778CB70846BA5AB4B7E356E5C3B4D6345D

Size:                68
Windows attributes:  A
Date created:        09-Mar-26 22:40:47 UTC
Date modified:       09-Mar-26 22:40:47 UTC
Date accesses:       09-Mar-26 22:40:59 UTC
Security descriptor: O:S-1-5-21-2572243032-1700205690-2982527160-1001G:S-1-5-21-2572243032-1700205690-2982527160-513D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1301bf;;;AU)(A;;0x1200a9;;;BU)
Date quarantined:    09-Mar-26 22:41:11 UTC
Detection:           Virus:DOS/EICAR_Test_File

Calculated hashes:
MD5:     44D88612FEA8A8F36DE82E1278ABB02F
SHA-1:   3395856CE81F2B7382DEE72602F798B642F14140
SHA-256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F

Raw metadata extracted from the file "C:\ProgramData\Microsoft\Windows Defender\Quarantine\Entries\{80008A1B-0000-0000-9076-446FB1E532B1}":
ID:               {80008A1B-0000-0000-9076-446FB1E532B1}
ScanID:           {6811819B-040D-49F4-BE22-A7531A61EA67}
DateQuarantined:  134175696714155000 (0x01DCB015D42343F8, 2026.03.09 22:41:11.415)
ThreatId:         2147519003 (0x0000000080008A1B)
Detection:        Virus:DOS/EICAR_Test_File
ObjectName:       \\?\D:\Downloads\eicar.com
ObjectType:       file
DataID:           38 18 F4 77 8C B7 08 46 BA 5A B4 B7 E3 56 E5 C3 8.фwЊ·.FєZґ·гVеГ
                  B4 D6 34 5D                                     ґЦ4]
Size:             68 (0x0000000000000044)
DateModified:     134175696474013643 (0x01DCB015C5D2FFCB, 2026.03.09 22:40:47.401)
DateAccessed:     134175696596792435 (0x01DCB015CD247473, 2026.03.09 22:40:59.679)
DateCreated:      134175696471810009 (0x01DCB015C5B15FD9, 2026.03.09 22:40:47.181)
Attributes:       32 (0x00000020)
PhysicalPath:     D:\Downloads\eicar.com
DetectionContext: B0 DD 2D DC 55 05 00 00                         °Э-ЬU...

Raw metadata extracted from the file "C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\38\3818F4778CB70846BA5AB4B7E356E5C3B4D6345D":
SecurityDescriptor: O:S-1-5-21-2572243032-1700205690-2982527160-1001G:S-1-5-21-2572243032-1700205690-2982527160-513D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1301bf;;;AU)(A;;0x1200a9;;;BU)

Alternate data stream ":Zone.Identifier:$DATA":
[ZoneTransfer]
ZoneId=3
HostUrl=https://secure.eicar.org/eicar.com

Report structure:

1. Full object path. The original file path before it was quarantined.
2. Source quarantine files. Lists the actual quarantine files from which information was extracted.
3. Structured metadata. Key metadata extracted from the quarantine: file sizes, attributes, timestamps (creation/modification/access), security descriptor, quarantine date and detection name, stored checksums. Important: this metadata describes the object stored inside quarantine, not the quarantine file itself. The exact set of fields varies depending on the antivirus, as different programs store different information.
4. Calculated hashes. Checksums calculated by unQuar independently. If a calculated hash differs from the one stored in quarantine metadata, a note is included in the report. For more information about checksum discrepancies, see the Checksum Verification and Data Integrity section.
5. PE metadata (if applicable).
6. Raw metadata. All available metadata in its raw, unprocessed form. This section varies significantly between antivirus types, as different programs store vastly different information in their quarantine formats.
7. Alternate Data Streams (ADS). If the quarantined file contains any alternate data streams (NTFS-specific), they are displayed in this section.

How the Report Helps in Incident Investigation

The unQuar report isn't just a technical dump - it's a full-fledged forensic tool that provides critically important information when analyzing security incidents.

🕒 Timeline Reconstruction

Timestamps in the report help establish the exact sequence of events:

• Date created/modified/accessed - shows how long the file existed in the system before detection
• Date quarantined - the precise moment when the antivirus intervened
• Comparing these dates reveals the dwell time - how long the file was present before detection

🔍 Threat Identification

• Detection name - the antivirus's classification helps understand the threat type (trojan, worm, hack tool)
• Original path - file location can indicate its purpose (temp folders often suggest droppers, system folders suggest rootkits)
• PE metadata - for executables, fields like OriginalFilename and FileDescription can reveal masquerading attempts (e.g., a file named svchost.exe but with a non-system description)

📦 Understanding Complex Threats

• Embedded object indicators - when raw data shows paths like Dharma.exe=>EVER\1saas\1sass.exe, it reveals that the threat was inside a container
• Detection context - some antiviruses store additional data about what exactly triggered the detection

🌐 Tracing File Origin

• Zone.Identifier streams - show whether a file was downloaded from the internet and contain the exact source URL

🔗 Correlating with Other Evidence

• File hashes - can be used to search for related samples in threat intelligence platforms
• Security descriptors - may reveal permission information indicating privilege escalation attempts

📋 Documentation for Reporting

• Complete raw data can be included in incident reports as evidence
• Provides auditors or other analysts with the exact information the antivirus had at the time of detection

Documentation

How Quarantine Search Works

When launched, unQuar searches for antivirus quarantine files. The search is based exclusively on a predefined list of file paths. No deep system analysis is performed - if a quarantine is located in a non-standard directory, it will not be detected. In this case, please inform me about your configuration - I will add this path in the next version of the program.

unQuar scans all connected hard drives, not just the system partition. This allows analyzing quarantines on drives with non-functional systems - you can connect a drive from a system damaged by a virus attack and examine the quarantine for digital evidence.

Search Results

All detected quarantines are displayed as a list with:

• Name of the antivirus program (determined solely based on the file path)
• Physical location of the quarantine files

The antivirus name will in most cases be generic without specifying the exact edition or version.

The number of items in the list varies: some antiviruses store files in a single centralized directory, others create separate quarantine directories on each hard drive (each displayed as a separate item).

Quarantines from previously used but already uninstalled antivirus programs may be detected.

Analyzing Quarantine Contents

After selecting a quarantine from the list, unQuar begins analyzing its contents. The analysis duration depends on the type of antivirus program and the number of items in the quarantine. For each found object, the following is displayed:

• Original path before the object was quarantined
• Object type
• Date the object was quarantined
• Name of the virus detected in the object

In rare cases, not all information may be available due to specifics of the particular antivirus's data storage format.

Date Display Formats and Their Interpretation

• Date quarantined: 2023-10-05 14:30:00

The date the object was quarantined was recorded in the quarantine files in UTC format, but is displayed according to the system's current time zone.

• Date quarantined: 2023-10-05 14:30:00 (L)

The date was recorded in the quarantine files in local time and is displayed unchanged "as is". The letter L in parentheses indicates local time.

• Estimated date quarantined: 2023-10-05 14:30:00

The date the object was quarantined was not found in the quarantine files. As the date, the modification date of the quarantine file itself is displayed according to the system's current time zone.

Special Situations and Error Handling

Working with an Active Antivirus

If you open a quarantine from a running antivirus program, some quarantine files may be locked by the antivirus itself. In this case, unQuar will request permission to continue with elevated administrator privileges.

• If granted, locked files will be processed
• If denied, locked files will be skipped

A similar situation occurs if the antivirus program has set DACL (Discretionary Access Control List) permissions on the quarantine directory and its files that prevent regular users from opening them.

Errors During Quarantine Analysis

If errors occur during analysis, their list is displayed immediately after analysis completes.

Error types:

• "Physical" errors. Inability to open a file, data read errors. The program cannot do anything about these errors.
• "Logical" errors. Discrepancy between expected data and structures within quarantine files and the actual data. These errors can (and should) be fixed by improving parsing algorithms.

If you encounter logical errors, please send me the problematic files for analysis - this will allow me to fix the algorithms, and future versions of the program will work more correctly.

Operations with Quarantine Objects

Important principle: unQuar always opens files in read-only mode and never modifies the actual quarantine contents.

Available Actions:

Open report. Opens a window with a detailed text report about the selected quarantine object. The report contains all available information that unQuar was able to extract.

Open VT report. Opens a browser page to VirusTotal.com with a report on the selected quarantine object. If the object hasn't been uploaded to VirusTotal before, the report will be empty.

If you place the VT Uploader utility in the same folder as unQuar, the behavior changes. When you click the button, unQuar will launch VT Uploader and pass the quarantine file to it for uploading to VirusTotal. How VTUploader processes the passed file is determined by the Action when opening a file setting within VT Uploader itself. Please configure this setting according to your needs.

unQuar checks for the presence of any of the following files in its directory: VTUploader.exe, VTUploader.64.exe, VTUploader.32.exe. If at least one of these files exists, VT Uploader will be launched instead of opening the browser directly.

Save as. Saves the selected quarantine object as a file for further analysis. Security measure: the file is saved with an additional .infected extension to prevent accidental execution and system infection.

Save PWD ZIP as. Saves the selected quarantine object as an encrypted ZIP file. Decryption password: "infected" (without quotes). Useful if the running antivirus immediately deletes extracted files. Allows safe file transfer via email for analysis.

Checksum Verification and Data Integrity

If quarantine files contain an object's checksum in their metadata, this checksum is verified against the actual checksum when performing any operation (saving, opening a report). In case of mismatch, a corresponding warning is displayed.

Why might checksums not match:

1. Technical issues (rare)
   • The antivirus program saved the checksum or the file itself incorrectly (unlikely)
   • A decoding error occurred within unQuar
2. Checksum refers to an embedded object

Some antivirus programs (e.g., 360 Total Security) don't hash the entire file - they hash only the embedded object they detected as malicious, while storing the full container file in quarantine.

Example: when scanning Dharma.exe, the antivirus detects a threat inside embedded object EVER\1saas\1sass.exe. It stores:

• The full Dharma.exe file in quarantine
• The checksum of only the embedded 1sass.exe in the metadata

Result: the checksum of the full file won't match the stored checksum - even though everything was stored correctly.

In most cases, if the checksums don't match, you can view the object's text report and see an explanation in the raw data. For the example case, you might see the following lines in the raw data:

@208: E:\Ransomware\Dharma.exe=>EVER\1saas\1sass.exe
@209: E:\Ransomware\Dharma.exe

List of supported antivirus programs

unQuar can extract objects from quarantines of the following antivirus programs (names and file paths where the utility searches for quarantine files):

1. 360 Total Security (c) Beijing Qihu Keji Co. Ltd.: 360safe.Summary.dat + .q3q files, .vir files
   • %DRIVE%:\$360Section
   • %DRIVE%:\360Rec
2. Acronis (c) Acronis International GmbH: .zip files
   • %PROGRAMDATA%\Acronis\NGMP\quarantine
3. Adlice Diag (c) Adlice Software: .meta files + .vir files
   • %PROGRAMDATA%\ADiag\quarantine
4. Adlice Protect (RogueKiller) (c) Adlice Software: .meta files + .vir files
   • %PROGRAMDATA%\RogueKiller\quarantine
5. Advanced System Protector (c) Systweak Software: QDetail.db + ._qt_ files
   • %APPDATA%\Systweak\Advanced System Protector\Quarantine
6. AhnLab (c) AhnLab, Inc.: quarantine files (magic "kp"\0x01\0x01"AhnLab Quarantine Data File"), .V3B files (magic "AhnLab Inc. 2006")
   • %PROGRAMFILES%\AhnLab\V3Lite40\Quarantine
   • %PROGRAMFILES%\AhnLab\V3IS90\Quarantine
   • %PROGRAMFILES%\AhnLab\V3IS80\Backup\V3B
   • %PROGRAMFILES%\AhnLab\V3IS2007\Backup\V3B
7. ALYac (c) ESTsecurity Corp: .aqi files + .ayq files (magic "AYCFS")
   • %PROGRAMDATA%\ESTsoft\ALYac\quarantine
   • %PROGRAMDATA%\ESTsoft\ALYac\collect
8. Amiti Antivirus (c) NETGATE Technologies s.r.o.: .ifc files
   • %APPDATA%\Amiti Antivirus\Cage
9. Arcabit (c) Arcabit: .aqv files
   • %PROGRAMDATA%\Arcabit\quarantine
10. Ashampoo Anti-Virus (c) Ashampoo GmbH & Co. KG: .EQF files (magic \0xF0\0xD9\0x86\0xA7\0xB1\0xEE\0xD9\0x47\0xB9\0xD4\0x58\0x14\0x65\0x6E\0x02\0x70)
    • %PROGRAMFILES%\Ashampoo\Ashampoo Anti-Virus\Quarantine
11. AulapG (c) Fajar Anggiawan: quarantine.ini + data files
    • %LOCALAPPDATA%\AulapG\Quarantine
12. Auslogics Anti-Malware (c) Auslogics Labs Pty Ltd: .info files + .quarantine files
    • %DRIVE%:\anti-malware.quarantine
13. Avast (c) Gen Digital Inc.: vault.db + .dat files, index.xml + data files
    • %DRIVE%:\$AV_ASW\$VAULT
    • %PROGRAMDATA%\AVAST Software\Avast\$AV_ASW\$VAULT
    • %PROGRAMDATA%\AVAST Software\Avast\chest
14. AVG (c) Gen Digital Inc.: vault.db + .dat files, index.xml + data files
    • %DRIVE%:\$AV_AVG\$VAULT
    • %PROGRAMDATA%\AVG\Antivirus\$AV_AVG\$VAULT
    • %PROGRAMDATA%\AVG\Antivirus\chest
15. Avira Antivirus (c) Avira Operations GmbH.: .qua files (magic "AntiVir Qua")
    • %PROGRAMDATA%\Avira\Antivirus\INFECTED
    • %PROGRAMDATA%\Avira\AntiVir Desktop\INFECTED
    • %PROGRAMDATA%\Avira\AntiVir PersonalEdition Classic\INFECTED
    • %PROGRAMDATA%\AntiVir PersonalEdition Classic\INFECTED
16. Avira Security (c) Avira Operations GmbH.: .qua files
    • %PROGRAMDATA%\Avira\Endpoint Protection SDK\quarantine
17. Baidu Antivirus (c) Baidu: .qv files
    • %PROGRAMFILES%\Baidu Security\Baidu Antivirus\%VERSION%\qv
18. BitDefender (c) Bitdefender: .dat files + .bdq files
    • %PROGRAMDATA%\Bitdefender\Desktop\Quarantine
    • %PROGRAMDATA%\Bitdefender\Desktop\QuarantineBackup
19. CMC Antivirus (c) CMC Cyber Security: .cmc files (magic "CMC Quarantined Malware")
    • %PROGRAMFILES%\CMC\Antivirus\JAIL
20. Combo Cleaner (c) RCS LT: .dat files + .bdq files
    • %PROGRAMFILES%\Combo Cleaner\quarantine
21. Comodo (c) Comodo Security Solutions, Inc.: [{GUID}.info files] + {GUID} files
    • %PROGRAMDATA%\Comodo\Cis\Quarantine\data
    • %DRIVE%:\CCE_Quarantine
22. C-Prot/Chomar (c) C-Prot UK: Chomar.db + .7z files
    • %PROGRAMDATA%\CHOMAR\Antivirus\Quarantine
    • %PROGRAMDATA%\CHOMAR\Internet Security\Quarantine
23. CybeeAI (c) Cybee.ai: data files
    • %PROGRAMFILES%\CybeeAI\Quarantine
24. CyberLock (c) VoodooSoft, LLC: quarantine.db + .voo files
    • %PROGRAMDATA%\CyberLock\Quarantine
25. Dr.Web/Dr.Web CureIt! (c) Doctor Web: .met files + data files
    • %DRIVE%:\DrWeb Quarantine
    • %USERPROFILE%\Doctor Web\CureIt Quarantine
26. Emsisoft (c) Emsisoft: .EQF files (magic \0xF0\0xD9\0x86\0xA7\0xB1\0xEE\0xD9\0x47\0xB9\0xD4\0x58\0x14\0x65\0x6E\0x02\0x70)
    • %PROGRAMFILES%\Emsisoft Internet Security\Quarantine
    • %PROGRAMFILES%\Emsisoft Anti-Malware\Quarantine
    • %DRIVE%:\EEK\Quarantine
27. eScan (c) MicroWorld Technologies Inc.: .vir files
    • %PROGRAMFILES%\eScan\INFECTED
28. ESET (c) ESET: .NDF files (magic "FQDF"/"EQDF") + .NAF files
    • %SYSTEM32%\config\systemprofile\AppData\Local\ESET\ESET NOD32 Antivirus\Quarantine
    • %SYSTEM32%\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine
    • %SYSTEM32%\config\systemprofile\AppData\Local\ESET\ESET Endpoint Antivirus\Quarantine
    • %LOCALAPPDATA%\ESET\ESET NOD32 Antivirus\Quarantine
    • %LOCALAPPDATA%\ESET\ESET Security\Quarantine
    • %LOCALAPPDATA%\ESET\ESET Endpoint Antivirus\Quarantine
    • %LOCALAPPDATA%\ESET\ESETOnlineScanner\Quarantine
29. FortiClient (c) Fortinet, Inc.: quarantine files (magic "QUARF")
    • %PROGRAMFILES%\Fortinet\FortiClient\quarantine
30. F-Prot (c) FRISK Software: quarantine files (magic "KSS")
    • %PROGRAMDATA%\FRISK Software\F-PROT Antivirus for Windows\fq
31. F-Secure (c) F-Secure: .qua files
    • %PROGRAMDATA%\Endpoint Protection SDK\quarantine
32. G Data (c) G DATA CyberDefense AG: .q files (magic \xCA\xFE\xBA\xBE)
    • %PROGRAMDATA%\G DATA\AVK\Quarantine
    • %PROGRAMDATA%\G DATA\AntiVirusKit Client\Quarantine
    • %PROGRAMDATA%\G DATA\AntiVirus ManagementServer\Quarantine
33. Gridinsoft Anti-Malware (c) Gridinsoft LLC: .info files + .zip files
    • %PROGRAMDATA%\GridinSoft\Anti-Malware\storage
34. Heimdal Next-Gen Antivirus (c) Heimdal
    • %PROGRAMDATA%\Microsoft\Windows Defender\Quarantine (not a mistake, Heimdal is actually using Windows Defender's quarantine)
35. HitmanPro (c) Sophos: quarantine.xml + GUID files [metadata only]
    • %PROGRAMDATA%\HitmanPro\Quarantine
36. Huawei HiSec Endpoint (c) Huawei Technologies Co., Ltd: quarantineDb.db + .QKYun files
    • %PROGRAMDATA%\EDR-Agent\Quarantine
37. Huorong Internet Security (c) Beijing Huorong Network Technology Co., Ltd.: QuarantineEx.db + quarantine files (magic "YPPY")
    • %PROGRAMDATA%\Huorong\Sysdiag\Quarantine
38. Intego (c) Intego: quarantine.dbiav + .iav files
    • %PROGRAMDATA%\Intego\quarantine
39. IObit Advanced SystemCare Ultimate (c) IObit: .dat files + .bdq files
    • %PROGRAMFILES%\IObit\Advanced SystemCare Ultimate\Antivirus\BackupRec
40. IObit Malware Fighter (c) IObit: .dat files + .bdq files
    • %PROGRAMFILES%\IObit\IObit Malware Fighter\Quarantine
41. K7 Antivirus (c) K7 Computing Pvt Ltd.: .qnt files (magic "K7Qt")
    • %PROGRAMDATA%\K7 Computing\K7TSecurity\K7AntiVirus\Quarantine
42. Kaspersky (c) AO Kaspersky Lab: .klq files (magic "KLQB")
    • %PROGRAMDATA%\Kaspersky Lab\%PRODUCTNAME%\QB
    • %PROGRAMDATA%\Kaspersky Lab\%PRODUCTNAME%\Quarantine
    • %PROGRAMDATA%\Kaspersky Lab\%PRODUCTNAME%\Backup
    • %DRIVE%:\KVRT2020_Data\Quarantine
43. Kingsoft Internet Security (c) Kingsoft Corporation: .KVQ files (magic "Kingsoft Virus Quarantine")
    • %DRIVE%:\KRECYCLE
44. Loaris Trojan Remover (c) Loaris Cybersecurity Inc.: .info files + .zip files
    • %PROGRAMDATA%\Loaris\Trojan Remover\storage
45. Malware Hunter (c) Glarysoft: .quq files
    • %DRIVE%:\$GlaryQuarantine
46. Malwarebytes (c) Malwarebytes: .data files + .quar files
    • %PROGRAMDATA%\Malwarebytes\MBAMService\Quarantine
    • %PROGRAMDATA%\Malwarebytes\Malwarebytes Anti-Malware\Quarantine
    • %PROGRAMDATA%\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine
    • %APPDATA%\Malwarebytes\MBAMService\Quarantine
    • %APPDATA%\Malwarebytes\Malwarebytes Anti-Malware\Quarantine
    • %APPDATA%\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine
47. McAfee (c) McAfee, LLC: .bup files (magic \0xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1)
    • %PROGRAMDATA%\McAfee\VirusScan\Quarantine
    • %DRIVE%:\QUARANTINE
48. Micropoint AntiVirus Software (c) Micropoint Corp.: mp100094.mpl + .dat files
    • %PROGRAMFILES%\MPAV\MP14
49. Microsoft Security Essentials (c) Microsoft
    • %PROGRAMDATA%\Microsoft\Microsoft Antimalware\Quarantine
50. mks_vir (c) mks_vir Sp. z o.o.: .aqv files
    • %PROGRAMDATA%\mks_vir\quarantine
51. NANO Antivirus (c) NANO Security: {9B7D1980-V004-*} files (magic \0x01\x0F\x13\xAE)
    • %PROGRAMDATA%\nanoav
52. NGAV (c) MSecure® Data Labs: .q files + .q00 files
    • %PROGRAMFILES%\NGAV Smart Security Anti-Malware\q
    • %PROGRAMFILES%\NGAV-NetGuardian\q
53. Norton (c) Gen Digital Inc.: .qbi files + .qbd files
    • %PROGRAMDATA%\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\%VERSION%\QBackup
54. Norton 360 (c) Gen Digital Inc.: vault.db + .dat files, index.xml + data files
    • %DRIVE%:\$AV_NLL\$VAULT
    • %PROGRAMDATA%\Norton\Antivirus\$AV_NLL\$VAULT
    • %PROGRAMDATA%\Norton\Antivirus\chest
55. OmniDefender (c) OmniDefender: .json files + .zz files
    • %PROGRAMFILES%\OmniDefender\Quarantine
56. Panda (c) Panda Security: GUID files
    • %PROGRAMDATA%\Panda Security\Panda Security Protection\Quarantine
57. PC Doctor (c) MSecure® Data Labs: .q files + .q00 files
    • %PROGRAMDATA%\AVHome\Q
58. Priil Internet Security (c) Priil Ltd: Threats.json/threatinfo.json + .vir files, .info files + .qfile files
    • %PROGRAMDATA%\Priil Internet Security\QuarantiedFiles
59. Protegent (c) Unistal Systems Pvt. Ltd.: .q files + .q00 files
    • %PROGRAMDATA%\PGHome\Q
60. Quick Heal (c) Quick Heal Technologies Limited: quarfun.db + data files
    • %PROGRAMFILES%\Quick Heal\Quick Heal Total Security\QUARANTINE
    • %PROGRAMFILES%\Quick Heal\Quick Heal Internet Security\QUARANTINE
    • %PROGRAMFILES%\Quick Heal\Quick Heal AntiVirus Pro\QUARANTINE
    • %PROGRAMFILES%\Quick Heal\Quick Heal IS Essentials\QUARANTINE
61. REVE Antivirus (c) REVE Antivirus: .dat files + .bdq files
    • %PROGRAMDATA%\REVE Antivirus\Common\Quar
62. Rising Antivirus (c) Beijing Rising Information Technology Co., Ltd.: .bin files (magic \0x4D\0x65\0xBC\0x02)
    • %DRIVE%:\RavBin
63. SecureAPlus/CatchPulse (c) SecureAge Technology: AntiVirus.db + .qr2 files
    • %PROGRAMDATA%\SecureAge Technology\SecureAge\AntiVirus\Quarantine
64. Shield Antivirus (c) ShieldApps Software Innovations: .qua files
    • %PROGRAMDATA%\Endpoint Protection SDK\quarantine
65. SiriusGPT (c) VoodooSoft, LLC: quarantine.db + .gpt files
    • %PROGRAMDATA%\SiriusGPT\Quarantine
66. SiyanoAV (c) Siyano Labs Pvt. Ltd.: Threats.json/threatinfo.json + .info files + .qfile files
    • %PROGRAMDATA%\SiyanoAV Antivirus Pro\QuarantiedFiles
    • %PROGRAMDATA%\SiyanoAV Internet Security\QuarantiedFiles
    • %PROGRAMDATA%\SiyanoAV Total Security\QuarantiedFiles
67. SMADAV (c) Smadsoft: .dav files (magic "Dav!")
    • %DRIVE%:\[Smad-Cage]
68. Spy Emergency (c) NETGATE Technologies s.r.o.: .ifc files
    • %APPDATA%\Spy Emergency\Cage
69. Spybot - Search & Destroy (c) Safer-Networking Ltd.: .zip files
    • %PROGRAMDATA%\Spybot - Search & Destroy\Quarantine
70. SUPERAntiSpyware (c) RealDefense LLC: quarantine.db
    • %APPDATA%\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine
71. Symantec (c) Broadcom: .vbn files
    • %PROGRAMDATA%\Symantec\Symantec Endpoint Protection\%VERSION%\Data\Quarantine
72. Systweak Antivirus (c) Systweak Software: .qua files
    • %PROGRAMDATA%\Systweak\Systweak Antivirus\Endpoint Protection SDK\quarantine
73. T9 Antivirus (c) Tweaking Technologies: .qua files
    • %PROGRAMDATA%\Tweaking\T9 Antivirus\Endpoint Protection SDK\quarantine
74. TACHYON Internet Security (c) INCA Internet Corporation: Name_GUID files
    • %PROGRAMDATA%\TACHYON\T6\quarantine\Backup
    • %PROGRAMFILES%\Common Files\TACHYON\T5\Quarantine\Backup
75. Tencent PC Manager (c) Tencent: virusclean.db + data files
    • %PROGRAMDATA%\Tencent\QQPCMgr\Quarantine
76. Total Defence (c) Total Defense LLC: .dat files + .bdq files
    • %PROGRAMFILES%\TotalDefense\Suite\Anti-Virus\Quarantine
77. TotalAV (c) Total Security US LLC: .qh files + .dat files
    • %PROGRAMDATA%\SecuritySuite\Quarantine
78. Trellix Stinger (c) Musarubra US LLC: .zip files
    • %DRIVE%:\Quarantine\Stinger\quarantine
79. Trend Micro (c) Trend Micro Incorporated: quarantine files (magic \0xA9\0xAC\0xBD\0xA7)
    • %PROGRAMDATA%\Trend Micro\AMSP\quarantine
    • %PROGRAMFILES%\Trend Micro\HouseCall\log
80. Twister Antivirus (c) Filseclab Corporation: .TBI files (magic "Twister Quarantine File")
    • %PROGRAMFILES%\Filseclab\Twister\quarantine
81. Vipre (c) VIPRE Security Group, Inc.: QR{GUID}NNNNNNNN.xml files + {GUID}_ENC2 files + .dat files + .bdq files
    • %PROGRAMDATA%\VIPRE\Quarantine
82. Vir.IT eXplorer (c) TG Soft S.r.l.: .lst files + .cr2 files
    • %PROGRAMDATA%\viritlite\BACKUP
83. ViRobot Security (c) Hauri, Inc.: .vsq files
    • %PROGRAMDATA%\Hauri\ViRobot Security\Backup
84. VirusChaser (c) SGA EPS Co., Ltd.: VC90.db/VC100.db + .vir files
    • %PROGRAMFILES%\Virus Chaser\VC90\Backup
    • %PROGRAMFILES%\Virus Chaser\VC100\VCBack\VirBack
85. VIRUSfighter/SPYWAREfighter (c) SPAMfighter: data files
    • %PROGRAMDATA%\Common Toolkit Suite\AVEngine\Quarantine
86. Watchdog Anti-Malware (c) Watchdog Development: info + file
    • %LOCALAPPDATA%\WAMSDK\Quarantine
87. Watchdog Anti-Virus (c) Watchdog Development: info.json + file
    • %LOCALAPPDATA%\WSDK\Quarantine
88. Webroot (c) Open Text Corporation: dbl.db + .dat files
    • %PROGRAMDATA%\WRData\qrnexl
89. Windows Defender (c) Microsoft
    • %PROGRAMDATA%\Microsoft\Windows Defender\Quarantine
90. WinZip Malware Protector (c) WinZip Computing: QDetail.db + ._qt_ files
    • %APPDATA%\Nico Mak Computing\WinZip Malware Protector\Quarantine
91. WiseVector StopX (c) Beijing Zhilang Technology Co., Ltd.
    • %PROGRAMFILES%\WiseVector\qua
92. X-Sec Malware Scanner (c) X-Sec: .bin files
    • %DRIVE%:\X-Sec_Malware_Scanner_x64\Quarantine
    • %DRIVE%:\X-Sec_Malware_Scanner_x86\Quarantine
93. Xvirus Anti-Malware (c) Xvirus: quarantinedata.xdb + .infected files
    • %PROGRAMFILES%\Xvirus Anti-Malware\quarantine
94. Zillya (c) ALLIT Service LLC.: .avqr files (magic "ZAVQUAR", "ZISQUAR", "ZTSQUAR"), .zqr files (magic "ZAVQUAR")
    • %DRIVE%:\ZAV.QUAR
    • %DRIVE%:\ZIL.QUAR
    • %DRIVE%:\ZIS.QUAR
    • %DRIVE%:\ZTS.QUAR
95. ZoneAlarm (c) Check Point: GUID files
    • %PROGRAMDATA%\CheckPoint\Endpoint Security\Remediation\Quarantine

FAQ

Q: Why is the list of supported antiviruses so short, and why is [Antivirus Name] not on it?
A: Several factors limit the list:

1. Encryption: The vast majority of modern antiviruses use strong encryption for quarantined files. Recent encryption methods have become too complex for reliable decryption without official documentation.
2. Technical Complexity: Full reverse-engineering of proprietary quarantine formats requires significant expertise and time, which is not always feasible.
3. Availability: Some antiviruses do not offer a trial version for testing, and corporate-grade security products are generally inaccessible for development purposes.

Q: What does the note "[metadata only]" mean?
A: This note indicates that the quarantine's encryption method is currently unknown. The utility can only extract an object's metadata but not the original file.

Q: My antivirus [Antivirus Name] stores its quarantine in [Dir Name], but this path is not in your list, and the utility cannot find it. How can I fix this?
A: The default search paths may not cover all possible custom installations. Please email me the details of your setup (antivirus name, version, and full path to the quarantine folder), and I will add this directory to the search list in the next update.

Q: Why does Dr.Web quarantine appear as three separate items (Dr.Web, Dr.Web (V1), Dr.Web (V2))? What's the difference between them?
A: DrWeb uses two different encryption methods for its quarantine files. The correct method cannot be determined from the quarantine file structure alone - it requires heuristic analysis. To give you full control in case the heuristics fail, unQuar displays three options:

1. Dr.Web - automatically selects the encryption method based on heuristics (recommended for most cases)
2. Dr.Web (V1) - forces the first encryption method
3. Dr.Web (V2) - forces the second encryption method

If the heuristic detection fails (e.g., the quarantine shows garbled or unreadable data), try opening the same quarantine using DrWeb (V1) or DrWeb (V2) manually. One of them should decode the contents correctly.

Q: Why does Comodo quarantine appear as three separate items (Comodo, Comodo x64, Comodo x86)? What's the difference between them?
A: Comodo uses different encryption keys for its 32-bit (x86) and 64-bit (x64) versions. The encryption key cannot be determined from the quarantine file structure alone - it requires heuristic analysis. To give you full control in case the heuristics fail, unQuar displays three options:

1. Comodo - automatically selects the encryption key based on heuristics (recommended for most cases)
2. Comodo x64 - forces decryption using the x64 key
3. Comodo x86 - forces decryption using the x86 key

If the heuristic detection fails (e.g., the quarantine shows garbled or unreadable data), try opening the same quarantine using Comodo x64 or Comodo x86 manually. One of them should decode the contents correctly.

Q: I know the quarantine format/encryption method for [Antivirus Name]. If I share this information, can you add full support for it to the utility?
A: Yes, absolutely. I welcome community contributions. If you can provide a detailed description, and especially sample files (if possible), please contact me via email. I will be glad to implement full support for that quarantine in a future release.

Contacts

You can contact me by email at da[@]unquar[.]com.

unQuar (c) Denis Anisimov 2026