knez/defender-dump
defender-dump

Dump quarantined files from Windows Defender

Description

Forensically list and extract quarantined files from a mounted disk. Extracted files are put into a tar archive in order to prevent accidental triggering of Defender Real-time protection.

Update: for a more robust version supporting multiple AVs see maldump
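To illustrate the archive approach described above, here is an added example (not the project's own code) that packs recovered quarantine entries straight into an in-memory tar and records a SHA-256 manifest, so no loose copy of a recovered file is ever written to the analysis machine's disk. The sample entries and the member-naming scheme are constructed assumptions for the example.

```python
import hashlib
import io
import tarfile
from typing import Dict, Iterable, Tuple

# Constructed sample entries: (original path as recorded at quarantine time,
# recovered file bytes). Hypothetical values, not real quarantined content.
SAMPLE_ENTRIES = [
    (r"C:\Users\alice\Downloads\invoice.docm", b"PK\x03\x04constructed-sample-1"),
    (r"C:\Temp\dropper.exe", b"MZ\x90\x00constructed-sample-2"),
]


def build_quarantine_tar(entries: Iterable[Tuple[str, bytes]]) -> Tuple[bytes, Dict[str, str]]:
    """Pack recovered files into a tar archive held entirely in memory.

    The recovered bytes never exist as loose files on disk, so a real-time
    scanner on the analysis box only ever sees the archive. Returns
    (tar_bytes, manifest) where manifest maps member name -> SHA-256 of the
    content, which doubles as the forensic record of what was extracted.
    """
    buf = io.BytesIO()
    manifest: Dict[str, str] = {}
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for idx, (orig_path, data) in enumerate(entries, start=1):
            # Keep the original path readable but safe as a member name:
            # drop the drive letter, strip leading backslashes, use '/'.
            rel = orig_path.split(":", 1)[-1].lstrip("\\").replace("\\", "/")
            member_name = f"{idx:03d}_{rel}"
            info = tarfile.TarInfo(name=member_name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[member_name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def list_quarantine_tar(tar_bytes: bytes) -> Dict[str, int]:
    """Return member name -> size without extracting anything from the tar."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return {m.name: m.size for m in tar.getmembers() if m.isfile()}


if __name__ == "__main__":
    archive, digests = build_quarantine_tar(SAMPLE_ENTRIES)
    for name, digest in digests.items():
        print(f"{digest}  {name}")
    print(list_quarantine_tar(archive))
```

The manifest printed here is what you would keep alongside the archive in the case file; the archive itself can then be handed to a sandbox or an offline analysis host.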

Usage

On Windows

List quarantine files located on disk C

> python3 defender-dump.py C:\

Dump quarantine files from disk C into archive quarantine.tar

> python3 defender-dump.py C:\ --dump

List quarantine files located on disk G, mounted with FTK Imager using the File System/Read Only method

> python3 defender-dump.py G:\[root]\

On Linux

List quarantine files from a mounted Windows partition on /mnt/win

> ./defender-dump.py /mnt/win

Limitation

The script will list and export only entries of the type "FILE". Any other types (like Registry) are not yet supported.

License

MIT