Symantec AntiVirus VBN Files

Symantec AntiVirus Corporate Edition 8.1, and other versions, places quarantined files in its quarantine directory as .VBN files. The VBN extension stands for "Virus Bin". The contents of the VBN file can be restored using the QExtract utility from Symantec.

QExtract can be found on the Symantec AntiVirus Corporate Edition 8.0 or 8.1 CD 1 of 2 in \TOOLS\NOSUPRT\QEXTRACT. You will find QEXTRACT.EXE and QEXTRACT.PDF there.

Usage Information


G:\>qextract

Usage:  QExtract /vbn: /file:

 - eg.  33850000.VBN

 - the fullpath of target file (include filename).

/? for this help

Unfortunately, you cannot specify a path for the VBN file, only the filename. The utility always expects to find the file in Symantec AntiVirus' default location, which is C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine. This is the default directory even if you are using version 8.0 or 8.1, i.e., the directory path contains 7.5 even with later versions of the software. That path is present even on a system that never had version 7.5 of Symantec AntiVirus Corporate Edition installed, only later versions.

So if you want to use qextract.exe on a system where you don't have the Symantec AntiVirus software installed, you will need to create that path and place the VBN files there in order for QExtract to work. Otherwise you will get a message similar to the one below:

qextract /vbn:12840000.VBN /file:c:\DWH3A75.TMP /file:us_girls.zip
Extraction failed: target file may already exist.

The "target file may already exist" message is misleading; the problem is that the VBN file doesn't exist in the directory where QExtract is expecting it. It won't help to specify the directory where you've placed the VBN file, because QExtract expects the file to be in the default location.

If it finds the specified VBN file in the default location, you will see a message such as shown below:

C:\>qextract /vbn:04040000.VBN /file:.\JBCPM31B.dll
Extraction successful.

If you want to know what the original file name is for the file encapsulated in the VBN file, you can open the VBN file with any editor, such as Notepad. You will see something like the following near the top of the file (note: the first line of the file is not the line containing the original location and file name for the encapsulated file):

260204092E20,5,1,2,CRYSTAL,SYSTEM,W32.Stration@mm,C:\WINDOWS\TEMP\DWH3A75.TMP,5,1,1,256,20548,"",0,,0,,310640640,53398,0,1,0,0,0,0,,0,2,4,0,,{31CA7CFF-C7E2-418A-B725-F1713FD852FC},,,,,,

In the above example, "Crystal" is the name of the system on which the virus was quarantined. Symantec AntiVirus identified the virus as "Stration@mm" and the original file that was quarantined was C:\WINDOWS\TEMP\DWH3A75.TMP.

You can place the VBN file in the quarantine directory, if it isn't already there. Note: If you can't locate the C:\Documents and Settings\All Users\Application Data directory, make sure you have turned on the display of hidden files and folders in Windows Explorer (see View Hidden and System Files). Once you have the VBN file in the appropriate directory, you can use the following command to extract the file from the VBN file into the current directory:

C:\Temp>qextract /vbn:12840000.VBN /file:.\DWH3A75.TMP
Extraction successful.

Note: you have to specify the full directory path to be used for the extraction. You can specify the current working directory with .\. If you enter just the filename after /file:, you will get an error message indicating the file already exists, even though it does not.

C:\temp>qextract /vbn:12840000.VBN /file:DWH3A75.TMP
Extraction failed: target file may already exist.
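
As an added example (not part of the original page and not Symantec code), the Python below locates the metadata record in a VBN file without opening it in an editor and builds the matching qextract command with the .\ prefix. The field positions are assumptions inferred from the single sample record shown above; the function names, the SAFE_NAME check and the SAMPLE_VBN bytes are constructed for illustration.

```python
import csv
import re

# Field positions inferred from the one sample record on this page (assumption:
# other product versions may order the fields differently).
COMPUTER, THREAT, ORIGINAL_PATH = 4, 6, 7
WINDOWS_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")  # the name comes from untrusted data

def find_quarantine_record(blob):
    """Return the fields this page identifies, or None if no record is found."""
    # The file is mostly binary and the record is not on the first line, so
    # split on NUL/CR/LF and test every chunk rather than a fixed line number.
    for chunk in re.split(rb"[\x00\r\n]+", blob):
        try:
            fields = next(csv.reader([chunk.decode("latin-1")]), [])
        except csv.Error:
            continue  # binary chunk the CSV parser rejects
        if len(fields) <= ORIGINAL_PATH:
            continue
        path = fields[ORIGINAL_PATH]
        if WINDOWS_PATH.match(path):
            return {"computer": fields[COMPUTER], "threat": fields[THREAT],
                    "original_path": path,
                    "original_name": path.rsplit("\\", 1)[-1]}
    return None

def qextract_command(vbn_name, record):
    """Build the command as shown on this page; /file: must include a directory."""
    name = record["original_name"]
    if not SAFE_NAME.match(name):
        raise ValueError("unexpected characters in original file name: %r" % name)
    return "qextract /vbn:%s /file:.\\%s" % (vbn_name, name)

# Constructed sample: binary filler around the record line quoted on this page.
SAMPLE_VBN = (
    b"\x90\x12\x00\x00first line, which is not the record\r\n"
    b"260204092E20,5,1,2,CRYSTAL,SYSTEM,W32.Stration@mm,"
    b'C:\\WINDOWS\\TEMP\\DWH3A75.TMP,5,1,1,256,20548,"",0,,0,,310640640,53398\r\n'
    + b"\x5a\xa5" * 8
)

if __name__ == "__main__":
    rec = find_quarantine_record(SAMPLE_VBN)
    print(rec)
    print(qextract_command("12840000.VBN", rec))
```

The SAFE_NAME check rejects names containing spaces or shell metacharacters, so a record with such a name raises ValueError instead of producing a command line.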

I sometimes want to move an infected file to another system for further analysis. I may not want to restore the file on the system on which it was quarantined, because I don't want to risk reinfecting that system or don't want Symantec AntiVirus to immediately quarantine it again if I try to move it to a USB thumb drive to transfer the file to another system. I can transfer the VBN file and then use the qextract.exe utility on another system, which doesn't have Symantec AntiVirus, to extract the contents of the VBN file for further analysis.
