How to collect quarantined files using Quarantine Dumper Tool - WithSecure Community
<main>
<article class="userContent">
<h3 data-version="8" data-article="000002484" data-id="issue">Issue:</h3>
<p>How to collect the quarantined files on an affected Windows machine using F-Secure/WithSecure Quarantine Dumper, and then submit the files for analysis. </p>
<h3 data-id="resolution">Resolution:</h3>
<p>Collect the quarantined files with F-Secure/WithSecure Quarantine Dumper by following these steps:</p><ol><li>Download <a rel="nofollow" href="https://download.f-secure.com/support/tools/fsdumpqrt/fsdumpqrt.exe">F-Secure Quarantine Dumper</a> to a location of your choice, for example, c:\temp.</li><li>Launch Command Prompt (CMD).</li><li>Change to the directory you selected in step 1. For example, type cd c:\temp\ and press <b>Enter</b> on your keyboard to go to the c:\temp\ folder.</li><li>Type fsdumpqrt.exe -d c:\temp\ to run the tool.</li><li>Enter your administrator credentials when prompted. The F-Secure license terms are then shown.</li><li>Scroll all the way to the end of the license terms; you can accept them only after reaching the end.</li><li>Press <b>E</b> on your keyboard to accept the license terms.</li><li>Press any key to complete the run. The quarantined files are collected in a file named <b>malware_samples.zip</b>, protected with the default password (infected), in the location you specified in step 1 (the directory passed with -d in step 4).</li></ol>
<p>The tool accepts the following parameters:</p>
<ul><li>-d, --destination: Destination directory for output (default: current admin desktop)</li><li>-p, --password: Password for output (default: "infected")</li><li>-v, --verbose: Verbose output</li><li>-a, --accept-eula: Accept EULA</li><li>-s, --silent: Silent mode</li><li>-l, --list: Only list contents, nothing is written to disk</li></ul><p><b>Tip:</b> Running fsdumpqrt.exe in Command Prompt without any command-line parameters prints a short tool description and the parameters the tool accepts.</p>
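<p>The procedure above as a PowerShell script, with a list-only preview before collection and a hash record of the resulting archive for the sample submission. This is an added example, not WithSecure's own script: it uses only the -l and -d parameters listed above, and it assumes an elevated PowerShell session, an Authenticode-signed fsdumpqrt.exe, a tool that runs to completion in the calling console, and a hypothetical record file name.</p>

```powershell
#Requires -RunAsAdministrator
# Added example, not WithSecure's script. Uses only the -l and -d flags listed on this page.
$ErrorActionPreference = 'Stop'

$Tool    = 'C:\temp\fsdumpqrt.exe'                          # download location from step 1
$OutDir  = 'C:\temp\'                                       # destination from step 4
$Archive = Join-Path $OutDir 'malware_samples.zip'          # output name from step 8
$Record  = Join-Path $OutDir 'malware_samples.record.json'  # hypothetical file name

if (-not (Test-Path -LiteralPath $Tool)) { throw "Tool not found: $Tool" }

# Assumption: the vendor Authenticode-signs the binary. Stop if the signature
# is missing or invalid, since the tool runs with administrator rights.
$sig = Get-AuthenticodeSignature -FilePath $Tool
if ($sig.Status -ne 'Valid') { throw "Signature status: $($sig.Status)" }
Write-Host "Signer: $($sig.SignerCertificate.Subject)"

# Preview: -l only lists the quarantine contents and writes nothing to disk.
& $Tool -l

$answer = Read-Host 'Collect these files into malware_samples.zip? (y/n)'
if ($answer -ne 'y') { return }

# Collect. The tool still shows the license terms and waits for key presses
# (steps 6 to 8); the script continues once the tool exits.
$started = Get-Date
& $Tool -d $OutDir

# Confirm that this run produced the archive, not an earlier one.
$zip = Get-Item -LiteralPath $Archive
if ($zip.LastWriteTime -lt $started) { throw "Archive predates this run: $Archive" }

# Record size and SHA-256 so the submitted sample can be matched to this host.
[ordered]@{
    Host      = $env:COMPUTERNAME
    Collected = $zip.LastWriteTime.ToString('o')
    Archive   = $zip.FullName
    Bytes     = $zip.Length
    SHA256    = (Get-FileHash -LiteralPath $Archive -Algorithm SHA256).Hash
    ToolHash  = (Get-FileHash -LiteralPath $Tool -Algorithm SHA256).Hash
} | ConvertTo-Json | Set-Content -LiteralPath $Record -Encoding UTF8

Get-Content -LiteralPath $Record
```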
<p>Article no: 000002484</p>
</article>
</main>