From c4413f9d5834bdf0b8cb1c5ffd64e0d082239fd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vojt=C4=9Bch=20Jel=C3=ADnek?=
Date: Wed, 4 Feb 2026 09:02:40 +0100
Subject: [PATCH] Update eset_parser.py

Parse quarfiles from programdata
---
 maldump/parsers/eset_parser.py | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/maldump/parsers/eset_parser.py b/maldump/parsers/eset_parser.py
index 9384bb6..0649e75 100644
--- a/maldump/parsers/eset_parser.py
+++ b/maldump/parsers/eset_parser.py
@@ -131,9 +131,12 @@ def _decrypt(self, data: bytes) -> bytes:
 
 @log.log(lgr=logger)
 def _get_malfile(self, username: str, sha1: str) -> bytes:
- quarfile = self.quarpath.format(username=username)
- quarfile = Path(quarfile) / (sha1.upper() + ".NQF")
-
+ if username == "ProgramData":
+ quarfile = Path("ProgramData/ESET/ESET Security/Quarantine/") / (sha1.upper() + ".NQF")
+ else:
+ quarfile = self.quarpath.format(username=username)
+ quarfile = Path(quarfile) / (sha1.upper() + ".NQF")
+
 data = read.contents(quarfile, filetype="malware")
 if data is None:
 return b""
@@ -183,7 +186,8 @@ def parse_from_fs(
 actual_path = Path("Users/")
 
 for idx, entry in enumerate(
- actual_path.glob("*/AppData/Local/ESET/ESET Security/Quarantine/*.NQF")
+ list(actual_path.glob("*/AppData/Local/ESET/ESET Security/Quarantine/*.NQF"))
+ + list(Path("ProgramData/").glob("ESET/ESET Security/Quarantine/*.NQF"))
 ):
 logger.debug('Parsing entry, idx %s, path "%s"', idx, entry)
 res_path = re.match(self.regex_entry, entry.name)
@@ -195,7 +199,7 @@ def parse_from_fs(
 )
 continue
- user = res_user.group(1)
+ user = res_user.group(1) if res_user else "ProgramData"
 objhash = res_path.group(1)
 if (objhash.lower(), user) in data:
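Review bot: The `ProgramData` branch added to `_get_malfile` hard-codes `"ProgramData/ESET/ESET Security/Quarantine/"` as a second copy of the directory that the glob in `parse_from_fs` spells out separately (`Path("ProgramData/").glob("ESET/ESET Security/Quarantine/*.NQF")`); if either literal is adjusted, discovery and lookup silently disagree and `read.contents` returns `None` for every system-wide entry, which this function then reports as `b""`. Keeping the path in one place, for example a class attribute next to `self.quarpath` such as `sysquarpath = "ProgramData/ESET/ESET Security/Quarantine"` (name is a suggestion), and using it from both sites removes the duplication. The `"ProgramData"` value compared against `username` is a magic sentinel; a comment like `# "ProgramData" marks the system-wide quarantine, not a user profile` would make the contract visible to callers. The new `quarfile = Path(...) / (sha1.upper() + ".NQF")` line is also far longer than the surrounding lines; binding `name = sha1.upper() + ".NQF"` once before the `if` keeps both branches short. `_get_malfile` continues past the end of the hunk.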
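Review bot: The two `list(...)` calls inside the `enumerate` argument materialize every quarantine path from both trees before iteration starts, whereas the removed line streamed them lazily from a single generator; `itertools.chain(actual_path.glob("*/AppData/Local/ESET/ESET Security/Quarantine/*.NQF"), Path("ProgramData/").glob("ESET/ESET Security/Quarantine/*.NQF"))` keeps the lazy behaviour, provided `itertools` is imported at the top of the file (not visible in this hunk). The `ProgramData/` glob literal here also duplicates the directory hard-coded in `_get_malfile` in the first hunk, so the two should be derived from one definition. Entries from the second glob appear to be distinguished only further down, where the username regex fails to match and `user` falls back to `"ProgramData"`, which means any path under `Users/` that the regex happens not to match would be attributed to the system-wide quarantine as well; pairing each entry with its origin at this point (for example yielding `(entry, "ProgramData")` tuples from a small helper) is more explicit. `parse_from_fs` begins before and continues after this hunk.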