If there is one proof that online collaboration works it is DeXRAY. Since the tool was first released it received quite a bit of attention from the DFIR community. Every once in a while I get not only a positive feedback from the users, but also very important contributing ideas and code offered by security researchers and professionals.

This release is not different.

A few days ago I was pinged by Luis Rocha (@countuponsec) who generously offered his insight and results of his and Antonio Monaca’s research on Kaspersky’s System Watcher feature (available in KES10) that quarantines files in the following location:

• C:\ProgramData\Kaspersky Lab\KES10\SysWHist\file_cache\<md5>.bin

Luis discovered that the files are encrypted with a static XOR key 397b4d58c9397b4d58c9.

Based on his research I have quickly implemented a routine in Dexray to decrypt these files.

Thanks Luis and Antonio!

You can download the latest version here.

The full list of supported or recognized file formats is listed below:

• AhnLab (V3B)
• ASquared (EQF)
• Avast (Magic@0=’-chest- ‘)
• Avira (QUA)
• Baidu (QV)
• BitDefender (BDQ)
• BullGuard (Q)
• CMC Antivirus (CMC)
• Comodo <GUID> (not really; Quarantined files are not encrypted 🙂
• ESafe (VIR)
• ESET (NQF)
• F-Prot (TMP) (Magic@0=’KSS’)
• Kaspersky (KLQ, System Watcher’s <md5>.bin)
• Lavasoft AdAware (BDQ) /BitDefender files really/
• Lumension LEMSS (lqf)
• MalwareBytes Data files (DATA) – 2 versions
• MalwareBytes Quarantine files (QUAR) – 2 versions
• McAfee Quarantine files (BUP) /full support for OLE format/
• Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
• Panda <GUID> Zip files
• Spybot – Search & Destroy 2 ‘recovery’
• SUPERAntiSpyware (SDB)
• Symantec ccSubSdk files: {GUID} files and submissions.idx
• Symantec Quarantine Data files (QBD)
• Symantec Quarantine files (VBN)
• Symantec Quarantine Index files (QBI)
• Symantec Quarantine files on MAC (quarantine.qtn)
• TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
• QuickHeal <hash> files
• Vipre (<GUID>_ENC2)
• Zemana <hash> files+quarantine.db
• Any binary file (using X-RAY scanning)