DeXRAY now supports over twenty Quarantine filetypes. I set a goal to look at one AV per day, unless I am busy with other stuff. So far, the results are kinda predictable: the most difficult to access with a debugger / crack / analyze are Chinese, Russian, and… Microsoft. The rest of the files took between 2 minutes and 2 hours of work max. It’s a great reversing experience as it’s heavily time-sensitive research (I want to crack it in one session), and at the same time I am learning about many pointers which I can use for further research and study. The guys @ProjectZero are unfortunately right. The moment you start looking at AV internals you discover lots of juicy stuff. Ouch. I strongly believe the AV is _needed_ in the current ‘open ecosystem’ setup existing in most companies, but it’s time AV vendors really reviewed their code.
Anyway…
I have added support for Baidu .qv, CMC Antivirus .cmc, and F-Prot .tmp Quarantine files. I confirmed that Lavasoft AdAware uses BitDefender’s Quarantine files (.bdq), and confirmed that Comodo stores its Quarantine files without encryption 🙂
The full list of supported or recognized file formats:
- AhnLab (V3B)
- ASquared (EQF)
- Avast (Magic@0=’-chest- ‘)
- Avira (QUA)
- Baidu (QV)
- BitDefender (BDQ)
- CMC Antivirus (CMC)
- Comodo <GUID> (not really; Quarantined files are not encrypted 🙂)
- ESET (NQF)
- F-Prot (TMP) (Magic@0=’KSS’)
- Kaspersky (KLQ)
- Lavasoft AdAware (BDQ) /BitDefender files really/
- MalwareBytes Data files (DATA)
- MalwareBytes Quarantine files (QUAR)
- McAfee Quarantine files (BUP)
- Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – not handled yet; only recognized
- Panda <GUID> Zip files
- SUPERAntiSpyware (SDB)
- Symantec Quarantine Data files (QBD)
- Symantec Quarantine files (VBN)
- Symantec Quarantine Index files (QBI)
- TrendMicro (Magic@0=A9 AC BD A7, which is the ‘VSBX’ string XORed with 0xFF)
- QuickHeal <hash> files
- Vipre (<GUID>_ENC2)
- Any binary file (using X-RAY scanning)
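As an added illustration (this is not code from DeXRAY, which is a Perl script, nor from any of the vendors above), here is a small Python identifier that applies the magic values and extensions from the list above: magic bytes at offset 0 are checked first, then the filename. The GUID regex, the Zip magic check used to spot Panda’s archives, and treating a GUID-named non-Zip file as a Comodo item are assumptions of this example, not facts stated in the post; the sample byte strings are constructed.

```python
import os
import re


def xor_bytes(data, key=0xFF):
    """XOR every byte with a one-byte key; unmasks the TrendMicro header."""
    return bytes(b ^ key for b in data)


# TrendMicro writes 'VSBX' XORed with 0xFF, which yields A9 AC BD A7.
TRENDMICRO_MAGIC = xor_bytes(b"VSBX")

# Magic values at offset 0, as listed in the post. Order does not matter here
# because no signature is a prefix of another.
MAGIC_SIGNATURES = [
    (b"-chest- ", "Avast"),
    (b"KSS", "F-Prot"),
    (b"\x0b\xad", "Microsoft Forefront/Defender (recognized only, not handled)"),
    (b"\xd3\x45", "Microsoft Forefront/Defender (recognized only, not handled)"),
    (TRENDMICRO_MAGIC, "TrendMicro"),
]

# Formats the post lists by extension only (.tmp is left out on purpose:
# it is too generic, so F-Prot is caught by its 'KSS' magic instead).
EXTENSION_HINTS = {
    ".v3b": "AhnLab",
    ".eqf": "ASquared",
    ".qua": "Avira",
    ".qv": "Baidu",
    ".bdq": "BitDefender (also used by Lavasoft AdAware)",
    ".cmc": "CMC Antivirus",
    ".nqf": "ESET",
    ".klq": "Kaspersky",
    ".data": "MalwareBytes data file",
    ".quar": "MalwareBytes quarantine file",
    ".bup": "McAfee",
    ".sdb": "SUPERAntiSpyware",
    ".qbd": "Symantec quarantine data file",
    ".vbn": "Symantec quarantine file",
    ".qbi": "Symantec quarantine index file",
}

# Assumption of this example: GUID-shaped names, with or without braces.
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
ZIP_MAGIC = b"PK\x03\x04"  # standard local-file header of a Zip archive


def identify(filename, data):
    """Guess the quarantine format of `data` saved under `filename`.

    Magic bytes win over the filename; the filename is used only for
    formats the post identifies by extension or naming pattern.
    """
    for magic, product in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return product

    base = os.path.basename(filename)
    lower = base.lower()

    # Vipre names its files <GUID>_ENC2.
    if lower.endswith("_enc2"):
        return "Vipre"

    ext = os.path.splitext(lower)[1]
    if ext in EXTENSION_HINTS:
        return EXTENSION_HINTS[ext]

    # Panda stores GUID-named Zip files; Comodo stores GUID-named files as-is
    # (the Comodo branch is a heuristic assumed by this example).
    if GUID_RE.match(base):
        if data.startswith(ZIP_MAGIC):
            return "Panda (GUID-named Zip archive)"
        return "Comodo (GUID-named, file stored unencrypted)"

    return "unknown (fall back to X-RAY scanning)"


if __name__ == "__main__":
    # Constructed sample inputs, not real quarantine files.
    samples = [
        ("chest.bin", b"-chest- " + b"\x00" * 16),
        ("blob", xor_bytes(b"VSBX") + b"\xff" * 8),
        ("sample.KLQ", b"\x00" * 8),
        ("{0A1B2C3D-0000-1111-2222-333344445555}_ENC2", b"x"),
    ]
    for name, blob in samples:
        print(f"{name}: {identify(name, blob)}")
```

Only the magic-based entries are positive identifications; an extension match is a hint, since nothing stops another tool from writing a `.tmp` or `.data` file. The unknown case is where DeXRAY’s X-RAY scan (looking for XOR-masked executables in any binary) takes over.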
The script can be downloaded here.