I got some time yesterday to look at Avast quarantined files and ended up adding support for them to DeXRAY.
The Avast Qurantined files are easy to recognize as they have the ‘-chest- ‘ signature at the top of each file:
The full list of supported or recognized file formats is listed below:
- ASquared (EQF)
- Avast (Magic@0=’-chest- ‘)
- ESET (NQF)
- Kaspersky (KLQ) – based on the code by Optiv
- MalwareBytes Data files (DATA)
- MalwareBytes Quarantine files (QUAR)
- McAfee Quarantine files (BUP) – not perfect, but it should still help
- Microsoft Forefront (Magic@0=0B AD) – not handled yet; only recognized
- SUPERAntiSpyware (SDB)
- Symantec Quarantine Data files (QBD)
- Symantec Quarantine files (VBN) – not perfect, but it should still help
- Symantec Quarantine Index files (QBI)
- TrendMicro (Magic@0=A9 AC BD A7 which is ‘VSBX’ string ^ 0xFF) – based on the code by Optiv
- Any binary file (using X-RAY scanning)
The script can be downloaded here.