I have added full support for Windows Defender files.
Now it processes both metadata files and content files. So if you run it on the whole folder you should get a decryption working properly for all files.
Note, I am still not sure how to parse the metadata files; it’s pretty complex – try to generate a quarantine file that includes registry data and you will know what I mean when you see the decrypted quarantined metadata files (that was quite a mouthful :).
You can find the latest version of DeXRAY here.
The full list of supported or recognized file formats is listed below:
- AhnLab (V3B)
- ASquared (EQF)
- Avast (Magic@0=’-chest- ‘)
- Avira (QUA)
- Baidu (QV)
- BitDefender (BDQ)
- BullGuard (Q)
- CMC Antivirus (CMC)
- Comodo <GUID> (not really; Quarantined files are not encrypted 🙂
- ESafe (VIR)
- ESET (NQF)
- F-Prot (TMP) (Magic@0=’KSS’)
- Kaspersky (KLQ, System Watcher’s <md5>.bin)
- Lavasoft AdAware (BDQ) /BitDefender files really/
- Lumension LEMSS (lqf)
- MalwareBytes Data files (DATA) – 2 versions
- MalwareBytes Quarantine files (QUAR) – 2 versions
- McAfee Quarantine files (BUP) /full support for OLE format/
- Microsoft Antimalware / Microsoft Security Essentials
- Microsoft Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 metadata + 0B AD malicious content
- Panda <GUID> Zip files
- Sentinel One (MAL)
- Spybot – Search & Destroy 2 ‘recovery’
- SUPERAntiSpyware (SDB)
- Symantec ccSubSdk files: {GUID} files and submissions.idx
- Symantec Quarantine Data files (QBD)
- Symantec Quarantine files (VBN), including from SEP on Linux
- Symantec Quarantine Index files (QBI)
- Symantec Quarantine files on MAC (quarantine.qtn)
- TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
- QuickHeal <hash> files
- Vipre (<GUID>_ENC2)
- Zemana <hash> files+quarantine.db
- Any binary file (using X-RAY scanning)
