I was contacted about a problem DeXRAY had decrypting new Quarantine files produced by MBAM so I ended up updating the decryption routine to handle this case as well. When you decrypt files produced by MBAM you should now get two sets of decrypted files – each decrypted using a different method.
If you are lucky, you should be able to recover the files for analysis 🙂
You can download the latest version here.
The full list of supported or recognized file formats is listed below:
- AhnLab (V3B)
- ASquared (EQF)
- Avast (Magic@0=’-chest- ‘)
- Avira (QUA)
- Baidu (QV)
- BitDefender (BDQ)
- BullGuard (Q)
- CMC Antivirus (CMC)
- Comodo <GUID> (not really; Quarantined files are not encrypted 🙂
- ESafe (VIR)
- ESET (NQF)
- F-Prot (TMP) (Magic@0=’KSS’)
- Kaspersky (KLQ)
- Lavasoft AdAware (BDQ) /BitDefender files really/
- Lumension LEMSS (lqf)
- MalwareBytes Data files (DATA) – 2 versions
- MalwareBytes Quarantine files (QUAR) – 2 versions
- McAfee Quarantine files (BUP) /full support for OLE format/
- Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
- Panda <GUID> Zip files
- Spybot – Search & Destroy 2 ‘recovery’
- SUPERAntiSpyware (SDB)
- Symantec ccSubSdk files: {GUID} files and submissions.idx
- Symantec Quarantine Data files (QBD)
- Symantec Quarantine files (VBN)
- Symantec Quarantine Index files (QBI)
- Symantec Quarantine files on MAC (quarantine.qtn)
- TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
- QuickHeal <hash> files
- Vipre (<GUID>_ENC2)
- Zemana <hash> files+quarantine.db
- Any binary file (using X-RAY scanning)
