Category Archives: DeXRAY

DeXRAY 2.16 update

Posted on by

I was recently contacted by Dodge This Security who noticed that DeXRAY is struggling with some of his SEP Quarantine files. I was able to fix a code path that was misbehaving and in the end updated the tool to v2.16.
While it is a minor tweak, it’s always good to have the most up to date version at hand.

You can find the latest version of DeXRAY here.

If you come across files that DeXRAY cannot decrypt please let me know.

DeXRAY 2.15 update

Posted on by

I have added full support for Windows Defender files.

Now it processes both metadata files and content files. So if you run it on the whole folder you should get a decryption working properly for all files.

Note, I am still not sure how to parse the metadata files; it’s pretty complex – try to generate a quarantine file that includes registry data and you will know what I mean when you see the decrypted quarantined metadata files (that was quite a mouthful :).

You can find the latest version of DeXRAY here.

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; Quarantined files are not encrypted 🙂
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ, System Watcher’s <md5>.bin)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA) – 2 versions
  • MalwareBytes Quarantine files (QUAR) – 2 versions
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Antimalware / Microsoft Security Essentials
  • Microsoft Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 metadata + 0B AD malicious content
  • Panda <GUID> Zip files
  • Sentinel One (MAL)
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN), including from SEP on Linux
  • Symantec Quarantine Index files (QBI)
  • Symantec Quarantine files on MAC (quarantine.qtn)
  • TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Zemana <hash> files+quarantine.db
  • Any binary file (using X-RAY scanning)