Dexray v2.32

I was recently contacted by Oskar who had a problem decrypting Defender for Mac Quarantine files. After quick investigations we discovered that the encrypted file doesn’t really conform to any specific file format (no magic bytes, etc.), which resulted in me updating DeXRAY’s code to handle these files ‘naively’, i.e. ‘decrypt everything if a file name looks like a Mac Defender Quarantine file name’… and… it seems to work.

Thanks Oskar!

Download the latest version here.

Beyond good ol’ Run key, Part 138

This is a post that should have appeared here at least 10 years ago.

There is an enigmatic Registry entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension\PeerdistDllName=peerdist.dll

that I came across many times before. The problem is that I, frankly, don’t know when it is being used, but it’s yet another location to keep an eye on, in case the default DLL file name has been replaced.

The wininet.dll library uses this location internally, in its P2P_PEER_DIST_API::LoadPeerDist function.

Yes, I am not making it any clearer…
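For anyone who wants to keep an eye on this value, here is an added PowerShell audit (example code written for this page, not part of the original post or of any Microsoft tooling). It reads PeerdistDllName, resolves a bare file name against System32 (an assumption of this example; the post does not state how the loader searches), and flags a non-default value, a missing DLL, or a DLL that is not validly signed by Microsoft.

```powershell
# Added example: audit the PeerDist extension DLL value described in the post.
# Assumptions: a bare file name resolves from %SystemRoot%\System32 (not stated
# on the page), and the stock DLL is catalog/Authenticode signed by Microsoft.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension'
$name     = 'PeerdistDllName'
$expected = 'peerdist.dll'   # default value quoted in the post

$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if (-not $props -or -not $props.PSObject.Properties[$name]) {
    Write-Output "INFO: $key\$name is not present on this host"
    return
}
$value = [string]$props.$name

# Work out which file would actually be loaded for this value.
if ([System.IO.Path]::IsPathRooted($value)) {
    $resolved = $value                                   # absolute path, used as-is
} else {
    $resolved = Join-Path $env:SystemRoot "System32\$value"   # assumed search location
}

$findings = @()
if ($value -ne $expected) {
    $findings += "value '$value' differs from the default '$expected'"
}
if (-not (Test-Path -LiteralPath $resolved)) {
    $findings += "referenced DLL '$resolved' does not exist"
} else {
    # Get-AuthenticodeSignature also honours catalog signatures, which is how
    # most in-box system DLLs are signed.
    $sig = Get-AuthenticodeSignature -FilePath $resolved
    if ($sig.Status -ne 'Valid') {
        $findings += "DLL '$resolved' signature status is '$($sig.Status)'"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "DLL '$resolved' is signed by a non-Microsoft subject: $($sig.SignerCertificate.Subject)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $name = '$value' -> $resolved"
} else {
    $findings | ForEach-Object { Write-Output "SUSPICIOUS: $_" }
}
```

Run it from an elevated prompt on the host being reviewed; any SUSPICIOUS line is worth a closer look at the referenced file and the registry value's last-write time.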