June 6th 19, 01:19 AM posted to alt.comp.hardware.pc-homebuilt,alt.comp.anti-virus,alt.computer.security
Apd
Kaspersky Rescue Disk Report - can't see full paths

"Paul" wrote:
> When you look at the klr.enc1 files, what's the first
> thing you notice? There's a couple of groups of 0xCF hex
> bytes. "Real" encryption would have high entropy.
> This smells funny...
>
> CF CF CF CF CF CF CF CF CF CF CF CF


It smells like spaces!

XOR the base64 with 0xEF and you have plain text with a single
linefeed terminating each line. It's an XML report. Here's a line from
your second example, krdeicar.txt (wrapped for ease of reading):

<Event1 Action="Detect" Time="132042218823887019"
"
Info="EICAR-Test-File" />
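
Added example, not part of the original post: a Python sketch of the decoding described above (base64-decode, then XOR each byte with 0xEF), with a check that recovers the key from the 0xCF observation by assuming the most frequent plaintext byte is a space. The sample report is constructed; the `Report` element, the `Object` attribute, its path and the 12-space indent are assumptions, not taken from a real klr.enc1 file.

```python
import base64
import re
from collections import Counter

XOR_KEY = 0xEF  # key given in the post


def unwrap(b64_text: str) -> bytes:
    """Strip the base64 layer; the result is still XOR-obfuscated."""
    return base64.b64decode(b64_text)


def guess_key(blob: bytes) -> int:
    """Recover a single-byte XOR key, assuming the most common plaintext byte is a space."""
    return Counter(blob).most_common(1)[0][0] ^ 0x20


def decode_report(b64_text: str, key: int = XOR_KEY) -> str:
    """Undo both layers: base64-decode, then XOR every byte with the key."""
    return bytes(b ^ key for b in unwrap(b64_text)).decode("utf-8", errors="replace")


def parse_events(xml_text: str) -> list[dict]:
    """Collect the attribute/value pairs of every <EventN ... /> line."""
    return [dict(re.findall(r'(\w+)="([^"]*)"', line))
            for line in xml_text.splitlines()
            if line.lstrip().startswith("<Event")]


def make_sample() -> str:
    """Constructed input: a made-up report obfuscated as the post describes.
    The Object attribute, its path and the 12-space indent are assumptions."""
    plain = ('<Report>\n'
             + ' ' * 12 + '<Event1 Action="Detect" Time="132042218823887019" '
             'Object="/constructed/path/eicar.com" Info="EICAR-Test-File" />\n'
             '</Report>\n')
    return base64.b64encode(bytes(b ^ XOR_KEY for b in plain.encode())).decode()


if __name__ == "__main__":
    sample = make_sample()
    blob = unwrap(sample)
    print("0xCF run present:", b"\xcf" * 12 in blob)
    print(f"guessed key: {guess_key(blob):#04x}")
    for event in parse_events(decode_report(sample)):
        print(event)
```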