mjmurra (Level 12), Message 1 of 5

Tool for handling quarantine files?


Sometimes I want to handle the BUP quarantine files (e.g. to submit to McAfee or a virus service).

I think they're XOR'd (or something similar and simple) along with some header data.

Has anyone developed a tool to extract these files from the BUP? The only other method is "restoring" it from quarantine, hardly the best method, as other fragments (such as autorun registry keys) are restored at the same time.

Accepted Solution
rmetzger (Reliable Contributor), Message 3 of 5

Re: Tool for handling quarantine files?


Hi mjmurra,

mjmurra wrote:

Sometimes I want to handle the BUP quarantine files (e.g. to submit to McAfee or a virus service).

I think they're XOR'd (or something similar and simple) along with some header data.

Has anyone developed a tool to extract these files from the BUP? The only other method is "restoring" it from quarantine, hardly the best method, as other fragments (such as autorun registry keys) are restored at the same time.

This was addressed in earlier posts:

xplorr: https://community.mcafee.com/message/202895#202895

sgrimmel: https://community.mcafee.com/message/203239#203239

KB72755: https://mysupport.mcafee.com/Eservice/templatepage.aspx?sURL=3&pl=0

KB72755:

Corporate KnowledgeBase

How to restore a quarantined file not listed in the VSE Quarantine Manager

Corporate KnowledgeBase ID: KB72755

Last Modified: September 12, 2011

Environment

McAfee VirusScan Enterprise 8.x
McAfee VirusScan Enterprise Quarantine Manager component

Summary

There may be circumstances where a quarantined file is deleted by VirusScan Enterprise (VSE) before you realize the file needs to be preserved. This could be for submission to McAfee Labs for instance.  While you may be able to restore the .BUP file to C:\Quarantine\, the Quarantine Manager will no longer show the quarantined file. Therefore, it cannot be restored using the Quarantine Manager.  This article explains how to manually extract information from .BUP files not listed in Quarantine Manager.

Solution

To extract files from Quarantine (.BUP) files:

1. Using Windows Explorer, create a temporary folder. In this example: C:\SAVE-BUP
2. Download the 7-Zip file compression utility from http://www.7-zip.org/.
3. Install the 7-Zip utility and extract the following two files from the .BUP file to C:\SAVE-BUP:
   - Details
   - File_0

To decrypt files contained in .BUP files:

1. Download the XOR utility from http://www.softpedia.com/get/Programming/Other-Programming-Files/Xor.shtml.
2. Extract xor.zip to C:\SAVE-BUP.
3. Click Start, Run, type cmd, and press ENTER.
4. Type cd \SAVE-BUP and press ENTER.
5. Type xor.exe File_0 File_0.xor 0x6A and press ENTER.
6. Type xor.exe Details Details.txt 0x6A and press ENTER.
   NOTE: 0x6A is the encryption key used.
7. Rename File_0.xor to the original name found in the Details file.

Related Information: For more information on the 7-Zip file compression utility, see KB72766.

Hopefully this gives you enough info to extract the files for submission to McAfee.

Post back if you need more.

Have fun.

Thanks,
Ron Metzger
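The KB72755 procedure above (7-Zip to open the container, then XOR both streams with 0x6A, then rename File_0 from the Details file), as an added Python example. This is the editor's code, not KB72755's, McAfee's or FileInsight's. It assumes that the .BUP is an OLE compound file (the container 7-Zip opens in the extraction step), that the two streams are named Details and File_0, that the key is 0x6A, and that the decoded Details stream is INI-style text with an OriginalName key under a [File_0] section; that last field layout is not stated on this page and is an assumption. The sample streams are constructed here, and the olefile package used by extract_bup is a third-party dependency that the pure decoding functions do not need.

```python
"""
Decode the two streams of a McAfee VSE quarantine (.BUP) file.

KB72755 describes the container as something 7-Zip can open (taken here to be
an OLE compound file) holding two streams, "Details" and "File_0", each XOR'd
with the single byte 0x6A. This module reproduces those steps in Python.
"""
import configparser
import os
import re

BUP_XOR_KEY = 0x6A  # the key quoted in KB72755


def xor_decode(data: bytes, key: int = BUP_XOR_KEY) -> bytes:
    """XOR every byte with a one-byte key. XOR is its own inverse, so the same
    call re-encodes plaintext back into BUP form (used below to build samples)."""
    return bytes(b ^ key for b in data)


def parse_details(details_text: str) -> dict:
    """Parse the decoded Details stream.

    Assumption (not stated in KB72755): the stream is INI-style text with a
    [Details] section and one [File_N] section per quarantined object, holding
    an OriginalName key. Only '=' is treated as a delimiter so that Windows
    paths containing ':' survive intact."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key names case-sensitive
    cp.read_string(details_text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def safe_output_name(details: dict, section: str = "File_0") -> str:
    """Turn File_0's OriginalName into a file name that is safe to write.

    KB72755 says to rename File_0.xor to the original name; here the directory
    part is dropped (so a path in the Details file cannot steer the write),
    odd characters are replaced, and a ".malware" suffix is appended (editorial
    choice) so the decoded sample never carries a live, double-clickable extension."""
    original = details.get(section, {}).get("OriginalName", section)
    base = original.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip(".") or section
    return base + ".malware"


def decode_streams(details_raw: bytes, file0_raw: bytes):
    """Decode both raw streams. Returns (details dict, safe output name, payload)."""
    details_text = xor_decode(details_raw).decode("latin-1")
    # Sanity check: a correctly decoded Details stream starts with an INI section
    # header. Anything else means the wrong key, or not a VSE .BUP at all.
    if not details_text.lstrip().startswith("["):
        raise ValueError("Details stream did not decode to INI text (wrong key or not a BUP)")
    details = parse_details(details_text)
    return details, safe_output_name(details), xor_decode(file0_raw)


def extract_bup(bup_path: str, out_dir: str) -> str:
    """Open a real .BUP with the third-party 'olefile' package (pip install olefile),
    decode both streams, and write Details.txt plus the defanged payload.
    Returns the path of the written payload."""
    import olefile  # imported here so the pure decoding functions above work without it
    ole = olefile.OleFileIO(bup_path)
    try:
        details_raw = ole.openstream("Details").read()
        file0_raw = ole.openstream("File_0").read()
    finally:
        ole.close()
    details, name, payload = decode_streams(details_raw, file0_raw)
    os.makedirs(out_dir, exist_ok=True)
    with open(os.path.join(out_dir, "Details.txt"), "wb") as fh:
        fh.write(xor_decode(details_raw))
    out_path = os.path.join(out_dir, name)
    with open(out_path, "wb") as fh:
        fh.write(payload)
    return out_path


# Constructed sample streams (not taken from a real quarantine file): plaintext
# built here and XOR-encoded with 0x6A, exactly as it would sit inside a .BUP.
SAMPLE_DETAILS_TEXT = (
    "[Details]\r\n"
    "DetectionName=Generic.dx\r\n"
    "DetectionType=0\r\n"
    "[File_0]\r\n"
    "ObjectType=5\r\n"
    "OriginalName=C:\\USERS\\ALICE\\DOWNLOADS\\INVOICE.EXE\r\n"
)
SAMPLE_DETAILS_RAW = xor_decode(SAMPLE_DETAILS_TEXT.encode("latin-1"))
SAMPLE_FILE0_RAW = xor_decode(b"MZ\x90\x00 constructed stand-in payload, not a real executable")

if __name__ == "__main__":
    details, name, payload = decode_streams(SAMPLE_DETAILS_RAW, SAMPLE_FILE0_RAW)
    print(details["Details"]["DetectionName"], "->", name, len(payload), "bytes")
```

On a real quarantine file, call extract_bup(r"C:\Quarantine\<file>.bup", r"C:\SAVE-BUP"). The payload is written with a .malware suffix rather than the original extension so that it is not launched by accident before submission; the check in decode_streams turns a wrong key or a non-BUP input into an error instead of silently writing garbage.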
4 Replies

Re: Tool for handling quarantine files?


McAfee has a tool named FileInsight; using this tool you are able to get the original file (unzip, then XOR).

mjmurra (Level 12), Message 4 of 5

Re: Tool for handling quarantine files?


Thanks for the info


Re: Tool for handling quarantine files?


Hi there...

I have written a nice extraction tool for your use; it's GUI-based C# (you'll need the .NET 4 framework).

Just choose the BUP file and a destination folder, and the tool will extract the two files, check the Details file for the right name and extension, and XOR the malware to the new folder.

You can download the tool HERE.

Just unzip and run setup.exe.

Enjoy.

Check out my BLOG for updates on security stuff and more tools (some of the stuff is in Hebrew, so use Google Translate).

Some screenshots:

[screenshot: 2.png]

Message was edited by: coopert on 4/14/12 7:50:44 AM CDT
