Ok, thanks for the information, as the file is on a LUN that will not be possible.

After some research, I am able to recover quarantined files with this procedure. Perhaps someone could write a program or script to automate this:

Howto Recover McAfee .BUP Quarantine Files:

Use 7Zip to Extract 2 files from the .BUP file called Details and File_0 (7Zip can be found here: http://www.7-zip.org/)

XOR both files by the key “0x6A” (Stupid protection) with the program called XOR.exe:

(http://www.softpedia.com/get/Programming/Other-Programming-Files/Xor.shtml)

> xor.exe File_0 file_0.xor 0X6A

> xor.exe Details Details.txt 0X6A

Rename File_0.xor to Original name found in Details.txt

Be carefull with the virus!

Hi Regis,

   I completly agree a standalone tool to recover BUP files would be a great idea!

so far McAfee Knowledge database provide a way to recover using 7zip and xor,

I decided to provide a standalone tool (with source code so you can modify it for your own need)

The tool aims to browse a folder with ~100 BUP files (if you put more files processing time could be pretty long)

this tool will help you to list original files names and recover them after you selected wich one you really want.

It also give you the name of virus McAfee found.

Be sure to disable your antivirus while recover process, else file would be quarantined again.

project is available under github, under GPL v3 licence

https://github.com/qiaozhou/BUP_Extractor

binary version for windows 7 (windows XP need people to give a try)

http://sourceforge.net/projects/bupextractor/files/BUPextractor_20120530.zip/download

unzip to folder, then run "Main_BUPextractor.exe"

I hope this tool can be helpfull, I am not responsible for any data loss, please before using it, do a backup of your BUP files.

Best regards,

                       Joe

The other thing that's great about having this capability is that one of the files that comes out the the BUP unpacking from 7-zip is the Details file.  The details file gives you original file timestamps of the malware.  This can be an important clue to inferring time of infection potentially if your malware was detected in an on demand scan versus an on access scan.   I've been wanting to know how to get at that file timestamp information for freaking EVER and am thrilled to be able to get to it now.  Both File_0 and Details   are xor'd with 6A.  why they make even the Details so hard to get at beats the daylights out of me.  

I guess it has to do with the fact that McAfee and other virus scanners can scan zipped/compressed archives. I guess they xor with 0X6A to avoid the scanners removing the files again in the quarantine folder.

Hi

There is now a Knowledgebase article related to this issue. KB72755 will be published by close of business US time today.

HTH