McAfee Virusscan 8.7 patch3 quarantined an exchange log file last night. Our exchange guys could not restore the file as it was on a LUN so they recreated the log files.
Now I need to restore the quarantined file to an other location the the original so they can check the content of the log file.
How can I do this?
the problem is that mcafee doesn't not provide an extraction tool. unfortunately it is also not possible to extract it to an another location. the only possible solution so far is to copy the .bup file (the compressed and encoded original file) to another computer's quaratine location and extract it there.
Does anyone else feel it's sorta ridiculous that mcafee doesn't have a BUP extraction standalone tool?
Having one would immensely simplify the reporting of false positives.
I like that trick of sticking it in the quarantine location on another computer though. I had no idea that'd work.on 5/13/11 11:14:00 AM CDT
After some research, I am able to recover quarantined files with this procedure. Perhaps someone could write a program or script to automate this:
Howto Recover McAfee .BUP Quarantine Files:
Use 7Zip to Extract 2 files from the .BUP file called Details and File_0 (7Zip can be found here: http://www.7-zip.org/)
XOR both files by the key “0x6A” (Stupid protection) with the program called XOR.exe:
> xor.exe File_0 file_0.xor 0X6A
> xor.exe Details Details.txt 0X6A
Rename File_0.xor to Original name found in Details.txt
Be carefull with the virus!
I completly agree a standalone tool to recover BUP files would be a great idea!
so far McAfee Knowledge database provide a way to recover using 7zip and xor,
I decided to provide a standalone tool (with source code so you can modify it for your own need)
The tool aims to browse a folder with ~100 BUP files (if you put more files processing time could be pretty long)
this tool will help you to list original files names and recover them after you selected wich one you really want.
It also give you the name of virus McAfee found.
Be sure to disable your antivirus while recover process, else file would be quarantined again.
project is available under github, under GPL v3 licence
binary version for windows 7 (windows XP need people to give a try)
unzip to folder, then run "Main_BUPextractor.exe"
I hope this tool can be helpfull, I am not responsible for any data loss, please before using it, do a backup of your BUP files.
xplorr, thanks for posting that. I had stumbled upon the xor with 6a thing in some random security talk somewhere, but hadn't procedurized it.
A simple alias would automate it if you have 7zip.
7zip.exe e File.BUP
is the commandline for the unpacking function.
If you don't want to have to trust an xor binary, and you're the sort of person that's got python installed and handy (be it on a Linux box or under Cygwin in Windows), and you'd rather trust some Didier Stevens python code, this python script works nicely
with acommand line of
~/bin/translate.py File_0 eicar_decoded.txt 'byte ^ 0x6A'
In comment #5 of that thread, there's an "UNbup" standalone script that looks simple enough, but I haven't been able to get it to work as is, likely due to my newness to python and indentation appearing to be rather important to it.
The other thing that's great about having this capability is that one of the files that comes out the the BUP unpacking from 7-zip is the Details file. The details file gives you original file timestamps of the malware. This can be an important clue to inferring time of infection potentially if your malware was detected in an on demand scan versus an on access scan. I've been wanting to know how to get at that file timestamp information for freaking EVER and am thrilled to be able to get to it now. Both File_0 and Details are xor'd with 6A. why they make even the Details so hard to get at beats the daylights out of me.
I guess it has to do with the fact that McAfee and other virus scanners can scan zipped/compressed archives. I guess they xor with 0X6A to avoid the scanners removing the files again in the quarantine folder.