restore quarantined files to alternative location

Hello,

McAfee VirusScan 8.7 Patch 3 quarantined an Exchange log file last night. Our Exchange guys could not restore the file as it was on a LUN, so they recreated the log files.

Now I need to restore the quarantined file to another location than the original so they can check the content of the log file.

How can I do this?

Mario

11 Replies

Re: restore quarantined files to alternative location

The problem is that McAfee does not provide an extraction tool. Unfortunately it is also not possible to extract it to another location. The only possible solution so far is to copy the .bup file (the compressed and encoded original file) to another computer's quarantine location and extract it there.

Re: restore quarantined files to alternative location

Ok, thanks for the information, as the file is on a LUN that will not be possible.

Regis
Level 12
Message 4 of 12

Re: restore quarantined files to alternative location

Does anyone else feel it's sorta ridiculous that McAfee doesn't have a standalone BUP extraction tool?

Having one would immensely simplify the reporting of false positives.

I like that trick of sticking it in the quarantine location on another computer though.  I had no idea that'd work.

on 5/13/11 11:14:00 AM CDT
xplorr
Level 7
Message 5 of 12

Re: restore quarantined files to alternative location

After some research, I am able to recover quarantined files with this procedure. Perhaps someone could write a program or script to automate this:

Howto Recover McAfee .BUP Quarantine Files:

Use 7-Zip to extract two files from the .BUP file, called Details and File_0 (7-Zip can be found here: http://www.7-zip.org/)

XOR both files with the key “0x6A” (stupid protection) using the program called XOR.exe:

(http://www.softpedia.com/get/Programming/Other-Programming-Files/Xor.shtml)

> xor.exe File_0 file_0.xor 0X6A

> xor.exe Details Details.txt 0X6A

Rename File_0.xor to the original name found in Details.txt

Be careful with the virus!

joemanu
Level 7
Message 6 of 12

Re: restore quarantined files to alternative location

Hi Regis,

I completely agree that a standalone tool to recover BUP files would be a great idea!

So far the McAfee Knowledge Base provides a way to recover using 7-Zip and XOR.

I decided to provide a standalone tool (with source code, so you can modify it for your own needs).

The tool aims to browse a folder with ~100 BUP files (if you put in more files, processing time could be pretty long).

This tool will help you list the original file names and recover them after you select which ones you really want.

It also gives you the name of the virus McAfee found.

Be sure to disable your antivirus during the recovery process, else the file will be quarantined again.

The project is available on GitHub under the GPL v3 licence:

https://github.com/qiaozhou/BUP_Extractor

Binary version for Windows 7 (Windows XP needs people to give it a try):

http://sourceforge.net/projects/bupextractor/files/BUPextractor_20120530.zip/download

Unzip to a folder, then run "Main_BUPextractor.exe".

I hope this tool can be helpful. I am not responsible for any data loss; please do a backup of your BUP files before using it.

Best regards,

Joe

Regis
Level 12
Message 7 of 12

Re: restore quarantined files to alternative location

xplorr, thanks for posting that. I had stumbled upon the XOR with 6A thing in some random security talk somewhere, but hadn't procedurized it.

A simple alias would automate it if you have 7-Zip.

     7zip.exe e  File.BUP

is the commandline for the unpacking function.

If you don't want to have to trust an XOR binary, and you're the sort of person that's got Python installed and handy (be it on a Linux box or under Cygwin on Windows), and you'd rather trust some Didier Stevens Python code, this Python script works nicely:

http://blog.didierstevens.com/programs/translate/

with a command line of

~/bin/translate.py  File_0  eicar_decoded.txt 'byte ^ 0x6A'

In comment #5 of that thread, there's an "UNbup" standalone script that looks simple enough, but I haven't been able to get it to work as is, likely due to my newness to Python and indentation appearing to be rather important to it.
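The decode step from xplorr's procedure above and from the translate.py command, as a small Python script. This is an added example, not code from the thread, from McAfee or from the BUP_Extractor project; it assumes Details and File_0 were already extracted with 7-Zip, and the INI keys it reads (OriginalName under [File_0], DetectionName under [Details]) are assumptions, since the thread only says the original name and timestamps live in Details.

```python
#!/usr/bin/env python3
"""Decode the Details and File_0 members of a McAfee .BUP quarantine file.

Assumes both members were already extracted with 7-Zip (7z e File.BUP).
The INI keys read from Details (OriginalName, DetectionName) are assumptions;
the thread only states that the original name and timestamps are in there.
"""
import configparser
import sys
from pathlib import Path

BUP_XOR_KEY = 0x6A  # single-byte key applied to both Details and File_0


def unbup(data: bytes, key: int = BUP_XOR_KEY) -> bytes:
    """Undo the single-byte XOR obfuscation; XOR with the same key is its own inverse."""
    return bytes(b ^ key for b in data)


def parse_details(text: str) -> dict:
    """Flatten the decoded Details INI into {'section.key': value}, all lower-case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {f"{s.lower()}.{k}": v for s in cp.sections() for k, v in cp.items(s)}


def recover(details_blob: bytes, file0_blob: bytes) -> tuple:
    """Return (safe output name, detection name, decoded file bytes).

    Only the base name of the original path is kept and .recovered is appended,
    so the restored sample lands as inert data instead of a runnable file.
    """
    info = parse_details(unbup(details_blob).decode("latin-1"))
    original = info.get("file_0.originalname", "File_0")        # assumed key
    base = Path(original.replace("\\", "/")).name or "File_0"   # drop drive/dirs
    detection = info.get("details.detectionname", "unknown")    # assumed key
    return f"{base}.recovered", detection, unbup(file0_blob)


def main(argv):
    if len(argv) != 4:
        sys.exit("usage: unbup.py Details File_0 OUTPUT_DIR")
    details, file0, out_dir = (Path(a) for a in argv[1:])
    name, detection, data = recover(details.read_bytes(), file0.read_bytes())
    out_path = out_dir / name
    out_path.write_bytes(data)
    print(f"{detection}: wrote {len(data)} bytes to {out_path}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it on an Exchange log like the one in the original question and the decoded copy lands next to it as E0000001.log.recovered (constructed name), which the on-access scanner can inspect while the Exchange team reads its content.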

Regis
Level 12
Message 8 of 12

Re: restore quarantined files to alternative location

The other thing that's great about having this capability is that one of the files that comes out of the BUP unpacking from 7-Zip is the Details file. The Details file gives you the original file timestamps of the malware. This can be an important clue to inferring the time of infection, potentially, if your malware was detected in an on-demand scan versus an on-access scan. I've been wanting to know how to get at that file timestamp information for freaking EVER and am thrilled to be able to get to it now. Both File_0 and Details are XOR'd with 6A. Why they make even the Details so hard to get at beats the daylights out of me.

xplorr
Level 7
Message 9 of 12

Re: restore quarantined files to alternative location

I guess it has to do with the fact that McAfee and other virus scanners can scan zipped/compressed archives. I guess they xor with 0X6A to avoid the scanners removing the files again in the quarantine folder.

sgrimmel
Level 11
Message 10 of 12

Re: restore quarantined files to alternative location

Hi

There is now a Knowledgebase article related to this issue. KB72755 will be published by close of business US time today.

HTH