11 Replies Latest reply on Jun 19, 2012 5:33 AM by joemanu

    restore quarantined files to alternative location

    blindpepper

      Hello,

      McAfee Virusscan 8.7 patch3 quarantined an exchange log file last night. Our exchange guys could not restore the file as it was on a LUN, so they recreated the log files.

      Now I need to restore the quarantined file to another location than the original so they can check the content of the log file.

      How can I do this?

      Mario

        • 1. Re: restore quarantined files to alternative location

          The problem is that McAfee does not provide an extraction tool. Unfortunately it is also not possible to extract it to another location. The only possible solution so far is to copy the .bup file (the compressed and encoded original file) to another computer's quarantine location and extract it there.

          • 2. Re: restore quarantined files to alternative location
            blindpepper

            Ok, thanks for the information, as the file is on a LUN that will not be possible.

            • 3. Re: restore quarantined files to alternative location
              Regis

              Does anyone else feel it's sorta ridiculous that McAfee doesn't have a BUP extraction standalone tool?

              Having one would immensely simplify the reporting of false positives.

              I like that trick of sticking it in the quarantine location on another computer though.  I had no idea that'd work.

              on 5/13/11 11:14:00 AM CDT
              • 4. Re: restore quarantined files to alternative location

                After some research, I am able to recover quarantined files with this procedure. Perhaps someone could write a program or script to automate this:

                How to Recover McAfee .BUP Quarantine Files:

                Use 7Zip to Extract 2 files from the .BUP file called Details and File_0 (7Zip can be found here: http://www.7-zip.org/)

                XOR both files by the key “0x6A” (Stupid protection) with the program called XOR.exe:

                (http://www.softpedia.com/get/Programming/Other-Programming-Files/Xor.shtml)

                > xor.exe File_0 file_0.xor 0X6A

                > xor.exe Details Details.txt 0X6A

                Rename File_0.xor to Original name found in Details.txt

                Be careful with the virus!

                • 5. Re: restore quarantined files to alternative location
                  Regis

                  xplorr, thanks for posting that.  I had stumbled upon the xor with 6a thing in some random security talk somewhere, but hadn't procedurized it.

                  A simple alias would automate it if you have 7zip.

                       7zip.exe e  File.BUP

                  is the command line for the unpacking function.

                  If you don't want to have to trust an xor binary, and you're the sort of person that's got python installed and handy (be it on a Linux box or under Cygwin in Windows), and you'd rather trust some Didier Stevens python code, this python script works nicely

                  http://blog.didierstevens.com/programs/translate/

                  with a command line of

                  ~/bin/translate.py  File_0  eicar_decoded.txt 'byte ^ 0x6A'

                  In comment #5 of that thread, there's an "UNbup" standalone script that looks simple enough, but I haven't been able to get it to work as is, likely due to my newness to python and indentation appearing to be rather important to it.
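The procedure in replies 4 and 5 (7-Zip extracts Details and File_0, both XOR-encoded with 0x6A) in one script, added here as an example and not code from the thread or from McAfee. It assumes the decoded Details stream is INI text with a [Details] section (DetectionName, Creation* keys) and a [File_0] section with an OriginalName key; the sample Details text is constructed, and the file is written under its original base name into a directory you choose, never back to the original path.

```python
#!/usr/bin/env python3
"""Decode the Details and File_0 streams that 7-Zip extracts from a McAfee .BUP
and write the original file into an output directory of your choosing."""
import configparser
import ntpath
import os
import sys

XOR_KEY = 0x6A  # single-byte key the thread identifies for both streams

# Constructed sample of a decoded Details stream (not from a real quarantine)
SAMPLE_DETAILS = ("[Details]\r\nDetectionName=Example.Detection\r\nCreationYear=2012\r\n"
                  "CreationMonth=3\r\nCreationDay=29\r\n\r\n[File_0]\r\n"
                  "OriginalName=C:\\Exchange\\E00.log\r\n")

def unxor(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; running it twice restores the input."""
    return bytes(b ^ key for b in data)

def parse_details(text: str) -> dict:
    """Pull the useful fields from the decoded, INI-style Details text.
    Section and key names are assumptions; missing ones are tolerated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.replace("\x00", ""))
    info = {"detection": "", "original_name": "", "creation": {}}
    if cp.has_section("Details"):
        sec = cp["Details"]
        info["detection"] = sec.get("DetectionName", "")
        # Creation* values record when the BUP was made (quarantine time),
        # not the original file's own timestamp, as reply 9 observes
        info["creation"] = {k: v for k, v in sec.items() if k.startswith("creation")}
    if cp.has_section("File_0"):
        info["original_name"] = cp["File_0"].get("OriginalName", "")
    return info

def restore(details_path: str, file0_path: str, out_dir: str) -> str:
    """Decode both streams and write the payload under its original base
    name into out_dir (an alternative location). Returns the path written."""
    with open(details_path, "rb") as fh:
        info = parse_details(unxor(fh.read()).decode("latin-1"))
    with open(file0_path, "rb") as fh:
        payload = unxor(fh.read())
    base = ntpath.basename(info["original_name"]) or "File_0.restored"
    os.makedirs(out_dir, exist_ok=True)
    out_path = os.path.join(out_dir, base)
    with open(out_path, "wb") as fh:
        fh.write(payload)
    return out_path

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: unbup.py Details File_0 OUT_DIR")
    print(restore(*sys.argv[1:]))
```

Run it after `7z e File.BUP` has produced Details and File_0; the restored file is still the detected content, so keep the output directory excluded from on-access scanning or it will be quarantined again.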

                  • 6. Re: restore quarantined files to alternative location
                    Regis

                    The other thing that's great about having this capability is that one of the files that comes out of the BUP unpacking from 7-zip is the Details file.  The details file gives you original file timestamps of the malware.  This can be an important clue to inferring time of infection potentially if your malware was detected in an on demand scan versus an on access scan.   I've been wanting to know how to get at that file timestamp information for freaking EVER and am thrilled to be able to get to it now.  Both File_0 and Details are xor'd with 6A.  Why they make even the Details so hard to get at beats the daylights out of me.

                    • 7. Re: restore quarantined files to alternative location

                      I guess it has to do with the fact that McAfee and other virus scanners can scan zipped/compressed archives. I guess they xor with 0X6A to avoid the scanners removing the files again in the quarantine folder.

                      • 8. Re: restore quarantined files to alternative location

                        Hi

                        There is now a Knowledgebase article related to this issue. KB72755 will be published by close of business US time today.

                        HTH

                        • 9. Re: restore quarantined files to alternative location

                          Regis, could you tell me exactly how you found the original file time stamps in the Details file once it's extracted from the .BUP? I have extracted the 2 files from the BUP, but the time stamps on the files are still from the moment the infected file was quarantined. Is the original time stamp inside the text of the Details file? I have opened the BUP in McAfee FileInsight, but I can't understand the contents of the Details file (it's all code to me). Can you help?

                          UPDATE: I was able to convert the Details file to Details.txt using the xor.exe utility, but when viewing Details.txt the CreationDay/Month/Year/Hours/Minutes= values are all the same as when the BUP was created (when the infected file was quarantined). Did you get different results?

                          Like you, we would find the original file time stamp to be VERY helpful in blocking potential malware sources.

                          Thanks!

                          Message was edited by: fitzgerac on 3/29/12 12:15:10 PM CDT