Are you sure the file still resides in the C:\Quarantine folder? The default is to automatically delete Quarantined files after one day. That could explain why you no longer see it in the Manager.
Hope this helps.
The file is still definitely in the C:\quarantine folder as a .bup file, and the manager is set to delete after 28 days. Is there a way I can uncompress the file back to its original cab file state, or is it that the virus scanner just renames the file and changes the extension to .bup? If so, can I just rename it back to a .cab file and restore it from that point?
Try disabling VirusScan completely, then copy the file to your desktop, then simply rename it. No guarantees though..
Hope this helps.
Opening the file in an archive manager (WinRar, 7zip) shows two files: details and file_0.
Neither of these are remotely similar to the existing file. They must be further compressed or encrypted.
Has anyone successfully recovered a file w/o using McAfee's software?
Did anyone find a solution for this?
We have a similar problem here. An infection was detected, the file was then moved to C:\Quarantine\7daXXXXXX.bup , and deleted by VSE after 1 day.
However, I need to restore this file to submit it for review to McAfee labs.
I thus changed the quarantine deletion from 1 day to 1 month, and restored the .bup file from our daily backups into C:\Quarantine\ .
However, the Quarantine Manager doesn't display the quarantined file, so I cannot restore it...
Any idea?
Yes I did.
After some research, I am able to recover quarantined files with this procedure. Perhaps someone could write a program or script to automate this:
Howto Recover McAfee .BUP Quarantine Files:
Use 7Zip to Extract 2 files from the .BUP file called Details and File_0 (7Zip can be found here: http://www.7-zip.org/)
XOR both files by the key “0x6A” (Stupid protection) with the program called XOR.exe:
> xor.exe File_0 file_0.xor 0X6A
> xor.exe Details Details.txt 0X6A
Rename File_0.xor to Original name found in Details.txt
Be careful with the virus!
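The XOR and rename steps of the procedure above as a Python script (an added example, not from the original post or from McAfee). It assumes Details and File_0 were already extracted with 7-Zip and that the decoded Details is INI-style text with an OriginalName key under [File_0]; the sample bytes are constructed, and the extra ".quarantined" suffix is a precaution added here.

```python
import configparser
import hashlib
import ntpath
import re

BUP_XOR_KEY = 0x6A  # single-byte key given in the post above


def xor_decode(data: bytes, key: int = BUP_XOR_KEY) -> bytes:
    """XOR every byte with the key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def original_name(details_plain: bytes, section: str = "File_0") -> str:
    """Return a safe base name for the quarantined item.

    Assumption: decoded Details is INI-style text with an OriginalName
    key in a [File_0] section.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as stored
    parser.read_string(details_plain.decode("utf-8", errors="replace"))
    raw = parser.get(section, "OriginalName")
    # Keep only the file name: never write back to the path recorded in Details.
    base = ntpath.basename(raw.strip())
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "recovered"
    return base + ".quarantined"  # suffix so the sample is not launched by a double-click


def recover(details_raw: bytes, file0_raw: bytes):
    """Decode both members; return (safe_name, sha256_hex, payload_bytes)."""
    payload = xor_decode(file0_raw)
    name = original_name(xor_decode(details_raw))
    return name, hashlib.sha256(payload).hexdigest(), payload


# Constructed sample standing in for the two members extracted by 7-Zip.
SAMPLE_DETAILS = xor_decode(
    b"[Details]\r\nDetectionName=Constructed-Test\r\nNumberOfFiles=1\r\n"
    b"[File_0]\r\nObjectType=5\r\nOriginalName=C:\\Temp\\setup 1.cab\r\n"
)
SAMPLE_FILE0 = xor_decode(b"MSCF\x00\x00\x00\x00 constructed payload")

if __name__ == "__main__":
    name, digest, payload = recover(SAMPLE_DETAILS, SAMPLE_FILE0)
    print(name, digest, len(payload))
```

The SHA-256 gives a stable identifier for the recovered sample when submitting it for review.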
This is now covered in KB72755 which is up for publication by close of business US time today.