Sometimes very annoyingly AV Does its job and removes that malware you really wanted to look at.
Sometimes even more annoyingly you can only get the Quarantine files not the whole system they were sat on, this means there’s no nice GUI and one click restore options only to have it instantly delete itself again when you try to copy it to some other device.
This is the situation I was faced with recently. McAfee had quarantined the files and i was too far away to get hands on the system, but i could get the Quarantine Files.
.bup files well im pretty sure they wont play on a DVD player so what are they and how do i get my malware out.
Turns out this is pretty simple.
the .bup file is actually an archive file. Extracting the contents with 7zip liberates two files:
Attempting to view these files results in giberish. Or more precisely XOR encoded giberish.
This is now trivial for us to recover. It appears that they always use the same XOR key which is 0x6A but for the sake of being thorough ill also show you how to recover the key just in case it changes.
We Need two tools
- XOR Tool - Useful tool that allows you to specify a key and have the results written to a new file.
- XORSearch - Released by Didier Stevens, Who releases a lot of great tools, and allows you to search for an XOR Key.[
Search Details for the word Details which should return the XOR Key 0x6A
xorsearch.exe -i Details Details
This will spit out a new file that is now in clear text and when opened up with a text editor you should see the original file details.
to recover the File itself you can either run xorsearch looking for something known in the file, like “this program” or “%pdf” etc or you can run the xor tool with the specified Key.
xor.exe File_0 file_0.xor 0X6A
xor.exe Details Details.txt 0X6A
you can now rename file_o.xor to the original name as found in Details.txt
Some versions of McAfee also store their details in a password protected zip archive and a database File.
The database file is an SQLITE DB file and can be opened with any SQLITE Browser i like this one http://sourceforge.net/projects/sqlitebrowser/ or the firefox addon https://addons.mozilla.org/en-us/firefox/addon/sqlite-manager/
The quarantine.db file can be found in “C:\ProgramData\McAfee\VirusScan\Quarantine” and contains a variety of meta-data in a few tables.
The Archives can be found in “C:\ProgramData\McAfee\VirusScan\Quarantine\quarantine”
Inside the archive is an XML File ProgramData\McAfee\QuarMeta\guid that contains much of the same info that can be found in the DB File
and the original File in the path it was deleted from.
You can extract these files to any location you like using the password “infected”
That pretty much covers Restoring from McAfee if you only have the Quarantine Files. If anyone knows how to recover from other AV Vendors drop a comment below.
If not I’m sure at some point ill be forced to find out.