How to restore a quarantined file not listed in the Quarantine Manager

Technical Articles ID:   KB72755
Last Modified:  6/24/2020

Environment

McAfee VirusScan Enterprise (VSE) 8.x
McAfee VirusScan Enterprise Quarantine Manager component

Summary

There might be circumstances where VSE deletes a quarantined file before you realize the file needs to be preserved. (For example, for submission to McAfee Labs.)

While you can restore the .BUP file to C:\Quarantine\, the Quarantine Manager no longer shows the quarantined file. So, it can't be restored using the Quarantine Manager.

This article explains how to manually extract information from .BUP files not listed in Quarantine Manager.

To extract files from Quarantine (.BUP) files:

  1. Using Windows Explorer, create a temporary folder. In this example: C:\SAVE-BUP
  2. Download the 7-Zip file compression utility from http://www.7-zip.org/.
  3. Install the 7-Zip utility and extract the following two files from the .BUP file to C:\SAVE-BUP:
    •  Details
    •  File_0
To decrypt files contained in .BUP files:
  1. Download the XOR (xor.zip) utility from http://www.softpedia.com/.
  2. Extract xor.zip to C:\SAVE-BUP.
  3. Click Start, Run, type cmd, and press Enter.
  4. Type cd  \SAVE-BUP and press Enter.
  5. Type xor.exe File_0 file_0.xor 0X6A and press Enter.
  6. Type xor.exe Details Details.txt 0X6A and press Enter.
    NOTE: The value 0x6A is the encryption key used.
  7. Rename File_0.xor to the original name found in the Details file.

Affected Products

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.