How to decrypt quarantined files retrieved by SEPM Quarantine Server functionality added in 14.3 RU2



Article ID: 227352


Products

Endpoint Protection

Issue/Introduction

In 14.3 RU2 a new feature was added to allow the Endpoint Protection Manager (SEPM) to download quarantined files from Endpoint Protection (SEP) clients. The SEPM stores the files in a form that will not automatically be quarantined again when an administrator downloads them from the SEPM.

In some circumstances an administrator may need to retrieve the exact file.

This document provides steps to retrieve the file as it was before being quarantined.

Environment

14.3 RU2 and later.

Resolution

The SEPM stores the files XOR'ed (every byte XOR'ed with 0x80). Below is a Python script which demonstrates how to get the original file back from the quarantined file downloaded from the SEPM.

# Read the file downloaded from the SEPM, XOR every byte with 0x80
# and write the result out as the original file.
with open('download_file', 'rb') as f:
    with open('xored_download_file', 'wb') as f1:
        f1.write(bytes(x ^ 0x80 for x in f.read()))

PowerShell version of the script for environments in which Python can't be used:

# Read the file downloaded from the SEPM into a byte array
$bytes = [System.IO.File]::ReadAllBytes("download_file")
# XOR every byte with 0x80 to restore the original content
for ($i = 0; $i -lt $bytes.Length; $i++) {
    $bytes[$i] = $bytes[$i] -bxor 0x80
}
# Write the restored bytes out as the original file
[System.IO.File]::WriteAllBytes("xored_download_file", $bytes)
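As an added example (not part of this article and not Broadcom's own tooling), the same XOR step wrapped in reusable functions with an optional SHA-256 check, so the restored file is only written out when it matches the hash the detection reported; SEPM_XOR_KEY, the function names and the sample bytes are this example's own assumptions.

```python
import hashlib
from pathlib import Path
from typing import Optional, Tuple

# Per the article, the SEPM stores each downloaded quarantined file with
# every byte XOR'ed with 0x80. The constant name is this example's own.
SEPM_XOR_KEY = 0x80


def unxor(data: bytes, key: int = SEPM_XOR_KEY) -> bytes:
    """Undo the SEPM transform. XOR with a constant is its own inverse, so the
    same function also turns an original file back into the download form."""
    return bytes(b ^ key for b in data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def restore_bytes(download: bytes, expected_sha256: Optional[str] = None) -> Tuple[bytes, str]:
    """Recover the original bytes in memory. When the hash reported by the
    detection is known, refuse to return a file that does not match it."""
    original = unxor(download)
    digest = sha256_hex(original)
    if expected_sha256 is not None and digest != expected_sha256.lower():
        raise ValueError(f"restored file hash {digest} does not match expected {expected_sha256}")
    return original, digest


def restore_quarantined_file(download_path: str, output_path: str,
                             expected_sha256: Optional[str] = None) -> str:
    """File-based wrapper: read the SEPM download, verify, write the original
    file and return its SHA-256. The restored file is the original malicious
    content, so output_path should be a location the SEP client will not scan,
    otherwise it will simply be quarantined again."""
    original, digest = restore_bytes(Path(download_path).read_bytes(), expected_sha256)
    Path(output_path).write_bytes(original)
    return digest


if __name__ == "__main__":
    # Constructed sample standing in for a real download: a fake PE header
    # run through the same XOR the SEPM applies.
    original_sample = b"MZ\x90\x00constructed-sample-payload"
    download_sample = unxor(original_sample)  # what the SEPM would hand out
    restored, digest = restore_bytes(download_sample, sha256_hex(original_sample))
    assert restored == original_sample
    print(f"restored {len(restored)} bytes, sha256={digest}")
```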