In 14.3 RU2, a new feature, Download file that the client quarantined, was added to allow Symantec Endpoint Protection Manager (SEPM) to download quarantined files from Symantec Endpoint Protection (SEP) clients. The SEPM stores the files in a transformed form so that they are not automatically quarantined again when an administrator downloads them from the SEPM.
In some circumstances an administrator may need to retrieve the exact file.
This document provides steps to retrieve the file as it was before being quarantined.
Applies to SEPM 14.3 RU2 and later.
The SEPM stores the downloaded files with every byte XOR'ed with 0x80. Because XOR is its own inverse, applying the same operation again restores the original file. Below is a Python script which demonstrates how to get the original file back from the quarantined file downloaded from the SEPM.
# Read the file downloaded from the SEPM, XOR every byte with 0x80 and write
# the result. XOR is its own inverse, so this yields the original file.
with open('download_file', 'rb') as f:
    with open('xored_download_file', 'wb') as f1:
        f1.write(bytes(b ^ 0x80 for b in f.read()))
PowerShell version of the script for environments in which Python can't be used:

# Use full paths for both files: the .NET File class resolves relative paths
# against the process working directory, which can differ from the
# PowerShell location.
$bytes = [System.IO.File]::ReadAllBytes("download_file")
for ($i = 0; $i -lt $bytes.Length; $i++) {
    # XOR each byte with 0x80 to undo the SEPM's transformation
    $bytes[$i] = $bytes[$i] -bxor 0x80
}
[System.IO.File]::WriteAllBytes("xored_download_file", $bytes)
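The following is an added example (not part of the original article and not Symantec's code) that generalizes both scripts above: it streams the file through the XOR in chunks so large samples do not have to fit in memory, uses a precomputed 256-byte translation table so the work is done by bytes.translate() rather than a per-byte Python loop, and returns the SHA-256 of the recovered file so it can be compared with a hash recorded elsewhere for the original detection (that you have such a hash is an assumption; the file names and the sample bytes are constructed for the demo).

```python
"""Recover a SEPM-downloaded quarantine file from its XOR-0x80 encoding.

Added example; assumes only that every stored byte is XOR'ed with 0x80,
as the article's scripts show.
"""
import hashlib
import os
import tempfile

# Every byte is XOR'ed with 0x80 (the high bit is flipped). A 256-entry table
# lets bytes.translate() apply the transform in C, which matters for large files.
XOR_TABLE = bytes(b ^ 0x80 for b in range(256))


def unxor_bytes(data: bytes) -> bytes:
    """Undo the 0x80 XOR. The transform is its own inverse, so this also
    reproduces the stored form from the original."""
    return data.translate(XOR_TABLE)


def unxor_file(src: str, dst: str, chunk_size: int = 1 << 20) -> str:
    """Stream src through the XOR in chunks and write the result to dst.

    Returns the SHA-256 hex digest of the recovered file so it can be compared
    with the hash recorded for the original detection (assumption: such a hash
    is available from the console or a sandbox report).
    """
    digest = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            chunk = fin.read(chunk_size)
            if not chunk:
                break
            plain = chunk.translate(XOR_TABLE)
            digest.update(plain)
            fout.write(plain)
    return digest.hexdigest()


def demo() -> bool:
    """Round-trip a constructed sample: store it the way the SEPM does,
    recover it, and confirm the bytes and the hash match the original."""
    # Constructed sample, not a real binary; covers all 256 byte values.
    original = b"MZ" + bytes(range(256)) * 8
    with tempfile.TemporaryDirectory() as tmp:
        downloaded = os.path.join(tmp, "download_file")
        recovered = os.path.join(tmp, "xored_download_file")
        with open(downloaded, "wb") as f:
            f.write(unxor_bytes(original))  # simulate the stored (XOR'ed) form
        # A small chunk size forces several loop iterations in the demo.
        got_hash = unxor_file(downloaded, recovered, chunk_size=100)
        with open(recovered, "rb") as f:
            recovered_bytes = f.read()
    return (recovered_bytes == original
            and got_hash == hashlib.sha256(original).hexdigest())


if __name__ == "__main__":
    print("round trip ok:", demo())
```

Usage: call unxor_file("download_file", "xored_download_file") with the paths of the file downloaded from the SEPM and the desired output; compare the returned digest with the hash you hold for the original before handling the recovered file. The table also shows why the stored form is not re-quarantined on the way through: flipping the high bit of every byte turns, for example, the ASCII "MZ" header bytes into 0xCD 0xDA, so nothing in the file matches content signatures until the transform is reversed.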