Virus Removal Tool: Retrieve malware for submission?

I used the Virus Removal Tool to cleanup a CryptLocker infection yesterday. I'd like to retrieve the binary so I can submit it to VirusTotal. I see a SafeClean folder for the VRT -- is there a way to retrieve the items removed? Thanks.


This thread was automatically locked due to age.
  • Thanks for this info. I no longer have access to the PC I ran SVRT on, so I can't test it, but I assume it works as described.

    John

  • I tried using scc.exe but may have been getting the syntax wrong. Are there any examples? I ran SVRT on an XP machine and would like to try to recover the encrypted piece of malware for further analysis.

  • Hello Steve_,

    Its syntax is pretty simple. As How to restore files ... says, you start with scc.exe list (perhaps you could post its output here), then follow with scc.exe restore -recordid=nnn (where nnn is the item's recordid obtained with scc list). What is the error you get?

    Christian

  • Listing all items that meet the criteria

    Record ID:      any
    Threat Name:    any
    Item Type:      any
    Date Start:     any
    Date End:       any

    Failed to create a SAVI factory
    Return value: 0x00000004

  • Hello Steve_,

    Failed to create a SAVI factory
    Return value: 0x00000004

    this suggests it can't find/load the SAVI.dll. Can't say where it searches for this DLL if you have (only) the SVRT installed (you didn't uninstall it, did you?) but anyway scc.exe tries also the directory it is running from. SAVI.dll is in the \Program Files\Sophos\Sophos Virus Removal Tool\engine\ folder. Put scc.exe into this folder and run it from there.

    HTH
    Christian

  • Using scc.exe from the engine subfolder seems to have done the trick!

    Can you use double quotes in the -bindir= option to target remote 'bins'? If not, I can always tie something together with PowerShell in case.

    Also, if I modify the config.xml file to change EnableSafeClean="yes" to EnableSafeClean="no", will that disable the encryption function but still move the detected malware to the default "quarantine" folder?

  • Hello Steve_,

    (disclaimer: I'm not Sophos and have no extended knowledge of SafeClean and scc)

    use double quotes in the -bindir= option to target remote 'bins'

    Dunno why you'd need double quotes for remote. The usual parsing and passing rules of the cmd shell apply: scc.exe verifies that the (already parsed) parameter is a syntactically correct path and that an eventual remote share exists, and then uses a standard API to locate the bin. There's one catch though, as scc.exe attempts to store to the original location - I haven't tested it, but I doubt it will create the path if it doesn't exist.

    change EnableSafeClean="yes" to EnableSafeClean="no"

    SafeClean takes an encrypted backup when a file is cleaned - move is another option to deal with an infected file (and AFAIK not available with SVRT - note that the Quarantine is "just" a list of threats which have not been dealt with). Thus setting it to "no" simply disables the backup.

    Christian

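The "tie something together with PowerShell" idea from the thread, as an added example that is not from the thread or from Sophos: a small wrapper around the scc.exe list / restore -recordid=nnn steps that first checks scc.exe sits next to SAVI.dll in the SVRT engine folder (the cause of the "Failed to create a SAVI factory" / 0x00000004 error discussed above). It assumes the engine path and the command forms exactly as quoted in the thread; the -bindir= value is passed through untouched, so a UNC path with spaces is quoted for you by PowerShell's argument handling rather than by hand.

```powershell
# Constructed example, not Sophos code. Assumes the SVRT engine folder named in the thread
# and that scc.exe accepts 'list' and 'restore -recordid=nnn' as described there.
$EngineDir = 'C:\Program Files\Sophos\Sophos Virus Removal Tool\engine'
$Scc       = Join-Path $EngineDir 'scc.exe'

function Test-SccEnvironment {
    # scc.exe also searches its own directory for SAVI.dll; a missing DLL is the
    # usual reason for "Failed to create a SAVI factory" / return value 0x00000004.
    foreach ($f in @($Scc, (Join-Path $EngineDir 'SAVI.dll'))) {
        if (-not (Test-Path -LiteralPath $f)) {
            throw "Missing $f - copy scc.exe into the engine folder and run it from there"
        }
    }
}

function Get-SafeCleanRecords {
    # Runs 'scc.exe list' (optionally against another bin via -bindir=) and returns the raw listing;
    # the record IDs in it are what Restore-SafeCleanRecord needs.
    param([string]$BinDir)
    Test-SccEnvironment
    $argList = @('list')
    if ($BinDir) { $argList += "-bindir=$BinDir" }   # one token; PowerShell quotes it if it has spaces
    $output = & $Scc @argList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ('scc.exe list failed, return value 0x{0:X8}' -f $LASTEXITCODE)
    }
    $output
}

function Restore-SafeCleanRecord {
    # Restores one SafeClean record. Per the thread, scc.exe writes back to the item's
    # original location, so pass that path as -RestoredPath to get a SHA-256 for a
    # hash lookup on VirusTotal before deciding whether to upload the file at all.
    param(
        [Parameter(Mandatory)][int]$RecordId,
        [string]$BinDir,
        [string]$RestoredPath
    )
    Test-SccEnvironment
    $argList = @('restore', "-recordid=$RecordId")
    if ($BinDir) { $argList += "-bindir=$BinDir" }
    & $Scc @argList 2>&1 | ForEach-Object { Write-Host $_ }
    if ($LASTEXITCODE -ne 0) {
        throw ('restore of record {0} failed, return value 0x{1:X8}' -f $RecordId, $LASTEXITCODE)
    }
    if ($RestoredPath -and (Test-Path -LiteralPath $RestoredPath)) {
        Get-FileHash -Algorithm SHA256 -LiteralPath $RestoredPath
    }
}
```

Run `Get-SafeCleanRecords` first, read the record ID off the listing, then `Restore-SafeCleanRecord -RecordId nnn -RestoredPath 'C:\path\the\item\came\from'`; do this on an isolated analysis machine, since the restored file is the live sample.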
  • Great to know. I'll keep safeclean on to avoid a *facepalm* situation.
