Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 6 subscribers
  • Views 21527 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Virus Removal Tool: Retrieve malware for submission?

JW99
I used the Virus Removal Tool to cleanup a CryptLocker infection yesterday. I'd like to retrieve the binary so I can submit it to VirusTotal. I see a SafeClean folder for the VRT -- is there a way to retrieve the items removed? Thanks.
:44797


This thread was automatically locked due to age.
Parents
  • 0

    Hello Steve_,

    (disclaimer: I'm not Sophos and have no extended knowledge of SafeClean and scc) 

    use double quotes in the -bindir= option to target remote 'bins'

    Dunno why you'd need double quotes for remote.  The usual parsing and passing rules of the cmd shell apply, scc.exe verifies the (already parsed) parameter is a syntactically correct path, that an eventual remote share exists and then uses a standard API to locate the bin. There's one catch though as scc.exe attempts to store to the original location - I haven't tested it but I doubt it will create the path if it doesn't exist.

    change EnableSafeClean="yes" to EnableSafeClean="no"

    SafeClean takes an encrypted backup when a file is cleaned - move is another option to deal with an infected file (and AFAIK not available with SVRT - note that the Quarantine is "just" a list of threats which have not been dealt with). Thus setting it to "no" simply disables the backup.

    Christian

    :47900
Reply
  • 0

    Hello Steve_,

    (disclaimer: I'm not Sophos and have no extended knowledge of SafeClean and scc) 

    use double quotes in the -bindir= option to target remote 'bins'

    Dunno why you'd need double quotes for remote.  The usual parsing and passing rules of the cmd shell apply, scc.exe verifies the (already parsed) parameter is a syntactically correct path, that an eventual remote share exists and then uses a standard API to locate the bin. There's one catch though as scc.exe attempts to store to the original location - I haven't tested it but I doubt it will create the path if it doesn't exist.

    change EnableSafeClean="yes" to EnableSafeClean="no"

    SafeClean takes an encrypted backup when a file is cleaned - move is another option to deal with an infected file (and AFAIK not available with SVRT - note that the Quarantine is "just" a list of threats which have not been dealt with). Thus setting it to "no" simply disables the backup.

    Christian

    :47900
Children
No Data