Tuesday, July 20, 2010

McAfee Quarantine -- What's In There?

I discovered that McAfee VirusScan seemed to be putting large numbers of files with a .bup suffix into folders called C:\QUARANTINE and E:\Cache\McAfeeQuarantine.  (The location of the latter was no surprise; I had set aside E:\Cache for miscellaneous folders.)  I wondered what was in these .bup files; and if they were things that I did not want to be quarantined, I wondered how I might retrieve their contents.  I tried to open them by double-clicking on them, but I got this message (in Windows XP):  "Windows cannot open this file."

Apparently there was supposed to be a McAfee Quarantine Manager program.  I didn't have that.  Actually, I couldn't even tell what I did have.  Normally, I would store the installation program, in case I needed it again, but it wasn't turning up right now.  I suspected that I had gotten McAfee something-or-other installed, for free, during the installation of some other program.

A search led to a McAfee page that seemed to indicate that McAfee Quarantine Manager was a Large Enterprise product.  I registered to receive a free download of the beta version.  They said I would be getting an e-mail within a few hours, but it was actually just a few minutes, and then I downloaded Quarantine Manager.

While that was all in the works, I went to McAfee's main support page.  It did not have links to any knowledgebase, forum, or FAQs.  I clicked on the big Get Support button.  Here, I had options for Tech Support, Customer Service, or Virus Removal.  I chose Tech Support, and that did give me a link to FAQs.  I tried a search there and got several items that seemed relevant.  One, document no. TS100617, "How to recover a file that has been quarantined by VirusScan," advised me to begin by double-clicking the M icon in my taskbar.  I didn't have an M icon; I just had a shield whose tooltip said, "McAfee OAS: enabled."  I double-clicked on it anyway and got "On-Access Site Scan Statistics."  It had no options.  This was different from the picture shown in the document, which showed a screenshot from McAfee Security Center.  Another document, no. TS100843, "How to recover a file that has been quarantined by VirusScan," likewise assumed I had an M icon.

Taking another approach, I tried McAfee's Chat and Email support option.  I started with the Community Forums link, which oddly appeared on that webpage even though a forum is neither chat nor e-mail.  It seemed that I could have gone directly to the forums, if I had had the URL, instead of going through all those other pages.  Once I was there, at any rate, my searches didn't turn up anything on point, so I backed up and tried their free online chat.  I sent them a message.  They replied immediately with this:

Sorry, we don't support your operating system
We currently support Windows 7, Vista, XP, 2000, NT 4.0 and Mac OS X v10.4 Tiger or newer.
I was using Ubuntu to send this message.  So I guess it did not occur to McAfee that someone might use one computer to contact them about a problem on another.  I went into a Windows XP virtual machine on that Ubuntu computer and tried again; but then the web browser I was using (Firefox) crashed there.

While that was developing, I did a search for McAfee Security Center.  This seemed to be a product, or rather part of another product, that I could buy for about $35-50.  I also did a search for the On-Access Site Scan.  Michael Dance at eHow.com said OAS was a key part of McAfee VirusScan.  My search for that generated the impression that I could download VirusScan and use it free for the first year.  Unfortunately, it seemed that that particular promotion had been active in autumn 2009, whereas it was now summer 2010.

At about this time, it occurred to me that I could check Start > Control Panel > Add or Remove Programs and see what, exactly, I did have.  And well, lo and behold, it seemed I had McAfee Agent, McAfee AntiSpyware Enterprise, and McAfee VirusScan Enterprise.  No shortcuts to anything like that in my Start Menu, though.  I went into C:\Program Files and didn't see much; but then I noticed that there was a newish C:\Program Files(x86) folder whose only contents were a McAfee folder.  There, in a VirusScan Enterprise subfolder, I found 22 Application-type (i.e., .exe) files.  I tried double-clicking on mcadmin.exe, but nothing happened.  I tried mcconsol.exe, and that opened the VirusScan Console that I had been able to open by right-clicking the shield icon in the taskbar; but that Console still didn't have any more relevant options than it had had earlier in the day, and most specifically it seemed useless for purposes of finding out what was in those .bup files in McAfeeQuarantine.  I clicked on most of the other executables in that VirusScan Enterprise subfolder and still got nothing.  Nor did a search for files or folders with McAfee in their name turn up anything interesting.  Somehow, it seemed, I had gotten a sort of ghost version of McAfee VirusScan on my PC.

I decided to move the .bup files from C:\Quarantine to E:\Cache\McAfeeQuarantine, so they would all be in one place.  While I appreciated whatever it was that the installed free version of McAfee AntiVirus might be doing on my behalf -- especially an Enterprise version (woo hoo!) -- I was mostly just wanting to get rid of it if I could replace it with something else, not necessarily by McAfee.  I was, in fact, running avast! AntiVirus, and avast! was in fact running a one-year free special.  Anyway, neither was top-ranked, according to TopTenReviews.  The only PC Magazine editor's choice antivirus award in 2010 went to Panda Cloud 1.1 (free).  So really, all I needed was to investigate what was in these .bup files and then bid avast! to McAfee.

By now, McAfee online chat was finally ready for action.  The only place it would run for me, even in the Windows XP virtual machine, was in Internet Explorer; it didn't run in Firefox, and it had to install several different programs before its chat interface would run.  Even then, it was just sitting there, with this message:  "Your representative has arrived.  Thank you for waiting."  I was glad s/he had arrived, but I couldn't tell where s/he was, exactly.  After a while, I killed that window and tried again, and now it worked.  I proceeded to spend a half-hour chatting with Deepu, who had no idea how to view the contents of .bup files.  She was not able to verify my installation -- I had told her that I really didn't recall how this program had gotten onto my system -- and therefore she would not pass the question on to her supervisor.

A couple of days passed, and no more word from McAfee.  By now, that free download of McAfee Quarantine Manager seemed to be the only game in town.  Therefore, I went ahead and tried to install one of the programs included in the download.  But I got, "The operating system is not adequate for running McAfee Quarantine Manager DBSuite."  Same thing when I tried the more modest version:  "The operating system is not adequate for running McAfee Quarantine Manager."  They hadn't warned me about this over at eHow.com.

I never did hear anything more from McAfee.  Basically, they had put several gigabytes of stuff from my computer into their .bup files, and they were not going to help me figure out what was in those files, even though I was worried that they might have stuck some data in there along with allegedly infected program files (some of which, I had concluded, were false positives, i.e., guilty until proven innocent).  I had had a prior crappy experience with McAfee, back in the 1990s, and this was probably going to be the end for them, as far as I was concerned.



He's right. They are bozos.


I finally got back to that ZIP file, a year and a half later. Now a search took me to a thread where someone suggested using Xor. Their advice was basically to run a Xor command to unzip each file. The command format was like this: xor.exe File.bup File.xor password. The password was 0X6A. (That's a zero, not an oh.) For instance, McAfee had left me with a file called 7da5b737e9c0.bup, so the command I used was "xor.exe 7da5b737e9c0.bup 7da5b737e9c0.xor 0x6A". As described elsewhere, I could have used a spreadsheet or some search-and-replace work in a word processor to convert the list of .bup files into a set of commands to run in a batch file (faster than doing them one by one), one command for each .bup file. So now I had decrypted the .bup files. But what was the correct extension -- what kinds of files were they? Apparently there was supposed to be a Details file along with the .bup files, and I was supposed to run "xor.exe Details Details.txt 0x6A" to get the original filenames, extensions, and dates. So instead of having a file called 7da5b737e9c0.xor, I would have "Fourth Letter to Jones.doc," or something. Unfortunately, it seemed I had lost the Details file during my previous bout of playing around with the McAfee files, or maybe it never existed. Fortunately, after renaming them to be .txt files, I was able to open them all in Notepad++. Toward the bottom of the first screenful of information about each file, I could see a line in all caps that appeared to be the original path and file name (e.g., D:\FOLDER NAME\SUBFOLDER\FILENAME.EXE). They all appeared to be program files, not data files. So it appeared to be a false alarm; apparently McAfee was not randomly quarantining family photos.
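The decoding step in the comment above, as an added example in Python rather than the xor.exe tool it describes (this is not McAfee's code and not the commenter's). It assumes the quarantine record is XOR-obfuscated byte for byte with the single key 0x6A, and it assumes a Details text laid out as INI-style sections with keys named DetectionName and OriginalName; the sample Details text and payload bytes are constructed for this example. It also does the two things a practitioner wants when asking "what's in there": it reads the original path out of the decoded text (falling back to the all-caps path scan the comment relied on when no Details text is available), and it identifies the recovered payload by its SHA-256 hash instead of running it, so a suspected false positive can be checked against a known-good copy without executing anything that was quarantined.

```python
"""Decode a McAfee-style XOR-obfuscated quarantine record and report what
it held, without executing the recovered payload.

Added example, not the xor.exe tool from the comment or McAfee's own code.
Assumptions: the record is XOR-obfuscated byte for byte with the single key
0x6A (the "password" in the comment), and the Details text follows the
INI-like layout of SAMPLE_DETAILS below, which is constructed here.
"""
import hashlib
import re
from pathlib import Path

XOR_KEY = 0x6A  # single-byte key from the comment above (zero, not oh)

# Constructed sample of the decoded Details text.  The key names are assumed.
SAMPLE_DETAILS = (
    "[Details]\r\n"
    "DetectionName=EXAMPLE.Detection\r\n"
    "DetectionType=0\r\n"
    "NumberOfFiles=1\r\n"
    "[File_0]\r\n"
    "ObjectType=5\r\n"
    "OriginalName=D:\\FOLDER NAME\\SUBFOLDER\\FILENAME.EXE\r\n"
    "WasAdded=0\r\n"
)
# Constructed stand-in for the quarantined file's bytes; not a real program.
SAMPLE_PAYLOAD = b"constructed payload bytes; not a real program"


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with `key`.  XOR is its own inverse, so the same call
    both obfuscates and decodes (that is why xor.exe needs no other mode)."""
    return bytes(b ^ key for b in data)


def parse_details(text: str) -> dict:
    """Parse INI-style '[Section]' and 'Key=Value' lines into
    {section: {key: value}}; blank lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


# Fallback used in the comment above: scan the decoded bytes for an all-caps
# Windows path when no structured Details text is available.
WINDOWS_PATH_RE = re.compile(rb"[A-Z]:\\[^\r\n\x00]+")


def find_paths(decoded: bytes) -> list:
    return [m.decode("ascii", "replace") for m in WINDOWS_PATH_RE.findall(decoded)]


def describe_record(encoded_details: bytes, encoded_payload: bytes) -> dict:
    """Decode both parts and summarise them.  The payload is only hashed,
    never written to an executable name or run, so the hash can be compared
    with a known-good copy or looked up without touching the file itself."""
    decoded_details = xor_bytes(encoded_details)
    info = parse_details(decoded_details.decode("latin-1"))
    payload = xor_bytes(encoded_payload)
    return {
        "detection": info.get("Details", {}).get("DetectionName"),
        "original_name": info.get("File_0", {}).get("OriginalName"),
        "paths_seen": find_paths(decoded_details),
        "payload_size": len(payload),
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }


def decode_folder(folder: str, key: int = XOR_KEY) -> list:
    """Batch equivalent of running xor.exe once per file: decode every
    <name>.bup in `folder` to <name>.txt beside it and return those paths."""
    written = []
    for bup in sorted(Path(folder).glob("*.bup")):
        txt = bup.with_suffix(".txt")
        txt.write_bytes(xor_bytes(bup.read_bytes(), key))
        written.append(txt)
    return written


if __name__ == "__main__":
    # Round trip on the constructed sample: obfuscate, then describe.
    enc_details = xor_bytes(SAMPLE_DETAILS.encode("latin-1"))
    enc_payload = xor_bytes(SAMPLE_PAYLOAD)
    for field, value in describe_record(enc_details, enc_payload).items():
        print(f"{field}: {value}")
```

Point `decode_folder` at the quarantine directory to get a .txt beside each .bup, as the batch-file approach in the comment would; the .txt files are plain decoded bytes, so open them in a text editor rather than renaming them back to their original extension.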


I loaded McAfee and it is so much more user-unfriendly than Microsoft Security Essentials. You have to go to the "Navigation" up at the top and then scroll down to the very bottom to get to "Quarantined and Trusted Items". Then from there it gets worse: they start using pictures (similar to what Google is doing these days) instead of text. Fortunately, from there, if you click on enough buttons, you can then *finally* get to the file it was trying to quarantine.

Microsoft Security Essentials has a much better interface in my opinion. I've spent hours searching the Internet not finding results. Not a McAfee fan at this point but I'll probably continue to use both their software and MS Security Essentials.


In my case the quarantine folder is in "C:\ProgramData\McAfee\VirusScan\Quarantine". I guess the location of this folder depends both on the operating system (Windows 7 64-bit in my case) and on the version installed (I do not have the "Enterprise" version).
By the way, in this article you can see various ways to decompress these McAfee files (including some scripts to automate the work).


Just re-reading our old remarks here. I just got off the phone with McAfee on another matter. I asked them about this. Their tech support rep said there is no way of figuring out what is in .bup files, even if you install a brand-new copy of McAfee: it won't be able to penetrate .bup files produced by another McAfee installation. Seems we did a better job of figuring it out on our own. Anyway, note a relatively recent McAfee tech support article on this.