McAfee W95/CTX Quarantine File Restore Utility

CTXundo is a stand-alone utility that can be used to recover from the false alarm on W95/CTX that was introduced in the 4715 dat files. This tool will only recover files that were detected and then quarantined with the VirusScan Enterprise products. It will not recover files that may have been deleted by any product or quarantined with VirusScan Online, Managed VirusScan or LinuxShield.

A listing of the files detected is available

You can find information for this threat on the Virus Information Library

Using CTXUndo.exe

CTXUndo Command Line parameters:

  • /report=(path and filename) [optional]

Default report is:

  • Filename=CTXUndo.log

and is written to the directory the tool is run from.

  • /quarantine_folder=<foldername> [optional]

  • /quarantine_folder=d:\quarantine

CTXUndo looks in d:\quarantine\infected.log for files to be restored.

  • /ods_scanlog=<log file> [optional]

  • /ods_scanlog=c:\Virusscan_logs\odsscanlog.txt

CTXUndo looks for a custom-named On-Demand Scan log in the c:\Virusscan_logs folder and matches its filenames against quarantined files.

Known Limitations

CTXundo is not network aware and should be run locally on the affected systems.

If CTXundo is run under the logged-in user, that user must have sufficient privileges to the file system to be able to restore files.

CTXundo cannot restore files which were deleted instead of quarantined.

CTXundo will report the names of files that could not be restored, either because they are already present in their original location or because the file is no longer present in the quarantine folder.

Due to logging limitations in VSE, CTXUndo cannot guarantee accurate file/path correlation in situations where multiple files of the same name, but from different original paths, exist in the INFECTED.LOG but have been renamed in the quarantine folder, e.g. the infected log contains:

  • c:\dir1\file.exe => file.exe
  • c:\dir2\file.exe => file.exe

but quarantine folder contains:

  • file.exe
  • file.exe.0

In this case, it is not possible to categorically correlate the files to their original locations, so files will be moved back in the order in which they are found.
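To see in advance which restores fall under this limitation, the following Python script (an added example, not part of CTXUndo or McAfee's code) separates quarantined files whose original location is certain from those that need manual verification after the restore. It assumes log lines in the `original path => quarantined name` form used in the illustration above and a numeric rename suffix such as `.0`; the sample data and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample data. Assumption: each log line has the
# "original path => quarantined name" form used in the illustration above.
SAMPLE_LOG = r"""
c:\dir1\file.exe => file.exe
c:\dir2\file.exe => file.exe
c:\tools\setup.exe => setup.exe
"""
SAMPLE_QUARANTINE = ["file.exe", "file.exe.0", "setup.exe"]

def parse_log(text):
    """Return (original_path, logged_name) pairs in log order."""
    entries = []
    for line in text.splitlines():
        if "=>" in line:
            orig, name = (part.strip() for part in line.split("=>", 1))
            entries.append((orig, name))
    return entries

def classify(entries, quarantine_files):
    """Group restores by whether the original location is certain."""
    origins = defaultdict(list)
    for orig, name in entries:
        origins[name.lower()].append(orig)
    on_disk = defaultdict(list)
    for qname in quarantine_files:
        key = qname.lower()
        if key not in origins:
            # Assumption: renamed copies get a numeric suffix (file.exe.0).
            key = re.sub(r"\.\d+$", "", key)
        on_disk[key].append(qname)
    report = {"unambiguous": [], "ambiguous": [], "missing": []}
    for name, origs in origins.items():
        files = sorted(on_disk.get(name, []))
        if not files:
            report["missing"].extend(origs)      # no longer in quarantine
        elif len(origs) == 1 and len(files) == 1:
            report["unambiguous"].append((files[0], origs[0]))
        else:
            report["ambiguous"].append((files, origs))  # verify by hand
    return report

if __name__ == "__main__":
    for kind, items in classify(parse_log(SAMPLE_LOG), SAMPLE_QUARANTINE).items():
        print(kind, items)
```

Files listed under `ambiguous` are the ones to compare against a known-good copy (size, version or hash) once they have been moved back.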

When files are restored from quarantine, those files will inherit the permissions of the parent folder.

Double-Byte Operating Systems

Due to differences in how Double-Byte products can write their log files, a specific version of the tool was developed for these languages. It is important to note that this tool will restore EVERYTHING found in the quarantine directory, including any threats that have been quarantined. It is imperative that the On-Access Scanner is turned on and running prior to running this tool.