
Original File Recovery Threat Extraction R8x


A few years ago there was a post on how to recover files manually via scrub from the gateway.

As of R80.40 (I haven't checked R81), things are different now.

First of all, I cannot find the "File ID" anymore in the logfile. Probably it's the ID, which brings me to the next problem: I cannot fetch or send an e-mail with this file ID. I tried a few files; they are not working (cannot be found). Maybe there are ones that work with the ID field from TX, but I haven't tried more files.

Alas, the Mail ID works, which can be found in /var/log/scrub/repository/MAILID_two_letter/{MailID}oc

But with the Mail ID I can only send the stored original to the original recipient, which isn't always possible, because of the mail setup.

I need to fetch the file (scrub fetch_orig_file <file id>) or send the file to the administration (scrub send_orig_file <file id> <admin@domain.tld>).

In the past one could find the original files in the repository renamed, now it's different. It's just one file, the {mail-id}oc file.

This mail-id file is txt, with CRLF, and cannot be base64 decoded. dos2unix will make it base64 decodable, and you get a data blob. Probably the wrong way to decode this.

My question is, how can I recover the original file from {Mail-ID}oc? Do I need some kind of Oracle converter, on which TX seems to rely? The original e-mail TXT+base64 would be sufficient.

The other question is, what is the "file id", is it the "ID" in Smartlog?

Cheers Chris
