
Original File Recovery Threat Extraction R8x


A few years ago there was a post on how to recover files manually via scrub from the gateway.

As of R80.40 (I haven't checked R81), things are different now.

First of all, I cannot find the "File ID" anymore in the logfile. Probably it's the ID, which brings me to the next problem: I cannot fetch or send an e-mail with this file ID. I tried a few files; they are not working (cannot be found). Maybe there are ones that work with the ID field from TX, but I haven't tried more files.

Alas, the Mail ID works, which can be found in /var/log/scrub/repository/MAILID_two_letter/{MailID}oc

But with the Mail ID I can only send the stored original to the original recipient, which isn't always possible, because of the mail setup.

I need to fetch the file (scrub fetch_orig_file <file id>) or send the file to the administration (scrub send_orig_file <file id> <admin@domain.tld>).

In the past one could find the original files in the repository renamed, now it's different. It's just one file, the {mail-id}oc file.

This mail-id file is txt, with CRLF, and cannot be base64 decoded. dos2unix will make it base64 decodable and you get a data blob. Probably the wrong way to decode this.

My question is, how can I recover the original file from {Mail-ID}oc? Do I need some kind of Oracle converter, on which TX seems to rely? The original e-mail TXT+base64 would be sufficient.

The other question is, what is the "file id", is it the "ID" in Smartlog?

Cheers Chris



0 Kudos
4 Replies

Hello! I have absolutely the same task and questions... Can someone help us with information? 

0 Kudos

MTA is not different in R80.40 or R81.10 but is the same for all supported versions. It should work with the latest MTA version, as the issue is listed here:


I've just checked my mta_ver and found that it is 8040.xxxx. I don't know why, because I did a clean install of the newest 81.10 GAIA in late August 2022.

Anyway, I don't use the Check Point appliance as a mail gateway. But SMTP traffic goes through the Threat Extraction/Emulation blades. Is there any way to download the original files? It is not necessary to send them via e-mail, just download.

Thank you! 

0 Kudos

Was the end user unable to retrieve the original themselves via the self-service link?

0 Kudos