Christoph
Contributor

Original File Recovery Threat Extraction R8x

Hello,

A few years ago there was a post on how to recover files manually via scrub from the gateway.

As of R80.40 (I haven't checked R81), things are different now.

First of all, I cannot find the "File ID" anymore in the logfile. Probably it's the ID, which brings me to the next problem. I cannot fetch or send an e-mail with this file id. I tried a few files, they are not working (cannot be found). Maybe there are ones that work with the ID field from TX, but I haven't tried more files.

Alas, the Mail ID works, which can be found in /var/log/scrub/repository/MAILID_two_letter/{MailID}oc

But with the Mail ID I can only send the stored original to the original recipient, which isn't always possible, because of the mail setup.

I need to fetch the file (scrub fetch_orig_file <file id>) or send the file to the administration (scrub send_orig_file <file id> <admin@domain.tld>).

In the past one could find the original files in the repository renamed, now it's different. It's just one file, the {mail-id}oc file.

This mail-id file is txt, with CRLF, and cannot be base64 decoded. dos2unix will make it base64 decodable and you get a data blob. Probably the wrong way to decode this.

My question is, how can I recover the original file from {Mail-ID}oc? Do I need some kind of Oracle converter, on which TX seems to rely? The original e-mail TXT+base64 would be sufficient.

The other question is, what is the "file id", is it the "ID" in Smartlog?

Cheers, Chris
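
An added example (not code from this thread and not Check Point's) that reproduces the decode step Chris describes and then labels the decoded blob by its leading bytes, so you can tell whether the {MailID}oc content is an attachment (PDF, OOXML, OLE2, gzip) or the original RFC 822 e-mail text. It assumes only what the post states: the file is base64 text with CRLF line endings. The sample input is constructed, and the labels are generic magic-byte checks, not knowledge of the TX repository format:

```shell
#!/bin/sh
# Added example, not Check Point's code: normalise a CRLF-delimited base64 text
# file the way dos2unix would, decode it, and label the decoded blob by its
# leading bytes. Assumption (from the post): {MailID}oc is base64 text with CRLF.

# decode_crlf_base64 IN OUT
# Strips carriage returns (coreutils base64 -d rejects CR but tolerates LF),
# then decodes into OUT. Exit status is non-zero if the input is not valid base64.
decode_crlf_base64() {
    tr -d '\r' < "$1" | base64 -d > "$2"
}

# sniff_blob FILE
# Prints a label derived from the first four bytes, rendered as hex via od so
# that non-printable magic bytes (e.g. OLE2 d0cf11e0) compare safely in sh.
sniff_blob() {
    magic=$(od -An -tx1 -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        25504446) echo "pdf" ;;            # %PDF
        504b0304) echo "zip-or-ooxml" ;;   # PK\003\004: zip, docx, xlsx, pptx
        d0cf11e0) echo "ole2-office" ;;    # legacy .doc/.xls/.ppt, Outlook .msg
        1f8b*)    echo "gzip" ;;
        *)
            # No known magic: check whether it looks like an RFC 822 message,
            # i.e. the "original e-mail TXT" the post asks about.
            if LC_ALL=C head -n 20 "$1" | grep -Eiq '^(Received|From|Subject|MIME-Version|Content-Type):'; then
                echo "rfc822-message"
            else
                echo "unknown"
            fi
            ;;
    esac
}

# Constructed sample: "%PDF-1.4\n" base64-encoded and split into CRLF lines,
# the shape the post describes (coreutils base64 -d rejects it until CR is gone).
sample_in=$(mktemp)
sample_out=$(mktemp)
printf 'JVBERi0x\r\nLjQK\r\n' > "$sample_in"

if base64 -d < "$sample_in" > /dev/null 2>&1; then
    echo "raw file decoded without normalisation"
else
    echo "raw file rejected by base64 -d (CR present), normalising"
fi
decode_crlf_base64 "$sample_in" "$sample_out"
echo "decoded type: $(sniff_blob "$sample_out")"
rm -f "$sample_in" "$sample_out"
```

Run it on the gateway as `sh decode_oc.sh` after pointing `sample_in` at the real `{MailID}oc` file; if the label comes back `unknown`, the blob is not plain base64 of a known container and a different decoding step is needed, which is the open question in this thread.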

Sysprog_Alexey
Participant

Hello! I have absolutely the same task and questions... Can someone help us with information?
G_W_Albrecht
Legend

MTA is not different in R80.40 or R81.10 but is the same for all supported versions. It should work with the latest MTA version, as the issue is listed here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

CCSE CCTE CCSM SMB Specialist
Sysprog_Alexey
Participant

I've just checked my mta_ver and found that it is 8040.xxxx. I don't know why, because I did a clean install of the newest 81.10 GAIA in late August 2022.

Anyway, I don't use the Check Point appliance as a mail gateway. But SMTP traffic goes through the Threat Extraction/Emulation blades. Is there any way to download original files? It is not necessary to send them via e-mail, just download.

Thank you!
Chris_Atkinson
Employee

Was the end user unable to retrieve the original themselves via the self-service link?