Depending on the detection type, OfficeScan/Apex One stores detected files in different locations. Refer to the following steps to retrieve a falsely detected file:
There are several detection types, each protecting against different threats. If you encounter a false positive, refer to the matching detection type below to retrieve the sample and submit it to Trend Micro for further analysis:
- Identify the Detection Name Type. Below is a sample of a Virus Scan detection:
- Find samples in the Quarantine Directory:
- For the Restoration Methods and Exception:
  - Go to Agent > Agent management > Tasks > Central Quarantine Restore.
  - Use VSEncode.exe:
    - This tool is located in [Server folder]/PCCSRV/Admin/Utility/VSEncrypt.
    - Execute it with parameters in the command window:
      VSEncode.exe /d /f [filename]
    Using VSEncode.exe will not add detected files to the scan exclusion list. You may need to add the file manually to prevent it from being detected again.
- Identify the Detection Name Type. Below is a sample of a Predictive Machine Learning detection.
  A Predictive Machine Learning detection contains .XXPE or .XXBP in its detection name.
- Find samples in the Quarantine Directory. The default is [OfficeScan Server]\PCCSRV\Virus, but this can be configured via the Quarantine Manager. Samples are renamed with the host name of the detected agent.
  On the agent side, go to [Agent folder]\Backup. Samples are renamed TSC_GENCLEAN_{Timestamp} with a *.dat extension.
- For the Restoration Methods and Exception:
  - Go to Agent > Agent management > Tasks > Central Quarantine Restore.
  - Extract it from the quarantine folder and rename the file extension to restore the sample. You may need to set the exclusion before manual restoration.
  - Use VSEncode.exe on the agent side:
    - This tool is located in [Server folder]/PCCSRV/Admin/Utility/VSEncrypt.
    - Execute it with parameters in the command window:
      VSEncode.exe /d /f [filename]
    Using VSEncode.exe will not add detected files to the scan exclusion list. You may need to add the file to the Predictive Machine Learning exclusion list manually to prevent it from being detected again.
- Identify the Detection Name Type. Below is an example of a Predictive Machine Learning detection:
  A Predictive Machine Learning detection contains .XXPE or .XXBP in its detection name.
- Find samples in the Quarantine Directory. The default is [OfficeScan Server]\PCCSRV\Virus, but this can be configured via the Quarantine Manager. Samples are renamed with the host name of the detected agent.
  On the agent side, go to [Agent folder]\Backup. Samples are renamed TSC_GENCLEAN_{Timestamp} with a *.dat extension.
- For the Restoration Methods and Exception, check whether the sample has been cleaned:
  - If the sample was cleaned, go to the quarantine folder and use the VSEncode tool to restore it.
  - If the sample was not cleaned, go to the sample location to collect the file.
  - You may need to add it to the Predictive Machine Learning exclusion list manually to prevent it from being detected again.
- Identify the Detection Name Type. Below is a sample of a Rapid Proliferation detection.
- Find samples in the Quarantine Directory. The default is [OfficeScan Server]\PCCSRV\Virus, but this can be configured via the Quarantine Manager. Samples are renamed with the host name of the detected agent.
  On the agent side, go to [Agent folder]\Backup. Samples are renamed TSC_GENCLEAN_{Timestamp} with a *.dat extension.
- For the Restoration Methods and Exception:
  - Go to Agent > Agent management > Tasks > Central Quarantine Restore.
  - Extract it from the quarantine folder and rename the file extension to restore the sample. You may need to set the exclusion before manual restoration.
  - Use VSEncode.exe on the agent side:
    - This tool is located in [Server folder]/PCCSRV/Admin/Utility/VSEncrypt.
    - Execute it with parameters in the command window:
      VSEncode.exe /d /f [filename]
    Using VSEncode.exe will not add detected files to the scan exclusion list. You may need to add the file to the Predictive Machine Learning exclusion list manually to prevent it from being detected again.
- Identify the Detection Name Type. Below is an example of a malware behavior blocking detection:
- Find samples in the Quarantine Directory:
  On the agent side, go to [Agent folder]\Backup. Samples are renamed TSC_GENCLEAN_{Timestamp} with a *.dat extension.
- For the Restoration Methods and Exception, check whether the sample has been cleaned:
  - If the sample was cleaned, go to the quarantine folder and use the VSEncode tool to restore it.
  - If the sample was not cleaned, go to the sample location to collect the file.
  - You may need to add the detected program to the Trusted Program List manually to prevent it from being detected again.
- Identify the Detection Name Type. Below is an example of a malware behavior blocking detection:
- Find samples in the Quarantine Directory:
  Go to Agent > Agent Management > Tasks > Central Quarantine Restore.
  Central Quarantine Restore automatically adds the detected file to the scan exclusion list only, so you may need to add the detected program to the Trusted Program List manually.
- Use VSEncode.exe:
  - This tool is located in [Server folder]/PCCSRV/Admin/Utility/VSEncrypt.
  - Execute it with parameters in the command window:
    VSEncode.exe /d /f [filename]
  Using VSEncode.exe will not add detected files to the exclusion list. You may need to add the detected program to the Trusted Program List manually to prevent it from being detected again.
- Identify the Detection Name Type. Below is a sample of a Rapid Proliferation detection.
- Find samples in the Quarantine Directory by going to Agent > Agent management > Tasks > Central Quarantine Restore.
  Central Quarantine Restore automatically adds the detected file to the scan exclusion list only, so you may need to add the detected program to the Trusted Program List manually.
- Use VSEncode.exe:
  - This tool is located in [Server folder]/PCCSRV/Admin/Utility/VSEncrypt.
  - Execute it with parameters in the command window:
    VSEncode.exe /d /f [filename]
  Using VSEncode.exe will not add detected files to the scan exclusion list. You may need to add the file to the Trusted Program List manually to prevent it from being detected again.
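As an added example (not part of the Trend Micro article), the following PowerShell script applies the VSEncode.exe /d /f step described above to every TSC_GENCLEAN_*.dat file in the agent Backup folder and reports the result of each run, so that all samples from one false-positive incident can be retrieved in one pass. The Backup folder path, the location of the copied VSEncode.exe and the optional date filter are supplied by the caller and are assumptions; only the file-name pattern and the /d /f switches come from the article.

```powershell
<#
  Added example: batch-decode quarantined agent backups with VSEncode.exe.
  Run on the agent (or on a copy of its Backup folder) after copying
  VSEncode.exe from [Server folder]\PCCSRV\Admin\Utility\VSEncrypt.
  All paths below are caller-supplied assumptions, not product defaults.
#>
param(
    [Parameter(Mandatory)] [string]$BackupDir,    # [Agent folder]\Backup on the agent
    [Parameter(Mandatory)] [string]$VSEncodeExe,  # full path to the copied VSEncode.exe
    [string]$Since = ''                            # optional: only files written at/after this time
)

if (-not (Test-Path -LiteralPath $VSEncodeExe)) { throw "VSEncode.exe not found: $VSEncodeExe" }

# Backed-up samples are named TSC_GENCLEAN_{Timestamp}.dat (per the article).
$files = Get-ChildItem -Path $BackupDir -Filter 'TSC_GENCLEAN_*.dat' -File
if ($Since) { $files = $files | Where-Object { $_.LastWriteTime -ge [datetime]$Since } }
if (-not $files) { Write-Host "No TSC_GENCLEAN_*.dat files found in $BackupDir"; return }

$report = foreach ($f in $files) {
    # VSEncode.exe /d /f <file> is the decode invocation given in the article.
    $output = & $VSEncodeExe /d /f $f.FullName 2>&1
    [pscustomobject]@{
        File     = $f.Name
        Written  = $f.LastWriteTime
        ExitCode = $LASTEXITCODE
        Output   = ($output | Out-String).Trim()
    }
}
$report | Format-Table -AutoSize

# Reminder from the article: decoding with VSEncode.exe adds nothing to any exclusion
# list; add the sample to the scan exclusion list, the Predictive Machine Learning
# exclusion list or the Trusted Program List as appropriate before it runs again.
```

Review the ExitCode and Output columns for any file that did not decode before collecting the restored samples for submission.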
After retrieving samples, you may refer to the following link for submitting samples: User Guide: New Requests.