The OfficeScan server's quarantined directory has no files, even if it was confirmed that the correct Quarantine directory path is specified in the OfficeScan console.
The total files quarantined and total file size show "0" even after downloading the eicar test virus several times on an OfficeScan client machine. During the eicar testing, the OfficeScan client showed a pop up message saying the virus was quarantined.
Upon checking the OfficeScan server's Virus logs in Logs > Networked Computer Logs > Security Risks, the following appears: "Unable to send the quarantined file to the designated quarantine folder. Refer to the online help for solutions."
After enabling debugging on the OfficeScan server, the following errors were observed in the logs:
2010 04/15 18:07:20 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe][ProcessVirusLogFile] lpszMoveDir:"http://avserver.global.domain.com/" lpsz2ndMoveDir:"http://avserver.global.domain.com/" - [(1)]
2010 04/15 18:07:20 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe][HTTP_CopyFile] lpExistingFileName=C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\eicar_798.VIR - [(1)]
2010 04/15 18:07:21 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe][HTTP_CopyFile] HTTPUpload Failed. error=7:0 - [(1)]
2010 04/15 18:07:21 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe][ProcessVirusLogFile] 2.HTTP_CopyFile Failed. - [(1)]
2010 04/15 18:07:21 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe][ProcessVirusLogFile] LogName = C:\Program Files\Trend Micro\OfficeScan Client\FLog\_r0716676.LOG - [(1)]
2010 04/15 18:07:21 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe]C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\eicar_798.VIR - [[ProcessVirusLogFile] Copy file failed. (Error = %d), Src=%s, Dest = %s(0)]
The issue, in this case, was that the OfficeScan clients were pointing their Quarantine Directories to a non-existent OfficeScan server.
To resolve this issue, do the following for all the scan types (Manual, Real-time, Scheduled, and Scan Now Settings):
- Log on to the OfficeScan management console.
- Do one of the following:
- For OSCE 11.0, go to Agents > Agent Management.
- For OSCE 10.6 and below, go to Networked Computers > Client Management.
- Select the root, domain, or client where you want to make the changes.
- Click Settings > Scan Type Setting (Manual, Real-time, Scheduled and Scan Now Settings).
- Go to the Action tab.
- Update the Quarantine Directory with the correct information and then click Save.
- Repeat the steps for all the scan types.
The OfficeScan clients will be updated and will be able to upload the files to the quarantine directory.
The registry location of the OfficeScan client where the moved directory is stored is HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration moverdir=
If the issue persists, do the following:
- Check and ensure that the latest OfficeScan patches are applied:
- Restart the following Services:
- At the OfficeScan Server both the Microsoft IIS (or Apache2 Service) as well as the OfficeScan Master Service.
- At the target workstation, the OfficeScan NT Listener Service.
If the above solution did not resolve the issue, do the following: