OfficeScan client quarantine files are not sent to the OSCE server

    • Updated: 17 Oct 2016
    • Product/Version: OfficeScan 10.6; OfficeScan 11.0; OfficeScan XG.All
    • Platform: Windows 2003 Enterprise Server; Windows 2003 Standard Server Edition; Windows 2008 Enterprise Server; Windows 2008 Standard Server Edition; Windows 7 32-bit; Windows Vista 32-bit; Windows XP Professional
Summary

The OfficeScan server's quarantine directory contains no files, even though the correct Quarantine directory path is confirmed to be specified in the OfficeScan console.

The total files quarantined and total file size show "0" even after downloading the eicar test virus several times on an OfficeScan client machine. During the eicar testing, the OfficeScan client showed a pop-up message saying the virus was quarantined.

Upon checking the OfficeScan server's Virus logs in Logs > Networked Computer Logs > Security Risks, the following appears: "Unable to send the quarantined file to the designated quarantine folder. Refer to the online help for solutions."

Checking the OfficeScan client machine shows the encrypted quarantined files. Communication from the client to the OfficeScan server and vice versa was also confirmed via telnet.

After enabling debugging on the OfficeScan server, the following errors were observed in the logs:

2010 04/15 18:07:20 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe][ProcessVirusLogFile] lpszMoveDir:"http://avserver.global.domain.com/" lpsz2ndMoveDir:"http://avserver.global.domain.com/" - [(1)]
2010 04/15 18:07:20 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe][HTTP_CopyFile] lpExistingFileName=C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\eicar[1]_798.VIR - [(1)]
2010 04/15 18:07:21 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe][HTTP_CopyFile] HTTPUpload Failed. error=7:0 - [(1)]
2010 04/15 18:07:21 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe][ProcessVirusLogFile] 2.HTTP_CopyFile Failed. - [(1)]
2010 04/15 18:07:21 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe][ProcessVirusLogFile] LogName = C:\Program Files\Trend Micro\OfficeScan Client\FLog\_r0716676.LOG - [(1)]
2010 04/15 18:07:21 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe]C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\eicar[1]_798.VIR - [[ProcessVirusLogFile] Copy file failed. (Error = %d), Src=%s, Dest = %s(0)]

The issue, in this case, was that the OfficeScan clients were pointing their Quarantine Directories to a non-existent OfficeScan server.
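The following is an added example, not Trend Micro code: it reads debug log lines in the layout quoted above, pairs each "HTTPUpload Failed" entry with the quarantine URL (lpszMoveDir) and source file logged on the same thread, and checks whether the URL's host name resolves. The line layout is assumed from the excerpt on this page, and the function names and the `resolver` parameter are hypothetical.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed sample: the first three debug lines quoted in the article.
SAMPLE_LOG = r'''2010 04/15 18:07:20 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe][ProcessVirusLogFile] lpszMoveDir:"http://avserver.global.domain.com/" lpsz2ndMoveDir:"http://avserver.global.domain.com/" - [(1)]
2010 04/15 18:07:20 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe][HTTP_CopyFile] lpExistingFileName=C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\eicar[1]_798.VIR - [(1)]
2010 04/15 18:07:21 [0300 : 0a04] (00) (F) [-IO-][pccntmon.exe][HTTP_CopyFile] HTTPUpload Failed. error=7:0 - [(1)]
'''

# Assumed layout (taken from the excerpt): timestamp, then "[pid : tid]".
LINE = re.compile(r'^(?P<ts>\d{4} \d\d/\d\d \d\d:\d\d:\d\d) \[(?P<pid>\w+) : (?P<tid>\w+)\]')
MOVEDIR = re.compile(r'lpszMoveDir:"([^"]*)"')
SRCFILE = re.compile(r'lpExistingFileName=(.+?) - \[')
FAILED = re.compile(r'HTTPUpload Failed\. error=(\S+)')

def resolves(host):
    """Default check: does the quarantine server name resolve in DNS?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except OSError:
        return False

def failed_uploads(log_text, resolver=resolves):
    """Return one record per failed quarantine upload, tracked per thread."""
    state, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a debug line in the expected layout
        ctx = state.setdefault((m['pid'], m['tid']), {})
        if (d := MOVEDIR.search(line)):
            ctx['url'] = d.group(1)        # configured quarantine directory
        elif (s := SRCFILE.search(line)):
            ctx['file'] = s.group(1)       # local quarantined file being sent
        elif (f := FAILED.search(line)):
            host = urlparse(ctx.get('url', '')).hostname
            findings.append({
                'time': m['ts'], 'file': ctx.get('file'), 'error': f.group(1),
                'quarantine_url': ctx.get('url'),
                'host_resolves': resolver(host) if host else False,
            })
    return findings

if __name__ == '__main__':
    for finding in failed_uploads(SAMPLE_LOG):
        print(finding)
```

A record with `host_resolves` set to False points at the cause described above: the client's quarantine directory names a server that does not exist.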

Details

To resolve this issue, do the following for all the scan types (Manual, Real-time, Scheduled, and Scan Now Settings):

  1. Log on to the OfficeScan management console.
  2. Do one of the following:
    • For OSCE 11.0, go to Agents > Agent Management.
    • For OSCE 10.6 and below, go to Networked Computers > Client Management.
  3. Select the root, domain, or client where you want to make the changes.
  4. Click Settings > Scan Type Setting (Manual, Real-time, Scheduled and Scan Now Settings).
  5. Go to the Action tab.
  6. Update the Quarantine Directory with the correct information and then click Save.

    Example: http://server.domain.com/

  7. Repeat the steps for all the scan types.

    The OfficeScan clients will be updated and will be able to upload the files to the quarantine directory.

On the OfficeScan client, the moved directory is stored in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration moverdir=

If the issue persists, do the following:

  1. Check and ensure that the latest OfficeScan patches are applied:
    1. For OfficeScan 10, ensure that Patch 2 for Service Pack 1 is applied.
    2. For OfficeScan 10.5, ensure that Patch 1 is applied.
  2. Restart the following Services:
    1. On the OfficeScan server, both the Microsoft IIS (or Apache2) service and the OfficeScan Master Service.
    2. On the target workstation, the OfficeScan NT Listener Service.

If the above solution did not resolve the issue, do the following:

  1. Download and run the CDT utility on the problematic host machine.
  2. Collect the CDT logs and contact Trend Micro Technical Support.

Category: Troubleshoot
Solution Id: 1056090