Unable to decrypt quarantined files in OfficeScan

- Updated:
- 6 Sep 2017
- Product/Version:
- OfficeScan 10.6
- OfficeScan 11.0
- OfficeScan 11.0
- OfficeScan XG
- OfficeScan XG.All
- Platform:
- Windows 2003 Compute Cluster Server
- Windows 2003 Datacenter Server
- Windows 2003 Datacenter Server Edition 64-bit
- Windows 2003 Enterprise Server
- Windows 2003 Standard Server Edition
- Windows 2003 Standard Server Edition 64-bit
- Windows 2003 Storage Server
- Windows 2003 Web Server Edition
- Windows 2008 Datacenter Server
- Windows 2008 Datacenter Server Edition 64-bit
- Windows 2008 Enterprise Server
- Windows 2008 Enterprise Server Edition 64-bit
- Windows 2008 Standard Server Edition
- Windows 2008 Standard Server Edition 64-bit
- Windows 2008 Storage Server
- Windows 2008 Web Server Edition
- Windows 2008 Web Server Edition 64-bit
- Windows 7 32-bit
- Windows 7 64-bit
- Windows Vista 32-bit
- Windows Vista 64-bit
- Windows XP Professional
- Windows XP Professional 64-bit

Summary

Decrypting quarantined files from OfficeScan clients is a way to further analyze issues. However, the administrator failed to do so, even after doing the following:

The administrator copied the VSEncrypt Utility from the OfficeScan server by copying the files in the file://osce_server/ofcscan/Admin/Utility/VSEncrypt folder to a local directory on the client, which contains the quarantined files. After that, he opened a command prompt, went to the directory where the files were copied, and entered the following command:

VSEncode.exe -d /f Quarantined_Filename.vir

Where "Quarantined_Filename.vir" contains the full path of the quarantined file.

Checking the VSEncrypt.log file displays the following message:

2010/07/08 11:04:29 [Decryption] successful => Quarantined_Filename.vir decrypted as => (The file is already decrypted.)

However, the file was still encrypted and no decrypted file was generated on the disk.

Starting from OfficeScan 11.0, the VSEncode.exe tool has persisted under the OSCE agent installation folder. Users may be able to put those encrypted files under client backup folder and use the VSEncode.exe to perform a decryption via GUI.

Details

To resolve this issue, make sure that the vsapi32.dll file that is used in the VSEncode.exe utility and the OfficeScan clients have the same version.

For example, the vsapi32.dll version, which was included in the file://osce_server/ofcscan/Admin/Utility/VSEncrypt folder, was 8.950.1092. The Scan Engine deployed to the OfficeScan clients was version 9.205.1002.

To successfully decrypt the quarantined files:

Copy only the VSEncode.exe file from the file://osce_server/ofcscan/Admin/Utility/VSEncrypt folder of the OfficeScan server to a local directory on the target client.
Do not copy the vsapi32.dll file, which is already in the directory above.
Look for the vsapi32.dll file on the target OfficeScan client and copy it into the same directory where VSEncode.exe was copied before.
In a default installation, vsapi32.dll is under C:\Program Files\Trend Micro\OfficeScan client folder.
Open a command prompt and run the VSencode command:
VSEncode.exe -d /f Quarantined_Filename.vir

A detailed documentation about all the VSencode commands is found in the Online Help of the OfficeScan server management console under Tools > Client Tools > Restore Encrypted Virus.