Decrypting quarantined files from OfficeScan clients is a way to further analyze issues. However, decryption failed even after the administrator did the following:
The administrator copied the VSEncrypt utility from the OfficeScan server by copying all files in the file://osce_server/ofcscan/Admin/Utility/VSEncrypt folder to a local directory on the client that contains the quarantined files. He then opened a command prompt, changed to the directory where the files were copied, and entered the following command:
VSEncode.exe -d /f Quarantined_Filename.vir
where "Quarantined_Filename.vir" is the full path of the quarantined file.
Checking the VSEncrypt.log file displays the following message:
2010/07/08 11:04:29 [Decryption] successful => Quarantined_Filename.vir decrypted as => (The file is already decrypted.)
However, the file remained encrypted and no decrypted file was written to disk.
To resolve this issue, make sure that the vsapi32.dll used by VSEncode.exe is the same version as the vsapi32.dll on the OfficeScan client.
To successfully decrypt the quarantined files:
- Copy only the VSEncode.exe file from the file://osce_server/ofcscan/Admin/Utility/VSEncrypt folder of the OfficeScan server to a local directory on the target client.
  Do not copy the vsapi32.dll file that is also in that folder.
- Locate the vsapi32.dll file on the target OfficeScan client and copy it into the same directory where VSEncode.exe was copied.
  In a default installation, vsapi32.dll is in the C:\Program Files\Trend Micro\OfficeScan Client folder.
- Open a command prompt, change to that directory, and run the VSEncode command:
VSEncode.exe -d /f Quarantined_Filename.vir
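As an added example (not part of this article), the following PowerShell script performs the three steps above and also compares the file version of the vsapi32.dll in the server's VSEncrypt folder with the client's copy, since that version difference is what produces the misleading "already decrypted" log entry. The UNC share path, the working folder, the quarantine folder and the assumption that VSEncrypt.log is written next to VSEncode.exe are placeholders, not values from the article.

```powershell
# Added example, not Trend Micro's own tooling. Paths below are assumptions/placeholders.
$ServerToolDir = '\\osce_server\ofcscan\Admin\Utility\VSEncrypt'   # server utility folder
$ClientDll     = 'C:\Program Files\Trend Micro\OfficeScan Client\vsapi32.dll'
$WorkDir       = 'C:\Temp\VSEncrypt'      # local folder on the client (placeholder)
$Quarantine    = 'C:\Temp\Quarantine'     # folder holding the .vir files (placeholder)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Diagnostic: report whether the server-folder DLL differs from the client's engine DLL.
# Copying the whole server folder would load the server DLL and trigger the failure described above.
$serverVer = (Get-Item (Join-Path $ServerToolDir 'vsapi32.dll')).VersionInfo.FileVersion
$clientVer = (Get-Item $ClientDll).VersionInfo.FileVersion
if ($serverVer -ne $clientVer) {
    Write-Warning "vsapi32.dll version differs: server $serverVer, client $clientVer (using client copy)"
}

# Step 1: copy only VSEncode.exe; the server's vsapi32.dll is deliberately left behind.
Copy-Item -Path (Join-Path $ServerToolDir 'VSEncode.exe') -Destination $WorkDir -Force

# Step 2: place the client's own vsapi32.dll next to VSEncode.exe.
Copy-Item -Path $ClientDll -Destination $WorkDir -Force

# Step 3: run the same command the article uses, once per quarantined file (full path as argument).
Push-Location $WorkDir
try {
    foreach ($vir in Get-ChildItem -Path $Quarantine -Filter '*.vir' -File) {
        & .\VSEncode.exe -d /f $vir.FullName
    }
}
finally {
    Pop-Location
}

# Check the log for the symptom from the article; with matching DLL versions it should not appear.
# Assumption: VSEncrypt.log is written in the working directory.
$log = Join-Path $WorkDir 'VSEncrypt.log'
if (Test-Path $log) {
    Select-String -Path $log -SimpleMatch 'already decrypted' |
        ForEach-Object { Write-Warning "Decryption did not produce output: $($_.Line)" }
}
```

Run the script from an elevated PowerShell session on the client; after it completes, the decrypted files should be present alongside the .vir files and the log should contain no "already decrypted" entries.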