Unable to decrypt quarantined files in OfficeScan

    • Updated:
    • 17 Oct 2016
    • Product/Version:
    • OfficeScan 10.6
    • OfficeScan 11.0
    • OfficeScan XG.All
    • Platform:
    • Windows 2003 Compute Cluster Server
    • Windows 2003 Datacenter Server
    • Windows 2003 Datacenter Server Edition 64-bit
    • Windows 2003 Enterprise Server
    • Windows 2003 Standard Server Edition
    • Windows 2003 Standard Server Edition 64-bit
    • Windows 2003 Storage Server
    • Windows 2003 Web Server Edition
    • Windows 2008 Datacenter Server
    • Windows 2008 Datacenter Server Edition 64-bit
    • Windows 2008 Enterprise Server
    • Windows 2008 Enterprise Server Edition 64-bit
    • Windows 2008 Standard Server Edition
    • Windows 2008 Standard Server Edition 64-bit
    • Windows 2008 Storage Server
    • Windows 2008 Web Server Edition
    • Windows 2008 Web Server Edition 64-bit
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Professional
    • Windows XP Professional 64-bit
Summary

Decrypting quarantined files from OfficeScan clients allows further analysis of an issue. In this case, however, the administrator could not decrypt the files, even after doing the following:

The administrator copied the VSEncrypt utility from the OfficeScan server by copying the files in the file://osce_server/ofcscan/Admin/Utility/VSEncrypt folder to a local directory on the client that holds the quarantined files. He then opened a command prompt, changed to the directory where the files were copied, and entered the following command:

VSEncode.exe -d /f Quarantined_Filename.vir

Here, "Quarantined_Filename.vir" is the full path of the quarantined file.

The VSEncrypt.log file shows the following message:

2010/07/08 11:04:29 [Decryption] successful => Quarantined_Filename.vir decrypted as =>  (The file is already decrypted.)

However, the file was still encrypted and no decrypted file was generated on the disk.

Details

To resolve this issue, make sure that the vsapi32.dll file used by the VSEncode.exe utility is the same version as the vsapi32.dll on the OfficeScan client.

 
For example, the vsapi32.dll included in the file://osce_server/ofcscan/Admin/Utility/VSEncrypt folder was version 8.950.1092, while the Scan Engine deployed to the OfficeScan clients was version 9.205.1002.

To successfully decrypt the quarantined files:

  1. Copy only the VSEncode.exe file from the file://osce_server/ofcscan/Admin/Utility/VSEncrypt folder of the OfficeScan server to a local directory on the target client.

    Do not copy the vsapi32.dll file that is in that server folder.

  2. Look for the vsapi32.dll file on the target OfficeScan client and copy it into the same directory where you placed VSEncode.exe.

    In a default installation, vsapi32.dll is in the C:\Program Files\Trend Micro\OfficeScan client folder.

  3. Open a command prompt and run the VSEncode command:

    VSEncode.exe -d /f Quarantined_Filename.vir

 
Detailed documentation of all the VSEncode commands is available in the Online Help of the OfficeScan server management console under Tools > Client Tools > Restore Encrypted Virus.
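
The three steps above as a PowerShell script, which also reports the version mismatch before staging the files. This is an added example, not Trend Micro's own tooling. It assumes the server share is reachable as the UNC path shown, that the engine version appears in the DLL's file-version resource, that VSEncrypt.log is written to the working directory, and it uses a hypothetical working directory C:\Temp\VSEncrypt.

```powershell
# Added example: stage VSEncode.exe with the client's own vsapi32.dll, then decrypt.
param(
    [Parameter(Mandatory=$true)] [string] $QuarantinedFile,  # full path to the .vir file
    # Assumption: UNC form of file://osce_server/ofcscan/Admin/Utility/VSEncrypt
    [string] $ServerToolDir = '\\osce_server\ofcscan\Admin\Utility\VSEncrypt',
    [string] $ClientDir     = 'C:\Program Files\Trend Micro\OfficeScan client',
    [string] $WorkDir       = 'C:\Temp\VSEncrypt'            # hypothetical working directory
)
$ErrorActionPreference = 'Stop'

function Get-DllVersion([string] $Path) {
    # Assumption: the engine version is recorded in the DLL's file-version resource.
    (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
}

$serverDll = Join-Path $ServerToolDir 'vsapi32.dll'
$clientDll = Join-Path $ClientDir 'vsapi32.dll'
if (-not (Test-Path -LiteralPath $clientDll)) {
    throw "vsapi32.dll not found in '$ClientDir'; pass -ClientDir for a non-default install."
}

# Report the mismatch that causes the failed decryption described in the Summary.
$clientVer = Get-DllVersion $clientDll
if (Test-Path -LiteralPath $serverDll) {
    $serverVer = Get-DllVersion $serverDll
    if ($serverVer -ne $clientVer) {
        Write-Warning "Server utility DLL is $serverVer; client scan engine is $clientVer."
    }
}

# Steps 1 and 2: only VSEncode.exe from the server, vsapi32.dll from the client.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Copy-Item -LiteralPath (Join-Path $ServerToolDir 'VSEncode.exe') -Destination $WorkDir -Force
Copy-Item -LiteralPath $clientDll -Destination $WorkDir -Force

# Step 3: run the decryption from the staging directory and show the log tail.
Push-Location $WorkDir
try {
    & .\VSEncode.exe -d /f $QuarantinedFile
    if (Test-Path .\VSEncrypt.log) {
        $tail = Get-Content .\VSEncrypt.log | Select-Object -Last 5
        $tail
        if ($tail -match 'already decrypted') {
            Write-Warning 'Log reports "already decrypted"; confirm a decrypted file exists on disk.'
        }
    }
} finally {
    Pop-Location
}
```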
Category:
Troubleshoot
Solution Id:
1057903