Files are renamed as "_invalid" in the OfficeScan (OSCE) server

- Updated:
- 24 Nov 2016
- Product/Version:
- OfficeScan 10.6
- OfficeScan 11.0
- OfficeScan 11.0
- OfficeScan XG
- OfficeScan XG.All
- Platform:
- Windows 10 32-bit
- Windows 10 64-bit
- Windows 2003 Datacenter 64-bit
- Windows 2003 Enterprise
- Windows 2003 Enterprise 64-bit
- Windows 2003 Server R2
- Windows 2003 Standard
- Windows 2003 Standard 64-bit
- Windows 2008 Datacenter
- Windows 2008 Datacenter 64-bit
- Windows 2008 Enterprise
- Windows 2008 Enterprise 64-bit
- Windows 2008 Server Core
- Windows 2008 Server R2 Enterprise
- Windows 2008 Standard
- Windows 2008 Standard 64-bit
- Windows 2008 Web Server Edition
- Windows 2008 Web Server Edition 64-bit
- Windows 2012 Datacenter R2
- Windows 2012 Enterprise
- Windows 2012 Enterprise R2
- Windows 2012 Server Essential R2
- Windows 2012 Server Essentials
- Windows 2012 Standard
- Windows 2012 Standard R2
- Windows 2012 Web Server Edition
- Windows 7 32-Bit
- Windows 7 64-Bit
- Windows 8 32-Bit
- Windows 8 64-Bit
- Windows Vista 32-bit
- Windows Vista 64-bit
- Windows XP Home
- Windows XP Professional
- Windows XP Professional 64-bit

Summary

After upgrading OfficeScan, users complained that the server started to rename all files in the OfficeClient Directory to "_invalid".
Below is a sample list of files in the D:\app\Trend Micro\OfficeScan\PCCSRV\Admin directory:

04.10.2008 08:35 214.280 ciussi32.dll_Invalid
04.10.2008 08:42 296.200 ciussi64.dll_Invalid
04.08.2010 19:55 343.352 Instreg.exe_Invalid
04.08.2010 19:56 133.232 loadhttp.dll_Invalid
04.08.2010 19:59 211.584 OSCETSCLog.dll_Invalid
04.10.2008 08:35 195.336 PATCH.EXE_Invalid
04.10.2008 08:42 597.768 PATCH64.EXE_Invalid
26.09.2008 22:00 230.752 patchw32.dll_Invalid
18.08.2009 20:25 245.000 patchw64.dll_Invalid
04.08.2010 20:01 75.552 TimeString.dll_Invalid
04.08.2010 20:01 252.712 tmdbg20.dll_Invalid
04.08.2010 20:03 553.472 TmUninst.dll_Invalid
04.08.2010 20:03 100.272 TmUninst.exe_Invalid
29.06.2010 16:07 1.472.776 TmUpdate.dll_Invalid
29.06.2010 16:08 2.618.632 TmUpdate64.dll_Invalid
31.03.2010 17:11 423.688 TSC.exe_Invalid
31.03.2010 17:16 2.304.776 TSC64.exe_Invalid
12.08.2010 15:29 75.616 unzip.dll_Invalid
12.08.2010 15:29 75.608 ZLib.dll_Invalid
19 File(s) 10.420.608 bytes

Users monitored the issue using process monitor and found out that the ofchotfix.exe process started to rename the files on several OfficeScan servers after the upgrade.

Details

This issue happened after implementing OSCE 10.0 Hot Fix 1848, which is included in OSCE 10.0 Patch 1 and later versions.

After applying Hot Fix 1848, the OfficeScan server will start renaming files with invalid digital signature to add a warning message in Microsoft Windows application event log.

This feature was implemented to check the integrity of the files and to ensure that they file is valid by checking the certificate. We use the Windows functionality to check the certificate. This function requires that the Certificate Revocation List (CRL) can receive a response from the Microsoft Certificate server.

If the file signature cannot be validated because the Microsoft Certificate server is not available or cannot be resolved from the user's network, then the file will be renamed to "<filename>_invalid".

If you do not require this feature, then you can disable it. If you require it, then either the CRL needs to be able to collect the response from the Microsoft Certificate server, or an MS certificate server needs to be set up internally on your environment.

To deactivate this feature:

This procedure can be done without any risk as the digital signature feature does not change the content of the files. It only renames them.

Open the ..\PCCSRV\ofcscan.ini file using Notepad or any text editor.
Go to the [INI_SERVER_SECTION] section and look for this parameter:
"CheckDigitalSignatureForHotfix"
Change the value of this parameter from "1" to "0".
Save the changes you made in the ofcscan.ini file on the server.
Restart the OfficeScan Master Service.
Rename all "_invalid" files to their proper names.