After upgrading OfficeScan, users complained that the server started to rename all files in the OfficeClient Directory to "_invalid".
Below is a sample list of files in the D:\app\Trend Micro\OfficeScan\PCCSRV\Admin directory:
04.10.2008 08:35 214.280 ciussi32.dll_Invalid
04.10.2008 08:42 296.200 ciussi64.dll_Invalid
04.08.2010 19:55 343.352 Instreg.exe_Invalid
04.08.2010 19:56 133.232 loadhttp.dll_Invalid
04.08.2010 19:59 211.584 OSCETSCLog.dll_Invalid
04.10.2008 08:35 195.336 PATCH.EXE_Invalid
04.10.2008 08:42 597.768 PATCH64.EXE_Invalid
26.09.2008 22:00 230.752 patchw32.dll_Invalid
18.08.2009 20:25 245.000 patchw64.dll_Invalid
04.08.2010 20:01 75.552 TimeString.dll_Invalid
04.08.2010 20:01 252.712 tmdbg20.dll_Invalid
04.08.2010 20:03 553.472 TmUninst.dll_Invalid
04.08.2010 20:03 100.272 TmUninst.exe_Invalid
29.06.2010 16:07 1.472.776 TmUpdate.dll_Invalid
29.06.2010 16:08 2.618.632 TmUpdate64.dll_Invalid
31.03.2010 17:11 423.688 TSC.exe_Invalid
31.03.2010 17:16 2.304.776 TSC64.exe_Invalid
12.08.2010 15:29 75.616 unzip.dll_Invalid
12.08.2010 15:29 75.608 ZLib.dll_Invalid
19 File(s) 10.420.608 bytes
Users monitored the issue using process monitor and found out that the ofchotfix.exe process started to rename the files on several OfficeScan servers after the upgrade.
This issue happened after implementing OSCE 10.0 Hot Fix 1848, which is included in OSCE 10.0 Patch 1 and later versions.
After applying Hot Fix 1848, the OfficeScan server will start renaming files with invalid digital signature to add a warning message in Microsoft Windows application event log.
This feature was implemented to check the integrity of the files and to ensure that they file is valid by checking the certificate. We use the Windows functionality to check the certificate. This function requires that the Certificate Revocation List (CRL) can receive a response from the Microsoft Certificate server.
If the file signature cannot be validated because the Microsoft Certificate server is not available or cannot be resolved from the user's network, then the file will be renamed to "<filename>_invalid".
If you do not require this feature, then you can disable it. If you require it, then either the CRL needs to be able to collect the response from the Microsoft Certificate server, or an MS certificate server needs to be set up internally on your environment.
To deactivate this feature:
- Open the ..\PCCSRV\ofcscan.ini file using Notepad or any text editor.
- Go to the [INI_SERVER_SECTION] section and look for this parameter:
"CheckDigitalSignatureForHotfix"
- Change the value of this parameter from "1" to "0".
- Save the changes you made in the ofcscan.ini file on the server.
- Restart the OfficeScan Master Service.
- Rename all "_invalid" files to their proper names.