Reporting a false positive issue that occurs in OfficeScan (OSCE) XG

    • Updated:
    • 17 Oct 2016
    • Product/Version:
    • OfficeScan XG.All
    • Platform:
    • Windows 10
    • Windows 2008 32-Bit
    • Windows 2008 64-Bit
    • Windows 7 32-Bit
    • Windows 7 64-Bit
    • Windows 8 32-Bit
    • Windows 8 64-Bit
    • Windows 8.1 32-Bit
    • Windows 8.1 64-Bit
Summary

This article explains how to retrieve quarantined samples from OSCE and how to submit a false positive case when one occurs.

Details
Public

To submit a false positive case:

  1. Sign in to the Support Portal. If you are already logged in to eSupport, click My Support in the header navigation.
  2. On the side navigation, click New Request.
  3. Fill in the Product Profile and Affected Operating System fields. The Request Type field's default is the “Submit a Case” option. There is no need to change it.
  4. Select the appropriate category: Virus False Alarm.
  5. Enter the Scan Engine Version and Virus Pattern Type that OfficeScan is using.
  6. Enter a subject and a description that includes the detection name for your case. Attach the falsely detected files to the case; this is required.
  7. Fill out the Case Urgency, CC Emails, and Contact Method fields.
  8. Click the Submit button.

OfficeScan stores detected files in different locations depending on the detection type. OfficeScan XG has several detection types that protect against different threats; if you encounter a false positive, use the section below that matches the detection type to retrieve the sample and submit it to Trend Micro for further analysis:

Virus Scan

  1. Identify the Detection Name Type. Below is a sample of a Virus Scan detection:

    Detection Name Type - Virus Scan

  2. Find the samples in the Quarantine Directory:
    • On the server side, go to [Server folder]\PCCSRV\Virus. Samples are renamed with the host name of the detected agent.

      Quarantined Folder - Virus Scan

    • On the agent side, go to [Agent folder]\Suspect\Backup. Samples are renamed with a *.qtn extension.

      Quarantined Folder - Virus Scan 2

  3. For the Restoration Methods and Exception:
    1. Go to Agent > Agent management > Tasks > Central Quarantine Restore.

      Restoration Methods - Virus Scan

      Central Quarantine Restore automatically adds the detected file to the scan exclusion list.
    2. Use VSEncode.exe:
      • This tool is located in [Server folder]/PCCSRV/Admin/Utility/VSEncrypt.
      • Execute it with parameters in the command window:

        VSEncode.exe /d /f [filename]

        Restoration Methods - Virus Scan 2

      VSEncode.exe does not add the detected file to the scan exclusion list. You may need to add it manually to prevent it from being detected again.
Predictive Machine Learning (File)

  1. Identify the Detection Name Type. Below is a sample of a Predictive Machine Learning detection:

    Detection Name Type - PML File

    A Predictive Machine Learning detection contains .XXPE or .XXBP in its detection name.

  2. Find the samples in the Quarantine Directory. The default is [OfficeScan Server]\PCCSRV\Virus, but this can be configured via the Quarantine Manager. Samples are renamed with the host name of the detected agent.

    Quarantine Manager

    Quarantine Directory

    On the agent side, go to [Agent folder]\Backup. Samples are renamed TSC_GENCLEAN_{Timestamp} with a *.dat extension.

    Quarantined Folder - PML File

  3. For the Restoration Methods and Exception:
    1. Go to Agent > Agent management > Tasks > Central Quarantine Restore.

      Restoration Methods - PML File

      Central Quarantine Restore automatically adds the detected file to the scan exclusion list.
    2. Extract the sample from the quarantine folder and rename the file extension to restore it. You may need to set an exclusion before restoring it manually.
    3. Use VSEncode.exe on the agent side:
      • This tool is located in [Server folder]/PCCSRV/Admin/Utility/VSEncrypt.
      • Execute it with parameters in the command window:

        VSEncode.exe /d /f [filename]

        Restoration Methods - Virus Scan 2

        VSEncode.exe does not add the detected file to the scan exclusion list. You may need to add it to the Predictive Machine Learning exclusion list manually to prevent it from being detected again.
Predictive Machine Learning (Process)

  1. Identify the Detection Name Type. Below is an example of a Predictive Machine Learning detection:

    Detection Name Type - PML Process

    A Predictive Machine Learning detection contains .XXPE or .XXBP in its detection name.

  2. Find the samples in the Quarantine Directory. The default is [OfficeScan Server]\PCCSRV\Virus, but this can be configured via the Quarantine Manager. Samples are renamed with the host name of the detected agent.

    Quarantine Manager

    Quarantine Directory

    On the agent side, go to [Agent folder]\Backup. Samples are renamed TSC_GENCLEAN_{Timestamp} with a *.dat extension.

    Quarantined Folder - PML Process New

  3. For the Restoration Methods and Exception, check whether the sample has been cleaned:
    • If the sample was cleaned, go to the quarantine folder and use the VSEncode tool to restore it.
    • If the sample was not cleaned, go to the sample location to collect the file.
    • You may need to add it to the Predictive Machine Learning exclusion list manually to prevent it from being detected again.
Behavior Monitoring

  1. Identify the Detection Name Type. Below is an example of a malware behavior blocking detection:

    Detection Name Type - Behavior Monitoring 1

    Detection Name Type - Behavior Monitoring 2

  2. Find the samples in the Quarantine Directory:

    On the agent side, go to [Agent folder]\Backup. Samples are renamed TSC_GENCLEAN_{Timestamp} with a *.dat extension.

    Quarantined Folder - Behavior Monitoring

  3. For the Restoration Methods and Exception, check whether the sample has been cleaned:
    • If the sample was cleaned, go to the quarantine folder and use the VSEncode tool to restore it.
    • If the sample was not cleaned, go to the sample location to collect the file.
    • You may need to add the detected program to the Trusted Program List manually to prevent it from being detected again.
Behavior Monitoring (ADC)

  1. Identify the Detection Name Type. Below is an example of a malware behavior blocking detection:

    Detection Name Type - Behavior Monitoring ADC

  2. Find the samples in the Quarantine Directory:

    Go to Agent > Agent Management > Tasks > Central Quarantine Restore.

    Restoration Methods - Behavior Monitoring New 1

    Central Quarantine Restore automatically adds the detected file to the scan exclusion list only, so you may also need to add the detected program to the Trusted Program List manually.
  3. Use VSEncode.exe:
    • This tool is located in [Server folder]/PCCSRV/Admin/Utility/VSEncrypt.
    • Execute it with parameters in the command window:

      VSEncode.exe /d /f [filename]

      Restoration Methods - Behavior Monitoring New 2

    VSEncode.exe does not add the detected file to the exclusion list. You may need to add the detected program to the Trusted Program List manually to prevent it from being detected again.
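As an added example (not part of this Trend Micro article and not a Trend Micro tool), the following PowerShell script gathers what the sections above describe for the agent side in one pass: it inventories [Agent folder]\Suspect\Backup for *.qtn samples (Virus Scan) and [Agent folder]\Backup for TSC_GENCLEAN_*.dat samples (Predictive Machine Learning and Behavior Monitoring), records each sample's size, timestamp and SHA-256 for the case description, and with -Restore decodes a copy of each sample using VSEncode.exe /d /f. The script name, the $AgentFolder, $VSEncodePath and $OutDir parameters, the CSV layout and the copy-before-decode approach are the example's own assumptions; only the folder names, file name patterns and the VSEncode.exe switches come from the article.

```powershell
<#
Get-OsceQuarantine.ps1 (assumed name; added example, not part of the article)
Inventories OfficeScan XG agent quarantine folders for false positive submission
and optionally decodes copies with VSEncode.exe /d /f.
Only the folder names, file patterns and VSEncode switches are from the article;
every path and parameter below is a placeholder to adjust for your environment.
#>
param(
    # [Agent folder] from the article: the OfficeScan agent installation folder (placeholder).
    [Parameter(Mandatory = $true)] [string] $AgentFolder,
    # VSEncode.exe lives under [Server folder]\PCCSRV\Admin\Utility\VSEncrypt (placeholder path).
    [string] $VSEncodePath = 'C:\PLACEHOLDER\PCCSRV\Admin\Utility\VSEncrypt\VSEncode.exe',
    # Where the inventory CSV and any decoded copies are written (assumed location).
    [string] $OutDir = (Join-Path $env:TEMP 'osce-fp-samples'),
    # Decode a copy of each sample with VSEncode.exe instead of only listing them.
    [switch] $Restore
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Agent-side quarantine locations per detection type, as named in the article.
$locations = @(
    @{ Type = 'Virus Scan';                Path = (Join-Path $AgentFolder 'Suspect\Backup'); Filter = '*.qtn' },
    @{ Type = 'PML / Behavior Monitoring'; Path = (Join-Path $AgentFolder 'Backup');         Filter = 'TSC_GENCLEAN_*.dat' }
)

# Build one record per quarantined sample; the hash is useful in the case description.
$inventory = @(foreach ($loc in $locations) {
    if (-not (Test-Path -Path $loc.Path)) { Write-Warning "Folder not found: $($loc.Path)"; continue }
    Get-ChildItem -Path $loc.Path -Filter $loc.Filter -File | ForEach-Object {
        [pscustomobject]@{
            DetectionType = $loc.Type
            File          = $_.FullName
            SizeBytes     = $_.Length
            Quarantined   = $_.LastWriteTime
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
})

if ($inventory.Count -eq 0) {
    Write-Warning 'No quarantined samples found in the agent folders listed above.'
    return
}

$csv = Join-Path $OutDir 'quarantine-inventory.csv'
$inventory | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Inventory of $($inventory.Count) sample(s) written to $csv"

if ($Restore) {
    if (-not (Test-Path -Path $VSEncodePath)) { throw "VSEncode.exe not found at $VSEncodePath" }
    $restoreDir = Join-Path $OutDir 'restored'
    New-Item -ItemType Directory -Path $restoreDir -Force | Out-Null
    foreach ($item in $inventory) {
        # Decode a copy so the quarantine store itself is left untouched.
        $copy = Join-Path $restoreDir (Split-Path -Path $item.File -Leaf)
        Copy-Item -Path $item.File -Destination $copy -Force
        & $VSEncodePath /d /f $copy
        Write-Host "VSEncode.exe /d /f `"$copy`" exited with code $LASTEXITCODE"
    }
    Write-Host "Decoded copies are in $restoreDir. VSEncode.exe adds no exclusion; add the file or program to the relevant exclusion or Trusted Program List before moving anything back."
}
```

Run it from an elevated PowerShell prompt on the affected agent, for example `.\Get-OsceQuarantine.ps1 -AgentFolder 'C:\Path\To\OfficeScan Client' -VSEncodePath '\\OSCE-SERVER\PCCSRV\Admin\Utility\VSEncrypt\VSEncode.exe' -Restore` (both paths are placeholders). A decoded copy is a live detection again: keep it in the output folder for attaching to the case, and add the exclusion or Trusted Program List entry the matching section above calls for before placing any file back in its original location.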

After retrieving samples, you may refer to the following link for submitting samples: User Guide: New Requests.

Category: Troubleshoot
Solution Id: 1115269