Important: Decrypting an infected file may spread the virus/malware to other files. Trend Micro recommends isolating the computer with infected files by unplugging the network cable and moving important files to a backup location.

This procedure requires the following files:

• Main file: VSEncode.exe
• Required DLL files: Vsapi32.dll

This tool provides the following logs:

• VSEncrypt.log: Contains the encryption or decryption details. OfficeScan creates this file automatically in the temp folder of the user logged on to the computer (normally, on the C: drive).
• VSEncDbg.log: Contains the debug details. OfficeScan creates this file automatically in the temp folder of the user logged on to the computer (normally, on the C: drive) if you run VSEncode.exe with the -debug parameter.

OfficeScan can decrypt the following files:

• Client computer files in the OfficeScan Client\Backup folder.
  This folder contains encrypted backups of files that were cleaned successfully. To decrypt these files, users need to move them to the OfficeScan Client\SUSPECT folder.
  Note: OfficeScan will only back up and encrypt files before cleaning them if you select Backup files before cleaning in Networked Computers > Client Management > Settings > {Scan Type} > Action tab.
• Client computer encrypted files in the OfficeScan Client\SUSPECT folder.
• Server computer encrypted files in the OfficeScan\PCCSRV\Virus folder.

To restore files in the Suspect folder:

1. On the OfficeScan server, open Windows Explorer and go to the \PCCSRV\Admin\Utility\VSEncrypt folder of OfficeScan.
2. Copy the entire VSEncrypt folder to the client computer.
   Note: Do not copy the VSEncrypt folder to the OfficeScan folder. The Vsapi32.dll file of Restore Encrypted Virus will conflict with the original Vsapi32.dll.
3. Open a command prompt and go to the location where you copied the VSEncrypt folder.
4. Run Restore Encrypted Virus using the following parameters:
   • no parameter - encrypt files in the Suspect folder
   • -d - decrypt files in the Suspect folder
   • -debug - create debug log and output in the temp folder of the client
   • /o - overwrite encrypted or decrypted file if it already exists
   • /f {filename} - encrypt or decrypt a single file
   • /nr - do not restore original file name

   For example, you can type "VSEncode -d -debug" to decrypt files in the Suspect folder and create a debug log. When you decrypt or encrypt a file, OfficeScan creates the decrypted or encrypted file in the same folder.
   Note: You may not be able to encrypt or decrypt locked files.

To encrypt or decrypt files in other locations:

1. Create a text file and then type the full path of the files you want to encrypt or decrypt.
   For example, to quarantine or restore files in C:\My Documents\Reports, type C:\My Documents\Reports\*.* in the text file. Save the text file with an INI or TXT extension. For example, you can save it as ForEncryption.ini on the C: drive.
2. At a command prompt, run Restore Encrypted Virus by typing "VSEncode.exe -d -i {location of the INI or TXT file}", where {location of the INI or TXT file} is the path of the INI or TXT file you created (for example, C:\ForEncryption.ini).
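
The two steps above as a PowerShell script with pre-flight checks for the isolation and Vsapi32.dll notes. This is an added example, not Trend Micro code; the tool and client folder paths, the ASCII encoding of the list file, and the 20-line log tail are assumptions to adjust for your installation.

```powershell
# Added example (not vendor code). All default paths are assumptions.
param(
    [string]$ToolDir   = 'C:\Tools\VSEncrypt',   # assumed: where the VSEncrypt folder was copied
    [string]$ClientDir = 'C:\Program Files\Trend Micro\OfficeScan Client',  # assumed install path
    [string]$ListFile  = 'C:\ForEncryption.ini',
    [string]$Target    = 'C:\My Documents\Reports\*.*'
)
$ErrorActionPreference = 'Stop'

# Isolation check: warn if a physical network adapter is still connected.
if (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue) {
    if (Get-NetAdapter -Physical | Where-Object Status -eq 'Up') {
        Write-Warning 'A network adapter is still up; isolate the computer before decrypting.'
    }
}

# The copied folder must not sit inside the OfficeScan folder (Vsapi32.dll conflict).
$tool = (Resolve-Path $ToolDir).Path.TrimEnd('\')
$client = $ClientDir.TrimEnd('\') + '\'
if (($tool + '\').StartsWith($client, [StringComparison]::OrdinalIgnoreCase)) {
    throw "VSEncrypt folder is inside the OfficeScan folder: $tool"
}

# Both required files must be present in the copied folder.
foreach ($name in 'VSEncode.exe', 'Vsapi32.dll') {
    if (-not (Test-Path (Join-Path $tool $name))) { throw "Missing $name in $tool" }
}

# Step 1: write the full path of the files to process (ASCII encoding is an assumption).
Set-Content -Path $ListFile -Value $Target -Encoding ASCII

# Step 2: run the tool from the folder it was copied to.
$started = Get-Date
Push-Location $tool
try {
    & .\VSEncode.exe -d -i $ListFile
} finally {
    Pop-Location
}

# VSEncrypt.log is written to the temp folder of the logged-on user.
$log = Join-Path $env:TEMP 'VSEncrypt.log'
if ((Test-Path $log) -and (Get-Item $log).LastWriteTime -ge $started) {
    Get-Content $log -Tail 20
} else {
    Write-Warning "VSEncrypt.log was not updated in $env:TEMP; check that the tool ran."
}
```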