
Restoring an Encrypted Virus

Security Agents and Messaging Security Agents encrypt infected files and attachments to prevent users from opening them and spreading virus/malware to other files on the client.

Whenever a Security Agent backs up, quarantines, or renames an infected file, it encrypts the file. The quarantined file is stored in the \Suspect folder on the client, and then sent to the quarantine directory. The backup file is stored in the \Backup folder of the client, typically in C:\Program Files\Trend Micro\Client Server Security Agent\Backup\. Whenever Messaging Security Agent backs up, quarantines, or archives an email message or attachment, it encrypts the file and stores it in the MSA storage folder, typically in C:\Program Files\Trend Micro\Messaging Security Agent\storage\.

However, there may be situations in which you have to open a file even though you know it is infected. For example, if an important document has been infected and you need to retrieve the information it contains, you must first decrypt the infected file. Use Restore Encrypted Virus to decrypt the infected files that you need to open. Bear in mind that the decrypted output is the original infected file, so handle it as live malware: decrypt it only where the Security Agent cannot spread the infection further, and open it only to extract the information you need.

Restore Encrypted Virus requires the following files:

Using the Graphical Interface

To restore files in the Suspect folder using the graphical interface:

  1. Go to the folder where the tool is located (for example, C:\VSEncrypt) and run VSEncode.exe /u to open the graphical interface.

  2. Select the file to restore.

  3. Click Restore.

Using the Command Line Interface

To restore files in the Suspect folder from the command line:

  1. Copy the VSEncrypt folder from the Security Server (\PCCSRV\Admin\Utility\VSEncrypt) to the client.

  2. Open a command prompt and go to the location where you copied the VSEncrypt folder.

  3. Run Restore Encrypted Virus using the following parameters:

For example, VSEncode -d -debug decrypts the files in the Quarantine folder and writes a debug log. When you decrypt or encrypt a file, the decrypted or encrypted file is created in the same folder as the original.

Restore Encrypted Virus provides the following logs:

To encrypt or decrypt files in other locations:

  1. Create a text file and type the full path of the files you want to encrypt or decrypt. For example, to encrypt or decrypt the files in C:\My Documents\Reports, type C:\My Documents\Reports\*.* in the text file.

  2. Save the text file with an INI or TXT extension. For example, save it as ForEncryption.ini on the C: drive.

  3. At a command prompt, run Restore Encrypted Virus by typing VSEncode.exe -d -i {location of the INI or TXT file}, where {location of the INI or TXT file} is the path and file name of the INI or TXT file you created (for example, C:\ForEncryption.ini).
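The command-line procedure above (copy the tool, list the files in an INI or TXT file, run VSEncode.exe -d -i against that list), wrapped in a PowerShell function as an added example. This is not Trend Micro's code and is not part of the original page; it assumes VSEncode.exe has already been copied to C:\VSEncrypt, that the encrypted files are in a folder you name, and that a non-zero exit code from VSEncode.exe indicates a failure (the page documents no exit codes). The -d, -debug and -i switches are the ones the page describes; everything else is the example's own.

```powershell
# Added example, not Trend Micro's code. Wraps the documented procedure:
#   1. write the full path (wildcard) of the files to decrypt into an INI/TXT file
#   2. run VSEncode.exe -d -i <list file>
# Assumptions (not from the page): tool copied to C:\VSEncrypt, and a non-zero
# exit code from VSEncode.exe means it failed.

function Restore-EncryptedVirusFiles {
    param(
        # Folder that holds the encrypted files (backup/quarantine copies moved here).
        [Parameter(Mandatory)] [string] $SourceFolder,
        # Location of the copied tool; the page's example uses C:\VSEncrypt.
        [string] $ToolPath = 'C:\VSEncrypt\VSEncode.exe',
        # INI/TXT list file; the page's example name is C:\ForEncryption.ini.
        [string] $ListFile = 'C:\ForEncryption.ini'
    )

    if (-not (Test-Path -LiteralPath $ToolPath)) {
        throw "VSEncode.exe not found at $ToolPath. Copy \PCCSRV\Admin\Utility\VSEncrypt from the Security Server first."
    }
    if (-not (Test-Path -LiteralPath $SourceFolder -PathType Container)) {
        throw "Source folder $SourceFolder does not exist."
    }

    # Steps 1-2: the list file contains the full path of the files to decrypt,
    # in the same form as the page's example entry C:\My Documents\Reports\*.*
    $entry = Join-Path -Path $SourceFolder -ChildPath '*.*'
    Set-Content -LiteralPath $ListFile -Value $entry -Encoding ASCII

    # Snapshot the folder so the files VSEncode creates can be reported afterwards
    # (the page states that decrypted files are created in the same folder).
    $before = Get-ChildItem -LiteralPath $SourceFolder -File | Select-Object -ExpandProperty Name

    # Step 3: decrypt (-d) every file named in the list (-i) and write a debug log (-debug).
    & $ToolPath -d -debug -i $ListFile

    # Assumption: a non-zero exit code signals failure; the page documents no codes.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "VSEncode.exe exited with code $LASTEXITCODE; check its debug log."
    }

    # Return only the files that did not exist before, i.e. the decrypted output.
    # Treat these as live malware: they are the original infected files.
    Get-ChildItem -LiteralPath $SourceFolder -File | Where-Object { $_.Name -notin $before }
}

# Usage: decrypt the encrypted copies that were placed in C:\Restore\Reports.
Restore-EncryptedVirusFiles -SourceFolder 'C:\Restore\Reports'
```

Run this from an elevated prompt on the client, with the encrypted copies in a folder of their own, so that the returned list contains only the freshly decrypted files and nothing else is touched.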

Restoring Transport Neutral Encapsulation Format Email Messages

Transport Neutral Encapsulation Format (TNEF) is a message encapsulation format used by Microsoft Exchange/Outlook. Usually this format is packed as an email attachment named Winmail.dat, and Outlook Express hides this attachment automatically. See

http://support.microsoft.com/kb/241538/en-us

If the Messaging Security Agent archives this kind of email message and the extension of the archived file is changed to .EML, Outlook Express displays only the body of the email message.
