Restore Encrypted Files

Whenever OfficeScan detects an infected file, it encrypts the file and moves it to the quarantine folder ({Root}\Trend Micro\OfficeScan Client\SUSPECT) on the client computer first, then sends it to the server ({Root}\Trend Micro\OfficeScan\PCCSRV\Virus). OfficeScan encrypts the infected file to prevent users from opening it and spreading the virus/malware to other files on the computer.

However, there may be some situations when you have to open an infected file. If you find an infected document and you need to retrieve the information from it, you will need to decrypt it first.

The following files are required:

This tool provides the following logs:

OfficeScan can decrypt the following files:

To restore files in the Suspect folder:

  1. On the OfficeScan server, open Windows Explorer and go to the \PCCSRV\Admin\Utility\VSEncrypt folder of OfficeScan.

  2. Copy the entire VSEncrypt folder to the client computer.

     Note: Do not copy the VSEncrypt folder to the OfficeScan folder. The Vsapi32.dll file of Restore Encrypted Virus will conflict with the original Vsapi32.dll.

  3. Open a command prompt and go to the location where you copied the VSEncrypt folder.

  4. Run Restore Encrypted Virus using the following parameters:

     no parameter - encrypt files in the Suspect folder

     -d - decrypt files in the Suspect folder

     -debug - create debug log and output in the temp folder of the client

     /o - overwrite encrypted or decrypted file if it already exists

     /f {filename} - encrypt or decrypt a single file

     /nr - do not restore original file name

For example, you can type VSEncode [-d] [-debug] to decrypt files in the Suspect folder and create a debug log. When you decrypt or encrypt a file, OfficeScan creates the decrypted or encrypted file in the same folder.

To encrypt or decrypt files in other locations:

  1. Create a text file and then type the full path of the files you want to encrypt or decrypt.

For example, to quarantine or restore files in C:\My Documents\Reports, type C:\My Documents\Reports\*.* in the text file. Then save the text file with an INI or TXT extension; for example, you can save it as ForEncryption.ini on the C: drive.

  2. At a command prompt, run Restore Encrypted Virus by typing VSEncode.exe -d -i {location of the INI or TXT file}, where {location of the INI or TXT file} is the path of the INI or TXT file you created (for example, C:\ForEncryption.ini).
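
The list-file procedure above, wrapped in a PowerShell script that also refuses to run from inside an OfficeScan folder and records a SHA-256 hash of every file the tool creates. This is an added example, not Trend Micro code; the tool location C:\Tools\VSEncrypt, the path pattern used for the folder check, and the ASCII encoding of the list file are assumptions.

```powershell
# Added example (not part of the OfficeScan documentation).
param(
    [string]$ToolDir   = 'C:\Tools\VSEncrypt',       # assumed location of the copied VSEncrypt folder
    [string]$TargetDir = 'C:\My Documents\Reports',  # folder from the page's example
    [string]$ListFile  = 'C:\ForEncryption.ini'      # list file name from the page's example
)
$ErrorActionPreference = 'Stop'

# The page warns that the tool's Vsapi32.dll conflicts with the original one,
# so refuse to run from anything that looks like an OfficeScan folder.
# The path pattern is a heuristic chosen for this example.
if ($ToolDir -like '*\Trend Micro\OfficeScan*') {
    throw "VSEncrypt must not be copied into the OfficeScan folder: $ToolDir"
}

$exe = Join-Path $ToolDir 'VSEncode.exe'
if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
    throw "VSEncode.exe not found in $ToolDir"
}
if (-not (Test-Path -LiteralPath $TargetDir -PathType Container)) {
    throw "Target folder not found: $TargetDir"
}

# Record what is in the folder now, so files created by the tool can be identified.
$before = @(Get-ChildItem -LiteralPath $TargetDir -File |
            Select-Object -ExpandProperty FullName)

# Step 1: the list file holds the full path of the files to process.
# ASCII is an assumption; the page does not state the expected encoding.
Set-Content -LiteralPath $ListFile -Value "$TargetDir\*.*" -Encoding ASCII

# Step 2: run the tool from its own folder with -d (decrypt) and -i (list file).
Push-Location -LiteralPath $ToolDir
try {
    & $exe -d -i $ListFile
} finally {
    Pop-Location
}

# The decrypted files are created in the same folder as the encrypted ones.
# Hash each new file so it can be tracked in a case record.
$created = @(Get-ChildItem -LiteralPath $TargetDir -File |
             Where-Object { $before -notcontains $_.FullName })
if ($created.Count -eq 0) {
    Write-Warning "No new files appeared in $TargetDir"
} else {
    $created | Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path | Format-Table -AutoSize
}
```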