Restore Encrypted Files

• Tools > Client Tools > Restore Encrypted Virus

Whenever OfficeScan detects an infected file, it encrypts the file and moves it to the quarantine folder ({Root}\Trend Micro\OfficeScan Client\SUSPECT) on the client computer first, then sends it to the server ({Root}\Trend Micro\OfficeScan\PCCSRV\Virus). OfficeScan encrypts the infected file to prevent users from opening it and spreading the virus/malware to other files on the computer.

However, there may be some situations when you have to open an infected file. If you find an infected document and you need to retrieve the information from it, you will need to decrypt it first.

• Warning: Decrypting an infected file may spread the virus/malware to other files. Trend Micro recommends isolating the computer with infected files by unplugging the network cable and moving important files to a backup location.

The following files are required:

• Main file: VSEncode.exe

• Required DLL files: Vsapi32.dll

This tool provides the following logs:

• VSEncrypt.log: Contains the encryption or decryption details. OfficeScan creates this file automatically in the temp folder for the user logged on the computer (normally, on the C: drive).

• VSEncDbg.log: Contains the debug details. OfficeScan creates this file automatically in the temp folder for the user logged on the computer (normally, on the C: drive) if you run VSEncode.exe with the -debug parameter.

OfficeScan can decrypt the following files:

• Client computer files in the OfficeScan Client\Backup folder, which contains backed up encrypted files cleaned successfully (To decrypt these files, users need to move them to the OfficeScan Client\SUSPECT folder)

• Note: OfficeScan will only back up and encrypt files before cleaning them if you select Backup files before cleaning in Networked Computers > Client Management > Settings > {Scan Type} > Action tab.

• Client computer encrypted files in the OfficeScan Client\SUSPECT folder

• Server computer encrypted files in the OfficeScan\PCCSRV\Virus folder

To restore files in the Suspect folder:

1. On the OfficeScan server, open Windows Explorer and go to the \PCCSRV\Admin\Utility\VSEncrypt folder of OfficeScan.

2. Copy the entire VSEncrypt folder to the client computer.

3. Note: Do not copy the VSEncrypt folder to the OfficeScan folder. The Vsapi32.dll file of Restore Encrypted Virus will conflict with the original Vsapi32.dll.

3. Open a command prompt and go to the location where you copied the VSEncrypt folder.

4. Run Restore Encrypted Virus using the following parameters:

5. no parameter - encrypt files in the Suspect folder

6. -d - decrypt files in the Suspect folder

7. -debug - create debug log and output in the temp folder of the client

8. /o - overwrite encrypted or decrypted file if it already exists

9. /f {filename} - encrypt or decrypt a single file

10. /nr - do not restore original file name

For example, you can type VSEncode [-d] [-debug] to decrypt files in the Suspect folder and create a debug log. When you decrypt or encrypt a file, OfficeScan creates the decrypted or encrypted file in the same folder.

• Note: You may not be able to encrypt or decrypt locked files.

To encrypt or decrypt files in other locations:

1. Create a text file and then type the full path of the files you want to encrypt or decrypt.

For example, to quarantine or restore files in other locations in C:\My Documents\Reports, type C:\My Documents\Reports\*.* in the text file. Then save the text file with an INI or TXT extension, for example, you can save it as ForEncryption.ini on the C: drive.  

2. At a command prompt, run Restore Encrypted Virus by typing VSEncode.exe -d -i {location of the INI or TXT file}, where {location of the INI or TXT file} is the path of the INI or TXT file you created (for example, C:\ForEncryption.ini).