
Use the QDecrypt tool to manually restore a downloaded file.

WARNING
Restoring an infected file can spread the virus/malware to other files and computers. Before restoring the file, isolate the infected endpoint and move important files on this endpoint to a backup location.
Important
The QDecrypt decryption tool only supports Windows.
To manually restore an identified file, download the file and the decryption tool, QDecrypt, from Server & Workload Protection to your local machine. If you do not want the Anti-Malware scan to detect the file again, create a scan exception first. Use the following steps to create the exclusion, download the file and tool, and restore the identified file on your local machine.

Procedure

  1. In the Trend Vision One console, access the Server & Workload Protection instance managing the infected endpoint.
  2. Go to Computers and open the details for the affected computer.
  3. Go to Anti-Malware > Identified Files.
  4. Locate the file you want to restore and click View to open the Details window.
    Use the filters or advanced search to find the file you want to restore.
  5. Copy the exact file name and original location.
  6. Go to Anti-Malware > General.
  7. Edit the Malware Scan Configuration for each scan type.
    Repeat these steps for Real-Time Scan, Manual Scan, and Scheduled Scan.
    1. Under the scan type you want to configure, locate Malware Scan Configuration and click Edit.
    2. Go to the Exclusions tab.
    3. Enable File List and select a list to edit.
      Note
      Select New... from the list of file lists if a list does not already exist.
    4. To edit the file list, click Edit.
    5. In the File(s) field, specify the original full file path of the file you want to restore.
      A full file path includes the root drive, all folder names, file name, and file extension. For example:
      C:\Documents\example.doc
    6. Click OK to close the File List.
    7. Click OK to close the Malware Scan Configuration.
  8. Once you have configured all scan types, click Save to apply the exception to the endpoint.
  9. With the computer details screen still open, go to Anti-Malware > Identified Files.
  10. Select the file you want to restore and click Download.
  11. In the Download guide, click Next.
    Server & Workload Protection prepares the download. Once the download finishes, the Summary appears.
  12. To download the decryption tool, click administration utility.
    Your computer should automatically download QFAdminUtil.zip.
  13. Locate the download package and unzip QFAdminUtil.zip.
  14. Run QDecrypt.
    1. To use the graphical interface, run QDecrypt.exe.
      Follow the steps to select the target encrypted file and where to save the decrypted file.
    2. To use the command line interface, run QDecrypt.com with the following command:
      qdecrypt [/h] [--verbose] /i <str> /o <str>
      Where:
      • /h or --help displays the help message
      • --verbose generates verbose log messages
      • /i <str> or --in=<str> specifies the input encrypted file, where <str> is the file name
      • /o <str> or --out=<str> specifies the output unencrypted file, where <str> is the file name
      If you use the command line interface, for ease of use, move the encrypted file into the same location as the QDecrypt tool.
    The QDecrypt tool generates a decrypted file.
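
The command-line step above, as an added PowerShell example that is not part of the original documentation. The folder, file and log names are constructed placeholders, QDecrypt.com is assumed to sit directly in the unzipped folder next to the encrypted file, and the script checks for the output file because the page documents no exit codes.

```powershell
# Added example. All paths and file names are constructed placeholders.
$ToolDir   = 'C:\Restore\QFAdminUtil'                    # assumed: folder where QFAdminUtil.zip was unzipped
$Encrypted = Join-Path $ToolDir 'identified_file.bin'    # assumed name of the downloaded encrypted file
$Decrypted = 'C:\Documents\example.doc'                  # original full path, as entered in the exclusion list
$Log       = Join-Path $ToolDir 'qdecrypt-verbose.log'   # assumed log location

$QDecrypt = Join-Path $ToolDir 'QDecrypt.com'

# Fail early if the tool or the input is not where expected.
foreach ($path in $QDecrypt, $Encrypted) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Missing file: $path"
    }
}

# Never overwrite an existing file at the restore location.
if (Test-Path -LiteralPath $Decrypted) {
    throw "Refusing to overwrite existing file: $Decrypted"
}

# Make sure the destination folder exists.
$destDir = Split-Path -Path $Decrypted -Parent
if (-not (Test-Path -LiteralPath $destDir -PathType Container)) {
    New-Item -ItemType Directory -Path $destDir -ErrorAction Stop | Out-Null
}

# Options as documented above: --verbose, /i <input>, /o <output>.
& $QDecrypt --verbose /i $Encrypted /o $Decrypted | Tee-Object -FilePath $Log

# The page documents no exit codes, so confirm the result by checking the output file.
if (-not (Test-Path -LiteralPath $Decrypted -PathType Leaf)) {
    throw "QDecrypt did not produce $Decrypted; see $Log"
}

# Record the SHA-256 of the restored file for the incident notes.
Get-FileHash -LiteralPath $Decrypted -Algorithm SHA256 | Format-List Algorithm, Hash, Path
```

Run it on the isolated endpoint only after the scan exclusion for the original path has been saved, so the restored file is not detected again.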