Virus/Malware Scan Actions

The scan action OfficeScan performs depends on the virus/malware type and the scan type that detected the virus/malware. For example, when OfficeScan detects a Trojan horse program (virus/malware type) during Manual Scan (scan type), it cleans (action) the infected file.

The following are the actions OfficeScan can perform against viruses/malware:

Table 1. Virus/Malware Scan Actions

Delete

OfficeScan deletes the infected file.


Quarantine

OfficeScan renames and then moves the infected file to a temporary quarantine directory on the client computer, located in <Client installation folder>\Suspect.

The OfficeScan client then sends quarantined files to the designated quarantine directory.

The default quarantine directory is on the OfficeScan server, under <Server installation file>\PCCSRV\Virus. OfficeScan encrypts quarantined files sent to this directory.

If you need to restore any of the quarantined files, use the VSEncrypt tool.


Clean

OfficeScan cleans the infected file before allowing full access to the file.

If the file is uncleanable, OfficeScan performs a second action, which can be one of the following: Quarantine, Delete, Rename, or Pass.

This action can be performed on all types of malware except probable virus/malware.


Rename

OfficeScan changes the infected file's extension to "vir". Users cannot open the renamed file initially, but can do so if they associate the file with a certain application.

The virus/malware may execute when the renamed infected file is opened.


Pass

OfficeScan can only use this scan action when it detects any type of virus during Manual Scan, Scheduled Scan, and Scan Now. OfficeScan cannot use this scan action during Real-time Scan because performing no action when it detects an attempt to open or execute an infected file would allow the virus/malware to execute. All the other scan actions can be used during Real-time Scan.

Deny Access

This scan action can only be performed during Real-time Scan. When OfficeScan detects an attempt to open or execute an infected file, it immediately blocks the operation.

Users can manually delete the infected file.