Issue:
How do I identify and remove the infected item(s) WithSecure has detected on a .PST archive (Outlook Data File)?
Resolution:
Follow the steps below to configure the scanning report to show additional information when an email is detected inside an Outlook PST file.
These steps help you identify the email so that it can be removed manually after the scan:
- Open the Registry Editor (regedit.exe)
- Navigate to the following location:
  - HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\Ultralight\GKH2\Plug-Ins\F-Secure Capricorn
- Add a new 'String Value' (REG_SZ) with the following information:
  - Name: CustomSettings
  - Data: mailboxmode=2
- Other scanning modes available are:
  - 0 = none (default, mailbox is not scanned)
  - 1 = enable mailbox scanning
  - 2 = enable scanning and provide extended report (inside infection name)
- Restart the "F-Secure Ultralight Hoster" service
  - net stop fsulhoster
  - net start fsulhoster
  - (If you are unsure how to restart a service, just restart the computer.)
- Manually scan the PST. The report will now show message-related fields (email subject, folder, attachment name).
- Once the message has been identified, proceed to remove it manually in Outlook:
  - Delete the message with [shift-del] (so that it will not be moved to trash).
- Finally, follow these steps to compact the PST database:
  https://support.office.com/en-us/article/reduce-the-size-of-your-mailbox-and-outlook-data-files-pst-and-ost-e4c6a4f1-d39c-47dc-a4fa-abe96dc8c7ef?ui=en-US&rs=en-US&ad=US
- Re-scan the .PST archive to ensure all infected items have been removed.
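
The registry and service steps above, scripted in PowerShell as an added example (not WithSecure's own code). The key path, value name, data and service name are the ones given above; the `-MailboxMode` parameter and the refusal to overwrite an unrecognized existing `CustomSettings` value are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: sets CustomSettings=mailboxmode=<n> and restarts fsulhoster.
# Run from 64-bit PowerShell so the HKLM\SOFTWARE path matches what regedit shows.
param(
    # 0 = none (default), 1 = mailbox scanning, 2 = scanning + extended report
    [ValidateRange(0, 2)]
    [int]$MailboxMode = 2
)

$ErrorActionPreference = 'Stop'
$key     = 'HKLM:\SOFTWARE\F-Secure\Ultralight\GKH2\Plug-Ins\F-Secure Capricorn'
$name    = 'CustomSettings'
$data    = "mailboxmode=$MailboxMode"
$service = 'fsulhoster'

# The key belongs to the product; if it is missing, stop rather than create it.
if (-not (Test-Path -LiteralPath $key)) {
    throw "Registry key not found: $key"
}

# Read any existing value so it is not silently overwritten.
$existing = (Get-ItemProperty -LiteralPath $key -Name $name `
             -ErrorAction SilentlyContinue).$name

# Assumption: how several settings combine in CustomSettings is not documented
# on this page, so anything other than a plain mailboxmode value is left alone.
if ($null -ne $existing -and $existing -notmatch '^mailboxmode=[0-2]$') {
    throw "CustomSettings already holds '$existing'; review it by hand."
}

if ($existing -ne $data) {
    # REG_SZ value, as in the manual step.
    New-ItemProperty -LiteralPath $key -Name $name -PropertyType String `
        -Value $data -Force | Out-Null
    Write-Host "CustomSettings: '$existing' -> '$data'"

    # Equivalent of: net stop fsulhoster / net start fsulhoster
    Restart-Service -Name $service
} else {
    Write-Host "CustomSettings is already '$data'; service not restarted."
}

# Show the resulting state for the change record.
Get-ItemProperty -LiteralPath $key -Name $name | Select-Object $name
Get-Service -Name $service | Select-Object Name, Status
```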
Article no: 000002840