All
Does anyone know what program might be blocking the ability to run or copy
"setup.exe" from remote drives yet allow you to copy a bit-for-bit identical
copy named XXsetupXX.ZIP, rename it (locally) to "setup.exe", and run it
locally?
System in question is an XP SP2 box running McAfee VirusScan Corporate v7 and
McAfee VS 8.0.x on both a Windows 2000 server and another Windows XP
workstation. The VS8 access-protection log does NOT block actions and the log
file doesn't show it interfering with copying the file.
This cost my client an hour or so of my time this morning; the system is not
"mine" but is maintained by someone providing GPS-in-golf-carts to a golf
course, and I'm involved because we've interfaced the GPS to some golf-tourney
software by a third-party ...
I disabled OnAccess scanning and still couldn't copy the file:
------- Included Stuff Follows -------
C:\TEMP> dir v:\downloads\*setup*
01/04/2008 08:43 AM 5,407,371 setup.exe
01/04/2008 08:43 AM 5,407,371 XXsetupXX.ZIP
C:\TEMP> copy v:\downloads\setup.exe
Access is denied.
0 file(s) copied.
C:\TEMP> copy v:\Downloads\XXsetupXX.ZIP
1 file(s) copied.
--------- Included Stuff Ends ---------
Running processes on the system which can't copy files, as shown by PSList:
------- Included Stuff Follows -------
PsList 1.23 - Process Information Lister
Copyright (C) 1999-2002 Mark Russinovich
Sysinternals - www.sysinternals.com
Process memory detail for basestation:
Name Pid VM WS WS Pk Priv Faults NonP Page PageFile
Idle 0 0 16 0 0 0 0 0 0
System 4 1876 212 2020 28 6530 0 0 0
smss 604 3544 352 448 144 220 0 5 144
csrss 668 26236 2464 3868 1712 4840 5 54 1712
winlogon 692 60340 1508 11992 9372 13253 31 64 9372
services 736 36608 5188 5188 2024 1860 7 39 2024
lsass 748 41724 7268 7348 3944 2984 9 40 3944
svchost 908 62500 5120 5164 2796 1618 6 39 2796
svchost 984 34704 4128 4136 1740 1212 13 37 1740
svchost 1072 97696 21236 31520 13256 25442 52 108 13256
svchost 1108 29768 3248 3272 1232 908 3 29 1232
svchost 1272 37484 4320 4320 1864 1633 5 36 1864
spoolsv 1420 41388 4652 4660 3052 1322 4 39 3052
AWHOST32 1528 192632 8988 10248 3880 7750 8 170 3880
OPHALDCS 1564 12868 1352 1364 340 341 1 32 340
ibguard 1676 27372 2652 2888 664 989 2 26 664
ibserver 1732 55040 16124 16360 12948 51532 8 32 12948
ramaint 1760 29408 3148 3156 1084 804 2 30 1084
LogMeIn 1812 74108 9904 9932 8888 13228 38 57 8888
FrameworkSe 1960 50460 6928 7192 3408 7026 6 43 3408
Mcshield 1980 106884 53628 57396 52436 116407 8 38 52436
VsTskMgr 2012 47876 316 4012 3868 2366 4 34 3868
naPrdMgr 2020 42608 984 3272 3408 2312 3 38 3408
TAService 256 60584 8608 8712 3708 7253 38 46 3708
WinVNC 440 37480 3396 3632 1036 1182 4 29 1036
AdLinkServi 524 101508 16784 16784 11680 4988 8 53 11680
alg 2152 32636 3452 3460 1120 899 5 35 1120
explorer 3016 62088 17848 18224 12324 20045 7 55 12324
hkcmd 3300 30204 3784 4020 1480 1140 3 31 1480
shstat 3308 40780 1860 3772 3452 3860 3 35 3452
UpdaterUI 3352 38876 220 4048 1100 19373 3 37 1100
LogMeInSyst 1432 41716 5520 9884 2036 3957 4 42 2036
GEMService 2432 87424 6380 6468 3448 5953 45 41 3448
Tracker 2876 65412 35080 61840 30372 16913 4 35 30372
PersistentS 3660 37436 4932 5048 1380 1653 4 32 1380
TIM 3676 28572 3056 3292 772 958 2 28 772
PinPlacemen 3792 27432 5200 7344 1816 4008 4 23 1816
RecorderUti 2956 32140 3764 3880 932 1065 3 31 932
Logger 3424 29324 3304 3532 752 1110 3 30 752
Upgrader 2536 36852 4604 7324 1236 3264 4 33 1236
OrderLink 3236 32888 4388 4504 1172 1311 6 32 1172
VPTMC 3564 39316 2224 5372 1572 2157 6 34 1572
VPGolf3 3936 201312 5552 22344 13316 464665 9 81 13316
--------- Included Stuff Ends ---------
ibguard and ibserver are parts of Interbase Server, which is installed on the
system, not some sort of protection system.
TIA for any ideas...
Angus
~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
