2

We're using blat.exe as part of many of our setups on Windows Server 2003 SP2 without any problem to send mails via command line. It's simply great.

Now, some software we are using provides blat.exe as part of their installation.

The problem: from time to time (maybe every 6 months to one year per server), blat.exe is missing. No trace of it can be found anywhere. The virus scanner (McAfee) is not reporting it, and I cannot find anything about this in any log file.

The vendor is telling us that they have investigated it with filemon and that svchost.exe deletes it. I'm not really planning to use filemon on a large set of servers for an extended time period.

Did any of you stumble upon this issue and, if so, what is the root cause of this? Or do you have any more hints on how to find out what is happening? Extensive searches with Google have yielded nothing at all, apart from a virus scan issue.

Thanks!

hensley

1 Answer

5

You can turn on file auditing, enabling only delete watching for "Everyone" on that particular file. You might discover at least the account that is responsible, and the process name. You could also try locking down the NTFS delete permissions on that file to only allow your own admin account to make such a change.

I would still lean towards a virus scanning issue not being reported - or maybe the Windows "malicious software" check somehow picking it up. Like netcat for keeping network holes open, blat.exe is used by spammers on infected hosts.

Filemon would be overkill and is only good if you are looking for something that's happening when you can control it or seem to know how to trigger it. Sounds like you are already aware that it's a heavy-handed approach.

svchost is really just a generic service host and can aid in the launch of seemingly a hundred different things (Windows Update gets its marching orders via "C:\Windows\system32\svchost.exe -k netsvcs"). Sounds like your vendor hasn't done much homework there.

This will be tricky, hopefully that at least gave you a few pointers on where to go...

Matt
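The delete auditing suggested in the answer above, as an added PowerShell example that is not part of the original post. It assumes PowerShell is installed on the server, that the "Audit object access" policy is already enabled for Success events (Local Security Policy or a GPO), and that `$target` (a placeholder) is set to the real location of blat.exe.

```powershell
# Added example, not from the original answer. Run from an administrative prompt.
# $target is a placeholder path; set it to where blat.exe actually lives.
$target = 'C:\Path\To\blat.exe'

# "Everyone" by its well-known SID, so this also works on localized servers.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Audit only successful use of the Delete right on this one file.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::Delete,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit loads the SACL along with the DACL (requires SeSecurityPrivilege).
$acl = Get-Acl -Path $target -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# Confirm that the audit entry is in place.
(Get-Acl -Path $target -Audit).Audit |
    Format-List IdentityReference, FileSystemRights, AuditFlags

# After the file next disappears, search the Security log.
# Assumption: Server 2003 event numbering, where event 560 ("Object Open")
# records the object name, the requesting account and the image file name
# of the process. Newer Windows versions use different event IDs.
Get-EventLog -LogName Security |
    Where-Object {
        $_.EventID -eq 560 -and
        $_.Message -like "*$target*" -and
        $_.Message -match 'DELETE'
    } |
    Select-Object TimeGenerated, Message |
    Format-List
```

The audit entry is stored on the file itself, so it has to be re-applied whenever blat.exe is restored or reinstalled. Size the Security log so the event is not overwritten before someone notices the file is gone.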