WIndows 10 Pro 64 - SBS 2011 - Trend Micro - WIndows Defender

What type of file is it or files are they?

It deletes exe and dll files from the C:\Program Files (x86)\Label Traxx Client folder

https://labeltraxx.com/?gclid=CPOq96_grNQCFQWLaQodbUYKyw

Hmmmm, I wonder if this is the cause: Windows 10 May Delete Your Programs Without Asking

Hi Wayne,

Thanks for the replies.

I have already seen that article and that is not the reason. If I uninstall reinstall the program. Open it once it works. close it try to reopen it right away the files are are gone and it wont open. I repeat the process several times same results several times, and this has happened on all 4 Windows 10 PC's I installed it on.

Sound like a strange one Vince.  Have you checked if Event Viewer is giving any hints as to what might be happening?

Win + R > eventvwr.msc

Nothing in event viewer.

I am really curious about this:

1. Does it delete all the exe and dll files in that specific folder only?
2. Can you dump some exe and dll files then see if all files of that type also get deleted in that specific folder?
3. Do you notice this problem happening in any other folder?
4. Can you find a time or event pattern to the cause? (e.g. overnight, around noon, or every time the AV scan?)

Let's take it from there for a start.

It deletes exe and dll files from the C:\Program Files (x86)\Label Traxx Client folder ... Open it once it works. close it try to reopen it right away the files are are gone and it wont open

This has peaked my curiosity as well.  Can you try the following please?

Re-install, manually set the Read-only attribute to all of the exe and dll files as soon as the installation completes and "before" you run it for the first time.

Now try to run the program "after" you have set the Read-only attribute on the dll files. Will it run? If not, what error are you getting?

If yes, close and try running again. Any errors appearing, either in the GUI or in event viewer now?

"manually set the Read-only attribute to all of the exe and dll files"

Good suggestion Andrew!

Thanks Wayne.. Seems we're like minded when struck with a mystery like this!

There has to be a way of tracking this down. Sounds bizarre!  

My next suggestion was going to be observing Process Explorer for unusual activity during the first and subsequent runs.

Also, even though exclusions have been added for the files, I would also suggest trying a couple of runs of the software with Defender and Trend Micro "Real-Time" protection disabled completely.

If the problem is being caused by one of those two, you can re-enable and test one at a time to nail down which one is misbehaving.

Finally, please download and run a manual scan with MSRT from Microsoft and let us know if it found anything.  

It also wouldn't hurt to do a scan with an up to date copy of MalwareBytes as well.  It will install alongside other AV's and often catches things an AV might miss.

Btw.. you're not running both Defender and Trend Micro real time protection at the same time are you? That could possibly be an explanation as well.

I'll look in on this a little later once you've had time to do the above tests..

The install is very quick. It is definatley not a virus as these are brand new PC's with fresh installs of windows. and it happened on all 4 PC's I installed it on. I have tried it several times with Trend micro and WIndows Defnder disabled. I will try the read only thing and see what happens.
I disabled Windows Defender in group Policy and I stopped the Trend services.

There is three Trend Micro services 1) Security Agent Listener 2) Security Agent RealTimeScanner 3) Common CLient Solution Framework

It deletes one exe file and 2 dll files

I stop 1 and 2 but the third I cannot stop I am wondering if that is causing. I have set the exe file from the exclusion list in trend.

If you stopped Trend Micro's RealTimeScanner service, then I wouldn't expect it to be the cause. Still.. If ALL the above suggestions fail, I would uninstall Trend Micro on one box and try again after uninstalling Trend so it is totally eliminated as the cause. You can always re-install it.

Are you familiar with the use of Process Explorer by Sysinternals? It can be a large help in trouble shooting a problem like this.

I agree if it's happening on 4 different machines, then it's unlikely to be a virus. Very curious indeed!

How did you go with setting the Read-only attributes on the files test?

I am going to call Label Traxx tomorrow maybe the problem is there program itself. The first time you open the program it forces an update from the server. when the update is complete. the program automatically opens and works. I looked into that programs folders while it was open and working and the exe was already missing. So when I close it and reopen it it can not find the executable files.

I copied the folder before the first time opening it, if I copy the exe back after the first time closing the program and try to reopen it. It still says it cannot find the exe file even though I put it back. So it seems the programs initial update is messing it up. This is the first time I have installed it on Windows 10 we have been using WIndows 7 for the past 3 years with this program. So maybe the problem is with the program and WIndows 10.

I will call Label Traxx tomorrow, I will keep you guys  posted.

Thanks for all your help so far.

Thanks Vince. Will be looking forward to hear what they say the problem is.

"It deletes one exe file and 2 dll files"

Are those all the exe and dll files in the folder?  In other words, is it deleting all exe and dll files in that folder?

Also, if it's Trend Micro deleting it then you should check the Trend Micro log.  I am very sure that it will log what it deleted/quarantined.  Then we will know for sure it's TM.

Why not use NTFS auditing? Auditing will write into the event log so you can find out what user/process is deleting those.

Another idea just occurred to me given that you've said you've always run this software with Windows 7.
Try running it with administrator privileges. Ie: "Right click > Run as Administrator"  
I know it's a long shot, but thought I'd throw it out there.

Also, have you run the Windows 10 Program Compatibility Troubleshooter ?  
"Right click > Troubleshoot Compatibility"

Andrew - I have been running it as admin this whole time, I set compatibility mode to win 7 and windows 8 - ran the troubleshooter it recommended WIndows 8 combat mode. I set the main .exe file to read only and it still gets deleted. It gets deleted right after the forced update when you open the program for the first time.

I scanned the folder with Trend Micro and it did not delete any files or find anything suspicious.

Wayne88 - there are plenty of DLL files but that is the only exe file I see

McKnife - I will look into the NTFS auditing and see.

I tried calling tech support but the company no longer pays for support as they plan on implementing new software in the future.

I think it is the program update causing the problem.

I tend to agree with that conclusion Vince.  Damn shame you can't get to talk to support.  Do you have pre-update version you could try to install? That would confirm or deny the version update idea to the problem.

Hi I think I fixed it, The update must be deleting the files, so I installed the software on WIndows 10 ran the update. Then went to a windows 7

PC that it working and that already has the update. copied the WIndows 7 C:\Program Files\Label Traxx Client folder. to the same location on

the WIndows 10 PC and opened it since it is already updated the update doesn't run and it works.

I also noticed on the WIndows 7 PC it made changes to the Desktop shortcut icon that it didn't make to the WIndows 10 PC Desktop Icon so I copied the WIndows 7 Desktop short cut also and all is good.

So the problem is the updater doesn't work on Windows 10 and I found a work around.

Thank you everyone for your help!

Great job Vince and thanks for sharing the solution.  Cheers!

Hi Wayne I gave you the Assisted solution as copying the folder saved me tons of time and kind of game me the idea of copying the folder from a working Windows 7 PC.

Thanks again everyone!!!

You're welcome and glad to assist.  Have a nice day Vince!

Oops I meant to say Andrew but I gave you assisted solution to for your help also.

Thank you Vince, Andrew is one of the more helpful members on E-E with no egos.  He's a good man! :)  Thanks All!

Great to hear you resolved it Vince and well done for thinking outside of the box to come up with that solution!  

Seemingly impossible problems can often be solved with a little dose of patience and persistence, but most importantly the willingness to try different approaches. I actually enjoyed helping with this.. makes it all the more satisfying when it's finally nailed! :)

And thank you for the compliment Wayne, I really do appreciate it :)

Cheers..

You're a good man Andrew!  Cheers!