I recently started auditing my file server because weird file movements were taking place, as in Folder A would move to within Folder B, where it didn't belong. Since I have started auditing (which, BTW, I announced to the staff) that mysterious movement has stopped. Now, though, when I check my audit log every day I get some weird results. First it was User A logging on at 8:00 PM and 10:00 PM - same times every night - and failing to read files in a protected folder. So last night I waited for User A to go home and then powered down her computer (she usually Locks Workstation) and then I checked the audit log this morning: this time User B logged in at 8 and 10 and reported the same failed access to the same protected folders. One last note: the user's account attempts to open about 8 subfolders of the protected directory at EXACTLY the same time - impossible for a human (or is it?). What the **** is going on?? If this is a virus why did the file movement stop after I announced the auditing? Also, why does the audit log only report the failed access of these directories and no Successful access of other directories (I have both turned on)? What's weirder is that there is really nothing that secretive or important in these folders, they are mainly protected to stop people from moving them around. Can a virus target these specifically?? I know this is a longwinded, ambiguous post, and I apologize. I am really just looking for anyone who has experienced or heard about this situation and can offer some tips to track down more info or a fix... Mesa appreciate any help!! JJW

HI, is this process not some result of a specific service like a backup or maybe a virusscanner running at the times you specified?

www.ghostbusters.com--or something like that I would have to agree that it is some service that is causing it due to the timing as you said, though a virus might also. It is odd though that the file movement stopped after your announcement.

i thought this a most interesting post. A virus scan would be a good idea. I also thought that someone might be running a batch file. perhaps trying to get into other folders and to get a feel for security..?? it might be that person turned the batch file off when they heard about auditing hope this helps(probably not, but good luck)