
| Subject: | Resolution of "Events from one domain logged on a different domain's DC" |
|---|---|
| Date: | Tue, 18 Jan 2005 13:42:34 -0800 |
OK, since there have been a considerable number of replies to my original post (see http://archives.neohapsis.com/archives/ntbugtraq/2004-q4/0142.html) with requests to be notified of the resolution or cause, I figured I'd try to post the findings and resolution for the issue. (Russ, sorry if that's against the rules.)

A quick background on what I've done to try to trap the events and get a notification as soon as they happen: I've set up a notification system using WMI and event subscription, so as soon as event ID 529 or 681 is generated I get an e-mail notification. With that in place, all that was left to do was sit back and wait for the bells to go off.

Here is the cause of the issue:

JDoe-PC is a Windows XP SP2 machine in DomainB (I have confirmed that the issue is successfully duplicated from any WinXP SP2 PC). The user JDoe would attempt to insert a JPG file into an MS Word doc when the error events would be generated on DomainA's DC (don't ask how many times I had to hear "I wasn't doing anything"). The JPG file is located in a folder which holds a number of other folders and files (the path to the file is z:\USERS\USERFILES\MYLOGO.JPG). JDoe has the view in Windows Explorer set to "thumbnails", and this is the biggie, because it does not happen if the view is set to anything else. The USERFILES folder also contains a folder, let's call it "MAPPING", which contains shortcuts to the resources on the servers in DomainA; the shortcuts are only used by a special group, members of which must provide a user name and password to connect to those resources (needless to say, JDoe is not a member of that group and has no knowledge of the shortcuts).

So what seems to happen is the following: on JDoe-PC, with the view set to "thumbnails" and using Windows Explorer, navigate to z:\USERS\USERFILES\; as soon as I land in that directory, I get the error event 681 or 529 notification in the e-mail.

Now the fact that the MAPPING folder is directly at the root of z:\USERS\USERFILES\ is also a consideration, because if I bury the MAPPING folder inside another folder, e.g. z:\USERS\USERFILES\testfolder\MAPPING, then just being in z:\USERS\USERFILES\ does not produce the same effect.

My guess is that Windows Explorer in XP SP2 attempts to enumerate/scan the folders in an attempt to classify them as either "documents" or "photo album" or something else (there are a few of them; you can see them all if you right-click on a folder and select Properties->Customize->"What kind of folder do you want?" dropdown), then upon encountering a shortcut it tries to follow it, thus ending up actually trying to connect to the resources that the shortcuts are pointing to.

So in my case the error messages were actually a good thing; however, one could argue that there is a possible security flaw in the way MS Windows Explorer tries to classify folders when in thumbnails view. For now I'm too pooped to think about that, but it may not be a bad topic for a discussion.

And the resolution, I guess, is to either change the view from thumbnails to something else or to bury the MAPPING folder one or two directories deep.

As a side note, I do realize that my explanation may be confusing, so please feel free to e-mail me with questions for clarification or follow-up. Once again, thank you to everyone who responded.

Best regards,
Boris Yakubov
P+W Software, Inc.
(818) 707-7690

--
NTBugtraq Editor's Note: Most viruses these days use spoofed e-mail addresses. As such, using an anti-virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. We suggest such notifications be disabled by whoever is responsible for your AV, or at least that the idea be considered.
--
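The poster describes trapping event IDs 529 and 681 with "WMI and event subscription" but does not show how. The following is an added example, not code from the original post (which in 2005 would most likely have used a WSH/VBScript consumer rather than PowerShell). It builds a permanent WMI subscription on the domain controller: a `__EventFilter` that polls the Security log, the built-in `SMTPEventConsumer` that sends the mail, and the `__FilterToConsumerBinding` that joins them. The SMTP relay, sender and recipient addresses, and the subscription name are placeholders; the event ID mapping for newer Windows versions is stated from general knowledge, not from the post.

```powershell
# Added example (not from the original post): permanent WMI event subscription that
# e-mails an alert whenever event ID 529 or 681 is written to the Security log.
# Must be run from an elevated prompt on the machine whose log you want to watch
# (here, DomainA's DC). The subscription lives in root\subscription and survives reboots.

$SmtpServer = 'smtp.example.internal'      # assumption: internal relay that accepts mail from this host
$From       = 'dc-alerts@example.internal' # placeholder sender
$To         = 'secops@example.internal'    # placeholder recipient
$Name       = 'FailedLogonMailer'          # arbitrary name shared by filter and consumer

# 1. Filter: poll for new Security-log records every 10 seconds.
#    529 = logon failure (unknown user name or bad password), 681 = NTLM credential
#    validation failure. These are Windows 2000/2003 IDs; on Vista and later the
#    equivalents are 4625 and 4776 (assumption stated here, not from the post).
$query = @"
SELECT * FROM __InstanceCreationEvent WITHIN 10
WHERE TargetInstance ISA 'Win32_NTLogEvent'
  AND TargetInstance.Logfile = 'Security'
  AND (TargetInstance.EventCode = 529 OR TargetInstance.EventCode = 681)
"@

$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{
    Name           = $Name
    EventNamespace = 'root\cimv2'   # Win32_NTLogEvent lives here, not in root\subscription
    QueryLanguage  = 'WQL'
    Query          = $query
}

# 2. Consumer: the standard SMTPEventConsumer. %TargetInstance.<Property>% tokens are
#    expanded per event, so the mail carries the record that fired the filter.
$body = 'Time: %TargetInstance.TimeGenerated%' + "`r`n" +
        'Record: %TargetInstance.RecordNumber%'  + "`r`n" +
        '%TargetInstance.Message%'

$consumer = Set-WmiInstance -Namespace root\subscription -Class SMTPEventConsumer -Arguments @{
    Name       = $Name
    SMTPServer = $SmtpServer
    FromLine   = $From
    ToLine     = $To
    Subject    = 'Failed logon event %TargetInstance.EventCode% on %TargetInstance.ComputerName%'
    Message    = $body
}

# 3. Binding: from this point on every matching event produces one e-mail.
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $filter
    Consumer = $consumer
} | Out-Null

# Teardown (also the shape of the query an incident responder runs when hunting for
# rogue subscriptions): remove binding first, then consumer, then filter.
# Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
#     Where-Object { $_.Filter -match $Name } | Remove-WmiObject
# Get-WmiObject -Namespace root\subscription -Class SMTPEventConsumer -Filter "Name='$Name'" | Remove-WmiObject
# Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='$Name'" | Remove-WmiObject
```

Two caveats a practitioner will want. First, `WITHIN 10` is a polling interval: the filter is evaluated by periodic scans of the log, so a burst of failures between scans arrives as a burst of mails, and a tighter interval costs CPU on the DC. Second, permanent WMI subscriptions run as LocalSystem and persist across reboots, which is exactly why attackers use the same three classes for persistence; any environment that adopts this for alerting should also baseline root\subscription so an unexpected filter/consumer pair stands out.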