possibly access denied is the primary/secondary action when a threat is found in the OAS, ODS or PUP Deaful, Low Risk or High Risk policy that these hosts receive. Please check it.
(in your reply, please state the type and version of VSE, too)
In certain other situation this error can also be returned, for example see KB60542.
Could you prepare a query for those events so it also contains the following information:
- Threat name
- Threat category
- Event category
- Threat target/source file path (both if exist)
- Action taken
- Event Description
- Analyzer Detection method.
And upload a screenshot and the picture of it here.
The threat target file path suggests that the .lnk could be on a non-local drive such as a remote drive or a CD-ROM, or on an otherwise unwriteable location/position, which might refuse deleting the file ( a .LNK cannot be cleaned just deleted) so it returns an access denied message which may be the response VSE gets and just passes on.
I'm uncertain about that the Blocking tab's configuration relates in some way to the "access denied" that OAS gives when neither of the actions defined can be performed.
I was under the impression that "Blocking" means that whenever there is a threat intorduced on a user's computer in a shared folder, then the "remote user"'s ID who has copied, etc. the file there with be assigned a "No Access" right on the share (for the time limit defined also here).
What is your opinion?