File accessed time changed

Hi Samantha, thank you very much!  I need some time to investigate further.   Thank you for the useful whitepaper.  Perhaps you can comment on this:

Using SysInternals procmon, I am seeing that one or two times a day, Dropbox mysteriously chooses perhaps three or four files to do procmon operations of QueryEAFile on the file (say C:\Users\Admin\Dropbox\PITCH.51:COM.DROPBOX.ATTRS) (which BTW returns an INVALID PARAMETER code) and causes Windows Defender (Msmpeng.exe) to open and read the first 26 bytes of the original file (C:\Users\Admin\Dropbox\PITCH.51) and close the file.  This may be what causes the file access time to change.  I have no idea what provoked Dropbox todo the QueryEAFile (see https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryinformationfile ) and I am aware many people have complained for years about such files being created and remaining around (not the case here - they do not remain around).  See https://help.dropbox.com/sync/extended-attributes  .

Dropbox always states it's likely a shared folder or syncing to a device that is using a different file system and this is needed to propagate extended attributes from one file system to another.  Fair enough.  But there are no other devices connected to the account (a Free account), everything has been revoked, the password was changed, 2FA was set up, sfc /scannow, chkdsk C: were done, no other anti-virus is running, I went through autoruns with a fine tooth comb and the issue persists and apparently had been going on for months.   I intend to study this, with hopefully your help -- otherwise I am overwhelmed trying to attempt this on another clean install of Windows 10.

Just a few files per day.  It gets more interesting: I will add that at one point I saw on the portal Security settings an Android device which was connected to an ASN router belonging to my ISP and a few miles from my home.  That was strange and smacks of (SWAG) MITM.  It's very challenging to research this and get Spectrum or Dropbox to help.  The natural inclination is: we do a great job and it has to be something on your end.  Understood.  But your help is appreciated and it's in your best interest to take this seriously, which I believe you do.  I deleted that connection and the issue persists.  I have never installed Dropbox on my Android phone.  If I am contacted privately, I will be happy to provide screenshots and more procmon logs.  Either I am being spied on (I have nothing to hide), my Dropbox is compromised/rogue, or my Windows Defender is compromised/rogue.  I will be studying this further. 

I am including a snippet of a procmon log for a file PITCH.51

This is important because Digital Forensics depends on the file access time for monitoring of file integrity and suspicious behaviors.  It is challenging enough to get that last access time correct and interpret it, Dropbox (or Windows defender) just confuse the matter if they are responsible for these (possibly) unnecessary file access updates.

I will continue to update as I learn more. 

Blessings!

Harry

Procmon for pitch.51