[BUG] Corporate AV (ESET) quarantines plugin installs mid-rename — surfaced as bare EBUSY/EPERM, leaves half-installed state
Environment
- Claude Code 2.1.207, native Windows 11 Pro (10.0.26200)
- Corporate-managed ESET Endpoint Security (real-time protection, standard enterprise policy — no local admin control)
Summary
On a Windows machine with ESET real-time protection, claude plugin marketplace add and claude plugin install fail non-deterministically with EBUSY/EPERM: operation not permitted, rename .... The actual cause is the AV scanning/quarantining the freshly downloaded files during the tool's clone→rename step — but nothing in the error output suggests AV involvement, so it reads like a transient file-lock race. We lost roughly an hour retrying before ESET's own notification revealed it was quarantining the content as a threat.
Repro (what we observed)
claude plugin marketplace add trailofbits/skills-curated
→ EPERM: operation not permitted, rename '...\plugins\marketplaces\trailofbits-skills-curated' -> '...\plugins\marketplaces\skills-curated'
→ retry: same failure as EBUSY. The clone completes; the final rename always loses.
claude plugin install superpowers@claude-plugins-official(pinned sha from the official marketplace)
→ EBUSY: resource busy or locked, rename '...\plugins\cache\temp_git_...' -> '...\plugins\cache\claude-plugins-official\superpowers\6.1.1' — reproducible on every attempt (3/3).
- Meanwhile
pyright-lsp@claude-plugins-officialinstalled cleanly — the interference is content-dependent, consistent with AV signature/heuristic hits (the ToB marketplace repo vendors genuine pentest-content skills; superpowers ships lifecycle-hook scripts). - Failed installs leave
temp_git_*directories inplugins/cache/that cannot be moved or deleted while the AV holds handles (Permission denied), plus (in an earlier case on this machine) a plugin recorded inenabledPluginsin settings.json without an entry ininstalled_plugins.json— an "enabled but not installed" zombie.
Why this is worth fixing in the installer (independent of any AV vendor)
AV-scan-during-rename is endemic on corporate Windows; ESET is just today's instance (see also #63470 for Norton TLS interception, #67800 for Smart App Control — same class of problem: security software interference surfacing as cryptic failures).
Suggested improvements:
- Detect the pattern and say so. Repeated
EBUSY/EPERMon renaming a freshly downloaded directory is a strong AV signal. A hint like "Your antivirus may be scanning or quarantining the downloaded files — check its detection log" would have saved the debugging session. - Retry the final rename with backoff (or copy-then-delete as fallback). The clone itself succeeds every time; only the rename races the scanner.
- Clean up on failure. Remove
temp_git_*leftovers (best-effort, they may be AV-locked — then say so) and never leaveenabledPlugins/installed_plugins.jsondisagreeing. - Consider per-plugin sparse fetch for marketplace installs. Installing one benign markdown-only plugin from
trailofbits/skills-curatedcurrently materializes the entire marketplace repo — including security-testing skills (ffuf, exploit-methodology content) that corporate AVs will flag even though the user never asked for them. Fetching only the requested plugin's directory would shrink the AV attack surface dramatically.
ESET detection details
The local ESET logs are encrypted; detection name(s) per the GUI: _[to be added — ESET → Tools → Log files → Detections]_
Resolution on our side
Dropped the flagged plugins (no AV workarounds on a managed device); kept pyright-lsp + frontend-design which install and run untouched.