NPS downloads chunks of a PKG into a temp folder, then reassembles them. Modern AV (Bitdefender, Malwarebytes, even Windows Defender's "Controlled Folder Access") sees a program trying to write a massive .pkg file to your drive and says: "That’s ransomware encrypting your documents."
Here is the deep dive into why NPS acts like it’s working but isn't, and how to actually solve it. Most people think NPS downloads from NPS. It doesn't. NPS is just a catalog (a giant .tsv file). It points your client to real servers (TSV, Google Drive, etc.). nopaystation not downloading pkg
The AV blocks the write permission, but doesn't kill the process. NPS gets a "Permission Denied" error, assumes the drive is full, and marks the job as complete to avoid crashing your system. NPS downloads chunks of a PKG into a