Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1574
  • Last Modified:

NOD32 makes recurring 40GB temp file. Need batch file.

I upgraded ESET NOD32 from 2.7 to 4.0 on my SBS 2008 server this weekend. Within a couple of hours, Exchange was not working and the computer was freezing. I realized that in less than two hours I had gone from 40GBs of free space on C to < 500MBs, which explained Exchange's not working and other weird behavior. I found a file named NOD7776.tmp, which ironically in my Google search anyway was not found. Plenty of things on NOD777.

I moved the file and deleted it from the C drive and everything was fine. I emailed ESET and tech support told me that indeed it is a known issue and should be fixed in a few weeks with v4.3. I thanked him for letting me know ahead of time.

I then received another email stating quote, "The temp file will reappear, you may want to run a batch file to delete the file daily if you are running out of space on the server until the new release of ESMX 4.3."

So, this leaves me with many questions. How often does it appear. If the batch file runs at 7 am but the temp file is created at 3 am, then Exchange will stop working. How do I know it will "only" be 40GB next time? So, should I create this batch file? Should I uninstall and go back to 2.7 until the new version is out? Should I just turn the AV off on the server?

And, should I write to someone higher up at ESET and ask A) why aren't users being notified, and B) why would you recommend only a week ago that I upgrade knowing that there was a known issue?

The temp file (when it is there) is located at C:\Windows\Temp

If the batch file is possible and would be able to delete the file the moment it is made (I no very little about batch files), then maybe that is doable. So far, it has been 25 hours and no new meter-like temp file.

Thanks in advance.
  • 5
  • 3
1 Solution
QlemoC++ DeveloperCommented:
Firstly, yes, you should do something with the guys. Such a failure can be patched in one day.

To prevent from further big temp files, the only way I know of is to run a scheduled task, say every hour, which looks for NOD777*.tmp files and deletes them. The scheduled task command is simply

   cmd /c del c:\Windows\temp\NOD777*.tmp /Q /F
Bert2005Author Commented:
Thanks Qlemo,

It works great, but I have three questions?

1. Do I schedule it using the Windows scheduler?
2. I tested it by making small NOD7776.tmp files. They were sent to the deleted items folder. Do the deleted items reside on the C: drive?
3. What if a temp file was made by NOD32 that was 50GB? Would it just crash the server so it couldn't even reboot?
QlemoC++ DeveloperCommented:
1. Yes
2. The del command does not use a deleted items folder, or trash bin. What it removes cannot be restored (that easy). So I don't get what you are asking here for.
3. Bad luck. Probably the server won't crash, however some running applications might, if there is no free space anymore. If the server is crashing for the same or other reasons (e.g. power failure), it *might* happen that you cannot boot successfully. It never occured to me, because usually some files are removed on boot anyways, allowing for booting.
Since you have *no* way to delete the file on creation, you have to live the risk.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Bert2005Author Commented:
Hi Qlemo,

Please forgive me. I  hope I do not offend you as your batch file works great. And, maybe making one by using Notepad and naming it NOD7776.tmp doesn't count as the real temp file. I would think it does.

But, when I made that file and put it in the exact same place just to test it out, your delete file worked perfectly, but the file was in the recycle bin. Maybe I am doing something wrong.

Thanks again for all of your time.
Bert2005Author Commented:
By the way, what is a temp file. I mean obviously it is a rather unneeded temporary file, but what purpose does it serve? Why would the antivirus program need to make a temp file?

You have basically answered my question and I will close it soon and award you the points. I am just keeping it open to see if anyone from the antivirus world will comment. It just seems too weird because I would think there are thousands of users out there who would have this issue if this is a known problem.
Bert2005Author Commented:
I put it in the scheduler. Just as an FYI: There are a lot of default triggers that can be used. I scheduled it, but I wonder if any of those apply or if one could be made that says to run this batch file if any file named NOD777*.* is found?
QlemoC++ DeveloperCommented:
It's really strange that the delete command should use the trash bin - never had that before. Nevertheless, any files contained there are permanently removed as soon as the space is needed. It should not be an issue hence. It remains being strange.

A temp file is created by AV software if a ZIP (or otherwise compressed) file is being scanned, because scanning requires to unpack it. I assume the issue with NOD is that
  • there is no size limit configured (if that is possible at all),
  • it is trying to scan a very big ZIP file (some archive or backup file for example),
  • is stopped in action because there is no space available anymore,
  • and when interrupting the action does not remove the temp file.
About event/job triggers: There are a lot, and maybe there is even one that fits, but I cannot see any which would be. If you have one or more indicators in the event log, you can use them in the job trigger; but there is no "no space available" message (besides from the server service), and hence a failing service or application will report it. And you don't know which, and what the action is that application/service takes, and whether it logs into event log, ...

For that reason it is best to handle if you just run the job on schedule.
Bert2005Author Commented:
OK, I think maybe "we" have figured it out. Came in today, and found my free space down to 4GB, then it went to 2GB, then up to 18GBs. I know sounds weird. Server was kind of acting funky, so rebooted, and I had 18.9GBs. I looked for a temp file and found NOD335e.tmp of (coincidence of all coincidences) 18.9GBs. Deleted it, and back in business. I guess we should have made the batch file less specific.

Anyway, after reading your explanation, I think the problem may be solved anyway. My backup program does a zip file backup and allows you to back it up locally, then it moves it to an external SATA drive. The partition is a large one, but still a couple of backups take up most of its space, so there are only two of thee zip files which are about 38GBs apiece. This fits perfectly into your number two scenario.

So, I the F:\ partition, and I doubt we will continue to have the same issue. Thanks a lot. This was driving me crazy. The fix that ESET is probably coming out with is to look at some size limit and/or a report after that it couldn't scan that area.

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now