Solved

NOD32 makes recurring 40GB temp file. Need batch file.

Posted on 2010-09-23
Last Modified: 2013-11-22
I upgraded ESET NOD32 from 2.7 to 4.0 on my SBS 2008 server this weekend. Within a couple of hours, Exchange was not working and the computer was freezing. I realized that in less than two hours I had gone from 40GBs of free space on C to < 500MBs, which explained Exchange's not working and other weird behavior. I found a file named NOD7776.tmp, which ironically in my Google search anyway was not found. Plenty of things on NOD777.

I moved the file and deleted it from the C drive and everything was fine. I emailed ESET and tech support told me that indeed it is a known issue and should be fixed in a few weeks with v4.3. I thanked him for letting me know ahead of time.

I then received another email stating quote, "The temp file will reappear, you may want to run a batch file to delete the file daily if you are running out of space on the server until the new release of ESMX 4.3."

So, this leaves me with many questions. How often does it appear? If the batch file runs at 7 am but the temp file is created at 3 am, then Exchange will stop working. How do I know it will "only" be 40GB next time? So, should I create this batch file? Should I uninstall and go back to 2.7 until the new version is out? Should I just turn the AV off on the server?

And, should I write to someone higher up at ESET and ask A) why aren't users being notified, and B) why would you recommend only a week ago that I upgrade knowing that there was a known issue?

The temp file (when it is there) is located at C:\Windows\Temp

If the batch file is possible and would be able to delete the file the moment it is made (I know very little about batch files), then maybe that is doable. So far, it has been 25 hours and no new meter-like temp file.

Thanks in advance.
Question by:Bert2005
8 Comments
 
LVL 70

Expert Comment

by:Qlemo
ID: 33751547
Firstly, yes, you should do something with the guys. Such a failure can be patched in one day.

To prevent further big temp files, the only way I know of is to run a scheduled task, say every hour, which looks for NOD777*.tmp files and deletes them. The scheduled task command is simply

   cmd /c del c:\Windows\temp\NOD777*.tmp /Q /F
0
 
LVL 1

Author Comment

by:Bert2005
ID: 33756682
Thanks Qlemo,

It works great, but I have three questions:

1. Do I schedule it using the Windows scheduler?
2. I tested it by making small NOD7776.tmp files. They were sent to the deleted items folder. Do the deleted items reside on the C: drive?
3. What if a temp file was made by NOD32 that was 50GB? Would it just crash the server so it couldn't even reboot?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 33758703
1. Yes
2. The del command does not use a deleted items folder, or trash bin. What it removes cannot be restored (that easily). So I don't get what you are asking here.
3. Bad luck. Probably the server won't crash, however some running applications might, if there is no free space anymore. If the server is crashing for the same or other reasons (e.g. power failure), it *might* happen that you cannot boot successfully. It never occurred to me, because usually some files are removed on boot anyways, allowing for booting.
Since you have *no* way to delete the file on creation, you have to live with the risk.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 33758810
Hi Qlemo,

Please forgive me. I hope I do not offend you as your batch file works great. And, maybe making one by using Notepad and naming it NOD7776.tmp doesn't count as the real temp file. I would think it does.

But, when I made that file and put it in the exact same place just to test it out, your delete file worked perfectly, but the file was in the recycle bin. Maybe I am doing something wrong.

Thanks again for all of your time.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 33758818
By the way, what is a temp file? I mean obviously it is a rather unneeded temporary file, but what purpose does it serve? Why would the antivirus program need to make a temp file?

You have basically answered my question and I will close it soon and award you the points. I am just keeping it open to see if anyone from the antivirus world will comment. It just seems too weird because I would think there are thousands of users out there who would have this issue if this is a known problem.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 33758877
I put it in the scheduler. Just as an FYI: There are a lot of default triggers that can be used. I scheduled it, but I wonder if any of those apply or if one could be made that says to run this batch file if any file named NOD777*.* is found?
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 33759948
It's really strange that the delete command should use the trash bin - never had that before. Nevertheless, any files contained there are permanently removed as soon as the space is needed. It should not be an issue hence. It remains strange.

A temp file is created by AV software if a ZIP (or otherwise compressed) file is being scanned, because scanning requires unpacking it. I assume the issue with NOD is that
  • there is no size limit configured (if that is possible at all),
  • it is trying to scan a very big ZIP file (some archive or backup file for example),
  • is stopped in action because there is no space available anymore,
  • and when interrupting the action does not remove the temp file.
About event/job triggers: There are a lot, and maybe there is even one that fits, but I cannot see any which would be. If you have one or more indicators in the event log, you can use them in the job trigger; but there is no "no space available" message (besides from the server service), and hence a failing service or application will report it. And you don't know which, and what the action is that application/service takes, and whether it logs into event log, ...

For that reason it is best to handle if you just run the job on schedule.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 33765508
OK, I think maybe "we" have figured it out. Came in today, and found my free space down to 4GB, then it went to 2GB, then up to 18GBs. I know sounds weird. Server was kind of acting funky, so rebooted, and I had 18.9GBs. I looked for a temp file and found NOD335e.tmp of (coincidence of all coincidences) 18.9GBs. Deleted it, and back in business. I guess we should have made the batch file less specific.

Anyway, after reading your explanation, I think the problem may be solved anyway. My backup program does a zip file backup and allows you to back it up locally, then it moves it to an external SATA drive. The partition is a large one, but still a couple of backups take up most of its space, so there are only two of the zip files which are about 38GBs apiece. This fits perfectly into your number two scenario.

So, I the F:\ partition, and I doubt we will continue to have the same issue. Thanks a lot. This was driving me crazy. The fix that ESET is probably coming out with is to look at some size limit and/or a report after that it couldn't scan that area.
0
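
The hourly cleanup from the accepted solution, widened to the "less specific" pattern the last comment asks for, as an added example that is not code from the thread or from ESET. It assumes PowerShell 2.0 or later is installed on the server; the `NOD*.tmp` pattern, the 1 GB threshold and the `C:\Scripts` script and log paths are illustrative choices.

```powershell
# Added example: delete oversized scanner temp files and log what happened.
# Assumed names: NOD*.tmp pattern, 1 GB threshold, C:\Scripts paths.
# One way to run it hourly (script path is hypothetical):
#   schtasks /Create /SC HOURLY /TN "NOD temp cleanup" /RU SYSTEM /TR "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\nod-temp-cleanup.ps1"
$TempDir = 'C:\Windows\Temp'
$Pattern = 'NOD*.tmp'      # matches both NOD7776.tmp and NOD335e.tmp
$MinSize = 1GB             # leave the small temp files of normal scans alone
$LogFile = 'C:\Scripts\nod-temp-cleanup.log'

function Write-Log([string]$Message) {
    $dir = Split-Path -Parent $LogFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $line = '{0}  {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    Add-Content -Path $LogFile -Value $line
}

function Get-FreeGB([string]$Drive) {
    # Free space of one logical disk, e.g. 'C:'
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    [math]::Round($disk.FreeSpace / 1GB, 1)
}

$candidates = Get-ChildItem -Path $TempDir -Filter $Pattern -Force |
    Where-Object { -not $_.PSIsContainer -and $_.Length -ge $MinSize }

foreach ($file in $candidates) {
    $sizeGB = [math]::Round($file.Length / 1GB, 1)
    try {
        # Remove-Item, like del, bypasses the Recycle Bin.
        Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
        Write-Log "Deleted $($file.Name) ($sizeGB GB), created $($file.CreationTime)"
    } catch {
        # Usually the file is still open in another process; the next run retries.
        Write-Log "Could not delete $($file.Name) ($sizeGB GB): $($_.Exception.Message)"
    }
}

# Record free space on every run so the log shows how fast the disk fills.
Write-Log "Free space on C: is $(Get-FreeGB 'C:') GB"
```

The log gives the creation time and size of each file removed, which answers the "how often does it appear" question over a few days of runs.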
