Solved

NOD32 makes recurring 40GB temp file. Need batch file.

Posted on 2010-09-23
Last Modified: 2013-11-22
I upgraded ESET NOD32 from 2.7 to 4.0 on my SBS 2008 server this weekend. Within a couple of hours, Exchange was not working and the computer was freezing. I realized that in less than two hours I had gone from 40GBs of free space on C to < 500MBs, which explained Exchange's not working and other weird behavior. I found a file named NOD7776.tmp, which ironically in my Google search anyway was not found. Plenty of things on NOD777.

I moved the file and deleted it from the C drive and everything was fine. I emailed ESET and tech support told me that indeed it is a known issue and should be fixed in a few weeks with v4.3. I thanked him for letting me know ahead of time.

I then received another email stating quote, "The temp file will reappear, you may want to run a batch file to delete the file daily if you are running out of space on the server until the new release of ESMX 4.3."

So, this leaves me with many questions. How often does it appear? If the batch file runs at 7 am but the temp file is created at 3 am, then Exchange will stop working. How do I know it will "only" be 40GB next time? So, should I create this batch file? Should I uninstall and go back to 2.7 until the new version is out? Should I just turn the AV off on the server?

And, should I write to someone higher up at ESET and ask A) why aren't users being notified, and B) why would you recommend only a week ago that I upgrade knowing that there was a known issue?

The temp file (when it is there) is located at C:\Windows\Temp

If the batch file is possible and would be able to delete the file the moment it is made (I know very little about batch files), then maybe that is doable. So far, it has been 25 hours and no new meter-like temp file.

Thanks in advance.
Question by:Bert2005
Expert Comment

by:Qlemo
Firstly, yes, you should do something with the guys. Such a failure can be patched in one day.

To prevent further big temp files, the only way I know of is to run a scheduled task, say every hour, which looks for NOD777*.tmp files and deletes them. The scheduled task command is simply

   cmd /c del c:\Windows\temp\NOD777*.tmp /Q /F
Author Comment

by:Bert2005
Thanks Qlemo,

It works great, but I have three questions:

1. Do I schedule it using the Windows scheduler?
2. I tested it by making small NOD7776.tmp files. They were sent to the deleted items folder. Do the deleted items reside on the C: drive?
3. What if a temp file was made by NOD32 that was 50GB? Would it just crash the server so it couldn't even reboot?
Expert Comment

by:Qlemo
1. Yes
2. The del command does not use a deleted items folder, or trash bin. What it removes cannot be restored (that easily). So I don't get what you are asking here.
3. Bad luck. Probably the server won't crash, however some running applications might, if there is no free space anymore. If the server is crashing for the same or other reasons (e.g. power failure), it *might* happen that you cannot boot successfully. It never occurred to me, because usually some files are removed on boot anyways, allowing for booting.
Since you have *no* way to delete the file on creation, you have to live with the risk.
Author Comment

by:Bert2005
Hi Qlemo,

Please forgive me. I hope I do not offend you as your batch file works great. And, maybe making one by using Notepad and naming it NOD7776.tmp doesn't count as the real temp file. I would think it does.

But, when I made that file and put it in the exact same place just to test it out, your delete file worked perfectly, but the file was in the recycle bin. Maybe I am doing something wrong.

Thanks again for all of your time.
Author Comment

by:Bert2005
By the way, what is a temp file? I mean obviously it is a rather unneeded temporary file, but what purpose does it serve? Why would the antivirus program need to make a temp file?

You have basically answered my question and I will close it soon and award you the points. I am just keeping it open to see if anyone from the antivirus world will comment. It just seems too weird because I would think there are thousands of users out there who would have this issue if this is a known problem.
Author Comment

by:Bert2005
I put it in the scheduler. Just as an FYI: There are a lot of default triggers that can be used. I scheduled it, but I wonder if any of those apply or if one could be made that says to run this batch file if any file named NOD777*.* is found?
Accepted Solution

by:Qlemo
Qlemo earned 500 total points
It's really strange that the delete command should use the trash bin - never had that before. Nevertheless, any files contained there are permanently removed as soon as the space is needed. It should not be an issue hence. It remains being strange.

A temp file is created by AV software if a ZIP (or otherwise compressed) file is being scanned, because scanning requires unpacking it. I assume the issue with NOD is that
  • there is no size limit configured (if that is possible at all),
  • it is trying to scan a very big ZIP file (some archive or backup file for example),
  • is stopped in action because there is no space available anymore,
  • and when interrupting the action does not remove the temp file.

About event/job triggers: There are a lot, and maybe there is even one that fits, but I cannot see any which would. If you have one or more indicators in the event log, you can use them in the job trigger; but there is no "no space available" message (aside from the server service), and hence a failing service or application will report it. And you don't know which, and what the action is that application/service takes, and whether it logs into event log, ...

For that reason it is best handled if you just run the job on schedule.
Author Comment

by:Bert2005
OK, I think maybe "we" have figured it out. Came in today, and found my free space down to 4GB, then it went to 2GB, then up to 18GBs. I know sounds weird. Server was kind of acting funky, so rebooted, and I had 18.9GBs. I looked for a temp file and found NOD335e.tmp of (coincidence of all coincidences) 18.9GBs. Deleted it, and back in business. I guess we should have made the batch file less specific.

Anyway, after reading your explanation, I think the problem may be solved anyway. My backup program does a zip file backup and allows you to back it up locally, then it moves it to an external SATA drive. The partition is a large one, but still a couple of backups take up most of its space, so there are only two of these zip files which are about 38GBs apiece. This fits perfectly into your number two scenario.

So, I the F:\ partition, and I doubt we will continue to have the same issue. Thanks a lot. This was driving me crazy. The fix that ESET is probably coming out with is to look at some size limit and/or a report after that it couldn't scan that area.
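
The hourly cleanup discussed in this thread, widened to any NOD*.tmp name (the second file found was NOD335e.tmp, which the NOD777*.tmp pattern misses), as an added example that is not code from the thread or from ESET. It assumes PowerShell 2.0 or later on the server; the size threshold, the script path and the log path are hypothetical choices.

```powershell
# Added example (not from the thread). Assumed/hypothetical: $MinSize, $LogFile,
# and the script location C:\Scripts\Remove-NodTemp.ps1.
#
# Scheduling it hourly, as suggested in the thread, from an elevated prompt:
#   schtasks /Create /TN "Purge NOD temp" /SC HOURLY /RU SYSTEM ^
#     /TR "powershell.exe -NoProfile -File C:\Scripts\Remove-NodTemp.ps1"

$TempDir = 'C:\Windows\Temp'                    # location given in the question
$MinSize = 1GB                                  # assumed threshold: leave small, in-use scanner temp files alone
$LogFile = 'C:\Scripts\nod-temp-cleanup.log'    # hypothetical log path

Get-ChildItem -Path $TempDir -Filter 'NOD*.tmp' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Length -ge $MinSize } |
    ForEach-Object {
        $file  = $_
        $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        $sizeGB = [math]::Round($file.Length / 1GB, 1)
        try {
            # -Force clears read-only attributes; a file the scanner still
            # holds open raises an error, which lands in the catch block.
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            Add-Content -Path $LogFile -Value "$stamp deleted $($file.Name) ($sizeGB GB)"
        }
        catch {
            # Keep a record so a growing, locked temp file is visible in the log
            # instead of silently filling the disk until the next run.
            Add-Content -Path $LogFile -Value "$stamp FAILED $($file.Name) ($sizeGB GB): $($_.Exception.Message)"
        }
    }
```

The log gives a record of how often the file reappears and how large it gets, which the one-line `del` command does not.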