NOD32 makes recurring 40GB temp file. Need batch file.

Posted on 2010-09-23
Medium Priority
Last Modified: 2013-11-22
I upgraded ESET NOD32 from 2.7 to 4.0 on my SBS 2008 server this weekend. Within a couple of hours, Exchange was not working and the computer was freezing. I realized that in less than two hours I had gone from 40GBs of free space on C to < 500MBs, which explained Exchange's not working and other weird behavior. I found a file named NOD7776.tmp, which ironically in my Google search anyway was not found. Plenty of things on NOD777.

I moved the file and deleted it from the C drive and everything was fine. I emailed ESET and tech support told me that indeed it is a known issue and should be fixed in a few weeks with v4.3. I thanked him for letting me know ahead of time.

I then received another email stating quote, "The temp file will reappear, you may want to run a batch file to delete the file daily if you are running out of space on the server until the new release of ESMX 4.3."

So, this leaves me with many questions. How often does it appear? If the batch file runs at 7 am but the temp file is created at 3 am, then Exchange will stop working. How do I know it will "only" be 40GB next time? So, should I create this batch file? Should I uninstall and go back to 2.7 until the new version is out? Should I just turn the AV off on the server?

And, should I write to someone higher up at ESET and ask A) why aren't users being notified, and B) why would you recommend only a week ago that I upgrade knowing that there was a known issue?

The temp file (when it is there) is located at C:\Windows\Temp

If the batch file is possible and would be able to delete the file the moment it is made (I know very little about batch files), then maybe that is doable. So far, it has been 25 hours and no new meter-like temp file.

Thanks in advance.
Question by:Bert2005

Expert Comment

ID: 33751547
Firstly, yes, you should do something with the guys. Such a failure can be patched in one day.

To prevent further big temp files, the only way I know of is to run a scheduled task, say every hour, which looks for NOD777*.tmp files and deletes them. The scheduled task command is simply

   cmd /c del c:\Windows\temp\NOD777*.tmp /Q /F

Author Comment

ID: 33756682
Thanks Qlemo,

It works great, but I have three questions:

1. Do I schedule it using the Windows scheduler?
2. I tested it by making small NOD7776.tmp files. They were sent to the deleted items folder. Do the deleted items reside on the C: drive?
3. What if a temp file was made by NOD32 that was 50GB? Would it just crash the server so it couldn't even reboot?

Expert Comment

ID: 33758703
1. Yes
2. The del command does not use a deleted items folder, or trash bin. What it removes cannot be restored (that easily). So I don't get what you are asking here for.
3. Bad luck. Probably the server won't crash, however some running applications might, if there is no free space anymore. If the server is crashing for the same or other reasons (e.g. power failure), it *might* happen that you cannot boot successfully. It never occurred to me, because usually some files are removed on boot anyways, allowing for booting.
Since you have *no* way to delete the file on creation, you have to live with the risk.

Author Comment

ID: 33758810
Hi Qlemo,

Please forgive me. I hope I do not offend you as your batch file works great. And, maybe making one by using Notepad and naming it NOD7776.tmp doesn't count as the real temp file. I would think it does.

But, when I made that file and put it in the exact same place just to test it out, your delete file worked perfectly, but the file was in the recycle bin. Maybe I am doing something wrong.

Thanks again for all of your time.

Author Comment

ID: 33758818
By the way, what is a temp file? I mean obviously it is a rather unneeded temporary file, but what purpose does it serve? Why would the antivirus program need to make a temp file?

You have basically answered my question and I will close it soon and award you the points. I am just keeping it open to see if anyone from the antivirus world will comment. It just seems too weird because I would think there are thousands of users out there who would have this issue if this is a known problem.

Author Comment

ID: 33758877
I put it in the scheduler. Just as an FYI: There are a lot of default triggers that can be used. I scheduled it, but I wonder if any of those apply or if one could be made that says to run this batch file if any file named NOD777*.* is found?

Accepted Solution

Qlemo earned 2000 total points
ID: 33759948
It's really strange that the delete command should use the trash bin - never had that before. Nevertheless, any files contained there are permanently removed as soon as the space is needed. It should not be an issue hence. It remains being strange.

A temp file is created by AV software if a ZIP (or otherwise compressed) file is being scanned, because scanning requires unpacking it. I assume the issue with NOD is that
  • there is no size limit configured (if that is possible at all),
  • it is trying to scan a very big ZIP file (some archive or backup file for example),
  • is stopped in action because there is no space available anymore,
  • and when interrupting the action does not remove the temp file.
About event/job triggers: There are a lot, and maybe there is even one that fits, but I cannot see any which would be. If you have one or more indicators in the event log, you can use them in the job trigger; but there is no "no space available" message (besides from the server service), and hence a failing service or application will report it. And you don't know which, and what the action is that application/service takes, and whether it logs into event log, ...

For that reason it is best to handle if you just run the job on schedule.

Author Comment

ID: 33765508
OK, I think maybe "we" have figured it out. Came in today, and found my free space down to 4GB, then it went to 2GB, then up to 18GBs. I know sounds weird. Server was kind of acting funky, so rebooted, and I had 18.9GBs. I looked for a temp file and found NOD335e.tmp of (coincidence of all coincidences) 18.9GBs. Deleted it, and back in business. I guess we should have made the batch file less specific.

Anyway, after reading your explanation, I think the problem may be solved anyway. My backup program does a zip file backup and allows you to back it up locally, then it moves it to an external SATA drive. The partition is a large one, but still a couple of backups take up most of its space, so there are only two of these zip files which are about 38GBs apiece. This fits perfectly into your number two scenario.

So, I the F:\ partition, and I doubt we will continue to have the same issue. Thanks a lot. This was driving me crazy. The fix that ESET is probably coming out with is to look at some size limit and/or a report after that it couldn't scan that area.
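
Added example, not part of the original thread or of ESET's guidance: a scheduled cleanup that matches the wider NOD*.tmp pattern (the thread saw both NOD7776.tmp and NOD335e.tmp), deletes only oversized files so ordinary small scan temp files are left alone, and logs free space so the growth can be tracked. The 1GB threshold, the C:\Scripts paths, the task name and PowerShell 2.0 or later are assumptions.

```powershell
# Remove-NodTemp.ps1 -- added example; thresholds and paths below are assumptions.
param(
    [string]$TempDir  = 'C:\Windows\Temp',                 # location given in the question
    [string]$Pattern  = 'NOD*.tmp',                        # wider than NOD777*.tmp
    [long]  $MinBytes = 1GB,                               # assumed size threshold
    [string]$LogFile  = 'C:\Scripts\nodtemp-cleanup.log'   # hypothetical log path
)

function Write-Log($Message) {
    $dir = Split-Path $LogFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $line = '{0}  {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    Add-Content -Path $LogFile -Value $line
}

function Get-OversizedTemp($Dir, $Filter, $Bytes) {
    # Files only, matching the pattern, at or above the size threshold.
    Get-ChildItem -Path $Dir -Filter $Filter -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Length -ge $Bytes }
}

# Record free space on every run so the log shows how fast the disk fills.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"
Write-Log ('Free space on C: {0:N1} GB' -f ($disk.FreeSpace / 1GB))

foreach ($f in Get-OversizedTemp $TempDir $Pattern $MinBytes) {
    try {
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
        Write-Log ('Deleted {0} ({1:N1} GB)' -f $f.Name, ($f.Length / 1GB))
    } catch {
        # A file the scanner still holds open cannot be removed;
        # record the failure and let the next run retry.
        Write-Log ('Could not delete {0}: {1}' -f $f.Name, $_.Exception.Message)
    }
}

# Register as an hourly task running as SYSTEM (run once, elevated):
#   schtasks /Create /TN "NOD temp cleanup" /SC HOURLY /RU SYSTEM ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Remove-NodTemp.ps1"
```

Like del, Remove-Item bypasses the Recycle Bin, so the space is released immediately.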
