Installed product: ESET Endpoint Security
Product version: 8.1.2037.2
Operating system: Windows 10 (21H1) (OS Build 19043.1320)
I'm having an issue where scans never complete on workstations with Docker Engine for Windows installed (the underlying component of Docker Desktop). From what I can see, ESET is following junction (soft link) directories and thus ends up scanning the same files multiple times.
From https://docs.microsoft.com/en-us/windows/win32/fileio/hard-links-and-junctions:
Junctions are what Docker uses to implement a layered filesystem. Here's an example of a junction within a docker layer for the official Microsoft image "mcr.microsoft.com/windows/servercore:ltsc2019":
C:\ProgramData\docker\windowsfilter\095228c633e3bbbda1a54b3aa0b2defbc89aa883e8553b1e5081fb29583a6e46\Files>dir /a
Volume in drive C is OS
Volume Serial Number is 2E03-5E67
Directory of C:\ProgramData\docker\windowsfilter\095228c633e3bbbda1a54b3aa0b2defbc89aa883e8553b1e5081fb29583a6e46\Files
2021-11-03 04:33 PM <DIR> .
2021-11-03 04:33 PM <DIR> ..
2021-11-03 04:30 PM <DIR> Boot
2021-11-03 04:08 PM 408,826 bootmgr
2018-09-14 11:09 PM (1) BOOTNXT
2020-05-06 09:10 PM <JUNCTION> Documents and Settings [C:\Users]
2020-05-06 08:48 PM (5,510) License.txt
2021-11-03 11:32 PM <DIR> Program Files
2021-11-03 04:30 PM <DIR> Program Files (x86)
2021-11-03 11:32 PM <DIR> ProgramData
2021-11-03 04:33 PM <DIR> Users
2021-11-03 04:33 PM <DIR> Windows
3 File(s) 414,337 bytes
9 Dir(s) 658,207,408,128 bytes free
The problem here is that ESET scans the entire "C:\Users" directory twice: once as it encounters "C:\Users" directly and a second time as it encounters "C:\ProgramData\docker\windowsfilter\095228c633e3bbbda1a54b3aa0b2defbc89aa883e8553b1e5081fb29583a6e46\Files\Documents and Settings". And if there are multiple layers with a similar junction, then it potentially scans the same directory again and again for each layer that has a junction (soft link) to it.
How do we stop ESET from scanning the same directory over and over, when once is all that is required? For instance, is there a way to configure ESET to not follow junctions (soft links)?
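An added illustration, not part of the original post and not ESET's scanning logic: a minimal recursive walker run over a constructed tree that imitates the layer layout described above, counting how often one file is opened when links are followed, skipped, or followed with de-duplication by resolved target. Symlinks stand in for NTFS junctions, and the `layer0`/`layer1` directories, `alice` and `doc.txt` are constructed sample names.

```python
import os
import tempfile

def is_link(entry):
    # Symlink, or (Windows, Python 3.12+) an NTFS junction.
    if entry.is_symlink():
        return True
    is_junction = getattr(entry, "is_junction", None)
    return bool(is_junction and is_junction())

def scan(root, follow_links, dedupe=False):
    """Return every file path a recursive scan would open."""
    visited, seen, stack = [], {os.path.realpath(root)}, [root]
    while stack:
        with os.scandir(stack.pop()) as entries:
            for entry in entries:
                if not entry.is_dir():
                    visited.append(entry.path)
                    continue
                if is_link(entry) and not follow_links:
                    continue  # do not traverse the reparse point
                if dedupe:
                    real = os.path.realpath(entry.path)
                    if real in seen:
                        continue  # target already scanned via another path
                    seen.add(real)
                stack.append(entry.path)
    return visited

def build_sample_tree(base, layers=2):
    # Constructed layout imitating the post: each layer's Files directory
    # links "Documents and Settings" back to the top-level Users directory.
    users = os.path.join(base, "Users")
    os.makedirs(os.path.join(users, "alice"))
    with open(os.path.join(users, "alice", "doc.txt"), "w") as fh:
        fh.write("sample")
    for i in range(layers):
        files = os.path.join(base, "docker", "windowsfilter", f"layer{i}", "Files")
        os.makedirs(files)
        os.symlink(users, os.path.join(files, "Documents and Settings"),
                   target_is_directory=True)
    return base

def count_doc_scans(follow_links, dedupe=False, layers=2):
    # Number of times the single sample file is opened during one scan.
    with tempfile.TemporaryDirectory() as tmp:
        hits = scan(build_sample_tree(tmp, layers), follow_links, dedupe)
        return sum(1 for p in hits if os.path.basename(p) == "doc.txt")

if __name__ == "__main__":
    print("follow links:   ", count_doc_scans(True))
    print("skip links:     ", count_doc_scans(False))
    print("follow + dedupe:", count_doc_scans(True, dedupe=True))
```

With links followed, the file is opened once per layer plus once directly, so the cost grows with every layer that carries the same link.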