John.From.VT (posted January 27, 2020): On Friday we test upgraded a few PCs from 1809 to 1903. These PCs have had EES 7.2.2055 installed for about 2 months. Since Friday, the .dat files in C:\ProgramData\ESET\ESET Security\Logs\eScan on only a couple have ballooned from being 2KB-2MB in size to anywhere from 2KB-77GB in size. There have been no changes to ESET policies, and the same policy is in use on all machines using 1809 or 1903. From other forum postings regarding similar log issues: Real-time file system protection > ThreatSense > Log all objects is OFF. It is also off under Malware scans > ThreatSense > Log all objects. Tools > Log files > Minimum logging verbosity is Informative, and we are automatically deleting logs that are older than 90 days. Outside of trying a complete uninstall/reinstall, are there any other suggestions or thoughts?
John.From.VT (thread author, posted January 27, 2020), replying to itman's "Do you have Idle-State scanning enabled?": Yes, are there some known issues with the idle-state scanner?
itman (posted January 27, 2020), replying to "Yes, are there some known issues with the idle-state scanner?": Basically Idle-State scanning is continuous scanning. Granted, it only runs when the device is idle. However, when one scan ends, another starts immediately, as I understand it: https://help.eset.com/ees/7/en-US/idh_config_idle_scan.html . Eset documentation is silent on this subject, but this is how I inferred it works. In contrast, a scheduled scan, say set once a week, runs just once during that weekly period. Therefore, I assume Idle-Time scanning is going to create a lot more log activity.
John.From.VT (thread author, posted January 27, 2020), replying to itman's post above ("Basically Idle-State scanning is continuous scanning. ... Therefore, I assume Idle-Time scanning is going to create a lot more log activity."): I will throw the couple of computers with the large log files into a new policy where idle-state scanning is disabled, see what happens, and report back. Thanks for the idea!
itman (posted January 27, 2020): Also verify that only one Eset scan is running at any given time. There could be a bug where multiple scans are triggering and running at the same time.
John.From.VT (thread author, posted January 27, 2020): Hmm. On the subject of logs, every idle-state scanning log is about a mile long and has issues in the C:\Windows.old directory (from the OS upgrade). I tried to export one of the logs to see how many lines of errors it has, and the XML export ended up being 550MB. This is probably the issue. One line item from the log: C:\Windows.old\ProgramData\Microsoft\Windows\Containers\BaseImages\d8e0d7f1-c4b1-4fcd-a8cf-3900f85d9c2b\Files\Documents and Settings\All Users\Microsoft\Windows\Containers\BaseImages\19444ac6-99e9-4afc-84fc-efb454400ffb\BaseLayer\Files\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Containers\BaseImages\19444ac6-99e9-4afc-84fc-efb454400ffb\BaseLayer\Files\Users\All Users\Application Data\Application Data\Microsoft\Windows\Containers\BaseImages\19444ac6-99e9-4afc-84fc-efb454400ffb\BaseLayer\Files\ProgramData\Application Data\Microsoft\Windows\Containers\BaseImages\19444ac6-99e9-4afc-84fc-efb454400ffb\BaseLayer\Files\ProgramData\Application Data\Microsoft\Windows\Containers\BaseImages\19444ac6-99e9-4afc-84fc-efb454400ffb\BaseLayer\Files\Windows\System32\LockScreenContent.dll - unable to open [4]
itman (posted January 27, 2020), replying to "On the subject of logs, every idle-state scanning log is about a mile long and has issues in the C:\Windows.old directory (from the OS upgrade).": I was thinking about that directory also, since it's a backup of the prior OS version and is huge. You can always delete it if your upgrade is working trouble-free. I believe Win will auto-delete it after 10 days or so.
John.From.VT (thread author, posted January 29, 2020): So I disabled idle-state scanning and decided to also exclude the C:\Windows.old directory from scanning. Doing this stopped the creation of multi-GB log files throughout the day. The only logs now created, from the scheduled scans or external device scans, are much more reasonably sized.
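An added example, not from the thread or from ESET, of how an admin could triage a large exported scan log before deciding on an exclusion: it parses lines shaped like the "unable to open [4]" entry quoted above, counts errors per top-level directory, and flags paths in which a segment such as "Application Data" repeats back to back, the pattern the Windows.old container base images produced. The log lines embedded below are constructed for the demonstration; the regex and the "Application Data" segment name are assumptions based on the single entry quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample entries in the shape of the quoted eScan line
# ("<path> - unable to open [4]"); not real log data.
SAMPLE_LOG = r"""
C:\Windows.old\ProgramData\Application Data\Application Data\Application Data\Microsoft\Windows\Containers\x.dll - unable to open [4]
C:\Windows.old\Users\All Users\Application Data\Application Data\Application Data\Application Data\foo.exe - unable to open [4]
C:\Users\jdoe\Documents\report.docx - unable to open [4]
C:\Windows.old\Windows\System32\LockScreenContent.dll - unable to open [4]
"""

# Assumed entry layout: path, separator " - ", then the error text.
ENTRY_RE = re.compile(r"^(?P<path>.+?) - (?P<msg>unable to open \[\d+\])$")


def parse_entries(text):
    """Return (path, message) tuples for every line that matches ENTRY_RE."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["path"], m["msg"]))
    return entries


def top_level_dir(path):
    """'C:\\Windows.old\\...' -> 'C:\\Windows.old' (drive plus first folder)."""
    parts = path.split("\\")
    return "\\".join(parts[:2])


def max_repeat(path, segment="Application Data"):
    """Longest run of `segment` repeated consecutively; a long run suggests
    a junction/reparse-point loop the scanner keeps descending into."""
    best = run = 0
    for seg in path.split("\\"):
        run = run + 1 if seg == segment else 0
        best = max(best, run)
    return best


def summarize(text, loop_threshold=3):
    """Count errors per top-level directory and list looping paths."""
    entries = parse_entries(text)
    by_dir = Counter(top_level_dir(p) for p, _ in entries)
    looping = [p for p, _ in entries if max_repeat(p) >= loop_threshold]
    return {"total": len(entries), "by_dir": dict(by_dir), "looping": looping}
```

Run `summarize()` over the text of a real export to see which directory dominates the error count; if it is the upgrade leftover, the exclusion the thread arrived at is the targeted fix rather than lowering logging verbosity globally.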