eScan log files, Endpoint Security 7.2.2055, and W10 1809 - 1903 upgrade

[John.From.VT 0]

On Friday we test upgraded a few PCs from 1809 to 1903. These PCs have had EES 7.2.2055 installed for about 2 months.

Since Friday, the .dat files in C:\ProgramData\ESET\ESET Security\Logs\eScan on only a couple have ballooned from being 2KB-2MB in size to anywhere from 2KB-77GB in size.

There's been no changes to ESET policies and the same policy is in use on all machines using 1809 or 1903.

From other forum postings regarding similar log issues -
Real-time file system protection > Threatsense > Log all objects is OFF. It is also off under Malware scans > Threatsense > Log all objects. Tools > Log files > Minimum logging verbosity is informative and we are deleting logs automatically that are older than 90 days.

Outside of trying a complete uninstall/reinstall, are there any other suggestions or thoughts?

[itman 1,659]

Do you have Idle-State scanning enabled?

[John.From.VT 0]

2 minutes ago, itman said:

Do you have Idle-State scanning enabled?

Yes, is there some known issues with the idle-state scanner? 

[itman 1,659]

4 minutes ago, John.From.VT said:

Yes, is there some known issues with the idle-state scanner? 

Basically Idle-State scanning is continuous scanning. Granted it only runs when the device is idle. However when one scan ends, another starts immediately as I understand it: https://help.eset.com/ees/7/en-US/idh_config_idle_scan.html . Eset documentation is silent on this subject but this is how I inferred it works.

In contrast a scheduled scan say set once a week runs just once during that weekly period. Therefore, I assume Idle-Time scanning is going to create a lot more log activity.

[John.From.VT 0]

1 minute ago, itman said:

Basically Idle-State scanning is continuous scanning. Granted it only runs when the device is idle. However when one scan ends, another starts immediately as I understand it: https://help.eset.com/ees/7/en-US/idh_config_idle_scan.html . Eset documentation is silent on this subject but this is how I inferred it works.

In contrast a scheduled scan say set once a week runs just once during that weekly period. Therefore, I assume Idle-Time scanning is going to create a lot more log activity.

I will throw the couple of computers with the large log files into a new policy where idle state scanning is disabled, see what happens, and report back. Thanks for the idea!

[itman 1,659]

Also verify that only one Eset scan is running at an given time. There could be a bug and multiple scans are triggering and running at the same time.

[John.From.VT 0]

Hmm. On the subject of logs, every idle-state scanning log is about a mile long and has issues in the C:\Windows.old directory (from the OS upgrade). I tried to export one of the logs to see how many lines of errors it has and the XML export ended up being 550MB. This is probably the issue.

One line item from the log:
C:\Windows.old\ProgramData\Microsoft\Windows\Containers\BaseImages\d8e0d7f1-c4b1-4fcd-a8cf-3900f85d9c2b\Files\Documents and Settings\All Users\Microsoft\Windows\Containers\BaseImages\19444ac6-99e9-4afc-84fc-efb454400ffb\BaseLayer\Files\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Containers\BaseImages\19444ac6-99e9-4afc-84fc-efb454400ffb\BaseLayer\Files\Users\All Users\Application Data\Application Data\Microsoft\Windows\Containers\BaseImages\19444ac6-99e9-4afc-84fc-efb454400ffb\BaseLayer\Files\ProgramData\Application Data\Microsoft\Windows\Containers\BaseImages\19444ac6-99e9-4afc-84fc-efb454400ffb\BaseLayer\Files\ProgramData\Application Data\Microsoft\Windows\Containers\BaseImages\19444ac6-99e9-4afc-84fc-efb454400ffb\BaseLayer\Files\Windows\System32\LockScreenContent.dll - unable to open [4]
 

[itman 1,659]

28 minutes ago, John.From.VT said:

On the subject of logs, every idle-state scanning log is about a mile long and has issues in the C:\Windows.old directory (from the OS upgrade).

I was thinking about that directory also since its a backup of prior OS version and is huge. You can always delete it if your upgrade is working trouble free. I believe Win will auto delete it after 10 days or so.

[John.From.VT 0]

So I disabled idle-state scanning and decided to also exclude the C:\Windows.old directory from scanning. Doing this stopped the creation of multi-GB log files throughout the day. The only logs created from the scheduled scans or external device scans are much more reasonably sized.