stevekay, posted August 13, 2020: I have multiple Windows 10 clients who are seeing 100% CPU utilization and gigabytes worth of log files being written every day to the escan folder. They are all running ESET Endpoint Antivirus 7.3.2039.0. Log all objects is disabled in the startup scan, the software has been removed and reinstalled, but the excessive logging continues.
Marcos (Administrators), posted August 13, 2020: The escan folder contains on-demand scanner logs. Couldn't it be that you have an on-demand scan scheduled to run too frequently and have logging of all objects enabled in the on-demand scanner profile that is used? You can delete the content of the escan folder or delete the logs via the GUI.
stevekay (Author), posted August 13, 2020: I have checked the on-demand, idle-state, and startup scan settings and all three have log all objects disabled.
Marcos (Administrators), posted August 13, 2020: Please collect logs with ESET Log Collector from the machine and upload the generated archive here.
Marcos (Administrators), posted August 16, 2020: Please collect logs again but with these artifacts selected: Also make sure to disable logging of blocked operations in the advanced HIPS setup:
stevekay (Author), posted August 17, 2020: I made the change to not log all blocked operations. Adding the additional artifacts to the log collector caused the file size to grow to 200 MB, so I can't upload it here.
Marcos (Administrators), posted August 17, 2020: You can upload it to wetransfer.com, for instance, and drop me a personal message with a download link.
stevekay (Author), posted August 17, 2020: I tried to send you a message but it tells me you cannot receive messages. Here's the link to download it: https://carecaminnovations-my.sharepoint.com/:u:/g/personal/steve_kay_newoceanhealth_com/ETud_PPQ1kNDsIUmlwHmtrYBYUu_ubpFa2_rQIgiplFzIg?e=UObDz0
Marcos (Administrators), posted August 17, 2020: You have enabled the Idle-state scanner in the advanced setup as well as logging of all objects scanned by the idle-state scanner. You can delete the content of the escan folder or on-demand scanner logs via the GUI.
stevekay (Author), posted August 17, 2020: So if I have idle-state scanning enabled but don't have logging enabled, then is there still a record of the scans somewhere? For compliance purposes I need to be able to show scan results. It's also only occurring on two machines, and during times when the machines are actively being used (i.e. not idle).
Marcos (Administrators), posted August 17, 2020: You have this option in the idle-state scanner setup enabled: Idle-state scanner logging can be enabled here:
stevekay (Author), posted August 17, 2020: Log all objects has been disabled everywhere, so I'll let you know if we still have issues. Thanks.
Marcos (Administrators), posted August 17, 2020: It's enabled, as can be seen in your configuration XML: <NODE NAME="LogAllEnable" TYPE="number" VALUE="1" /> It appears that it's applied via an ESMC policy.
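The thread ends with the setting being found in the exported configuration XML rather than in the GUI, which is the check worth automating when a policy may be re-enabling it. The script below is an added example, not ESET's code or anything from the thread; it assumes the export is a tree of `<NODE>` elements carrying `NAME`, `TYPE` and `VALUE` attributes (as the single node quoted above suggests), and the section names and nesting in the embedded sample are constructed for illustration.

```python
"""Audit an exported ESET configuration XML for sections where
'LogAllEnable' is set to 1, so the profile doing the excessive
logging can be identified even when the GUI shows it disabled."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: only the LogAllEnable node itself is taken from
# the thread; the section names and nesting are assumed for illustration.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<CONFIG>
  <NODE NAME="Profiles" TYPE="section">
    <NODE NAME="OnDemand" TYPE="section">
      <NODE NAME="LogAllEnable" TYPE="number" VALUE="0" />
    </NODE>
    <NODE NAME="IdleState" TYPE="section">
      <NODE NAME="Enabled" TYPE="number" VALUE="1" />
      <NODE NAME="LogAllEnable" TYPE="number" VALUE="1" />
    </NODE>
    <NODE NAME="Startup" TYPE="section">
      <NODE NAME="LogAllEnable" TYPE="number" VALUE="0" />
    </NODE>
  </NODE>
</CONFIG>
"""


def find_log_all_enabled(xml_text, setting="LogAllEnable"):
    """Return the NAME path of every section whose `setting` node has VALUE=1."""
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, path):
        name = elem.get("NAME")
        here = path + [name] if name else path
        if elem.tag == "NODE" and name == setting and elem.get("VALUE") == "1":
            hits.append("/".join(path))  # path of the enclosing section
        for child in elem:
            walk(child, here)

    walk(root, [])
    return hits


if __name__ == "__main__":
    # Pass an exported config path as argv[1]; otherwise audit the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for section in find_log_all_enabled(text):
        print(f"LogAllEnable=1 in section: {section}")
```

Run it against each client's exported configuration; a hit in a section whose GUI toggle appears off points at a policy-applied value, as in the thread.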