Excessive logging and CPU usage

[stevekay 0]

I have multiple Windows 10 clients who are seeing 100% CPU utilization and gigabytes worth of log files being written every day to the escan folder. They are all running ESET Endpoint Antivirus 7.3.2039.0. Log all objects is disabled in the startup scan, the software has been removed and reinstalled but the excessive logging continues.

[Marcos 5,070]

The escan folder contains on-demand scanner logs. Couldn't it be that you have an on-demand scan scheduled to run too frequently and have logging of all objects enabled in the on-demand scanner profile that is used?

You can delete the content of the escan folder or delete the logs via gui.

[stevekay 0]

I have checked the on-demand, idle-state, and startup scan settings and all three have log all objects disabled.

[Marcos 5,070]

Please collect logs with ESET Log Collector from the machine and upload the generated archive here.

[stevekay 0]

Attached.

eea_logs.zip

[Marcos 5,070]

Please collect logs again but with these artifacts selected:

Also make sure to disable logging of blocked operations in the advanced HIPS setup:

[stevekay 0]

I made the change to not log all blocked operations. Adding the additional artifacts to the log collector caused the file size to grow to 200 MB so I can't upload it here.

[Marcos 5,070]

You can upload it to wetransfer.com for instance and drop me a personal message with a download link.

[stevekay 0]

I tired to send you a message but it tells me you cannot receive messages. Here's the link to download it:

https://carecaminnovations-my.sharepoint.com/:u:/g/personal/steve_kay_newoceanhealth_com/ETud_PPQ1kNDsIUmlwHmtrYBYUu_ubpFa2_rQIgiplFzIg?e=UObDz0

 

 

[Marcos 5,070]

You have enabled the Idle-state scanner in the advanced setup as well as logging of all objects scanned by the idle-state scanner. You can delete the content of the escan folder or on-demand scanner logs via the gui.

[stevekay 0]

So if I have idle-state scanning enabled but don't have logging enabled, then is there still a record of the scans somewhere? For compliance purposes I need to be able to show scan results.

It's also only occurring on two machines, and during times when the machines are actively being used (i.e. not idle).

[Marcos 5,070]

You have this option in the idle-state scanner setup enabled:

Idle-state scanner logging can be enabled here:

[stevekay 0]

Log all objects has been disabled everywhere so I'll let you know if we still have issues.

Thanks.

[Marcos 5,070]

It's enabled as can be seen in your configuration xml:

        <NODE NAME="LogAllEnable" TYPE="number" VALUE="1" />

It appears that it's applied via an ESMC policy.