stevekay, posted August 13, 2020:
I have multiple Windows 10 clients who are seeing 100% CPU utilization and gigabytes worth of log files being written every day to the escan folder. They are all running ESET Endpoint Antivirus 7.3.2039.0. Log all objects is disabled in the startup scan, the software has been removed and reinstalled but the excessive logging continues.

Marcos (Administrators), posted August 13, 2020:
The escan folder contains on-demand scanner logs. Couldn't it be that you have an on-demand scan scheduled to run too frequently and have logging of all objects enabled in the on-demand scanner profile that is used? You can delete the content of the escan folder or delete the logs via the GUI.

stevekay, posted August 13, 2020:
I have checked the on-demand, idle-state, and startup scan settings and all three have log all objects disabled.

Marcos (Administrators), posted August 13, 2020:
Please collect logs with ESET Log Collector from the machine and upload the generated archive here.

stevekay, posted August 16, 2020:
Attached. eea_logs.zip

Marcos (Administrators), posted August 16, 2020:
Please collect logs again but with these artifacts selected:
Also make sure to disable logging of blocked operations in the advanced HIPS setup:

stevekay, posted August 17, 2020:
I made the change to not log all blocked operations. Adding the additional artifacts to the log collector caused the file size to grow to 200 MB so I can't upload it here.

Marcos (Administrators), posted August 17, 2020:
You can upload it to wetransfer.com for instance and drop me a personal message with a download link.

stevekay, posted August 17, 2020:
I tried to send you a message but it tells me you cannot receive messages. Here's the link to download it: https://carecaminnovations-my.sharepoint.com/:u:/g/personal/steve_kay_newoceanhealth_com/ETud_PPQ1kNDsIUmlwHmtrYBYUu_ubpFa2_rQIgiplFzIg?e=UObDz0

Marcos (Administrators), posted August 17, 2020:
You have enabled the Idle-state scanner in the advanced setup as well as logging of all objects scanned by the idle-state scanner. You can delete the content of the escan folder or on-demand scanner logs via the GUI.

stevekay, posted August 17, 2020:
So if I have idle-state scanning enabled but don't have logging enabled, then is there still a record of the scans somewhere? For compliance purposes I need to be able to show scan results. It's also only occurring on two machines, and during times when the machines are actively being used (i.e. not idle).

Marcos (Administrators), posted August 17, 2020:
You have this option in the idle-state scanner setup enabled:
Idle-state scanner logging can be enabled here:

stevekay, posted August 17, 2020:
Log all objects has been disabled everywhere so I'll let you know if we still have issues. Thanks.

Marcos (Administrators), posted August 17, 2020:
It's enabled, as can be seen in your configuration XML:
<NODE NAME="LogAllEnable" TYPE="number" VALUE="1" />
It appears that it's applied via an ESMC policy.
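
One way to check an exported configuration XML for every place where LogAllEnable is still set, and which profile it belongs to, as an added example that is not part of the original thread and is not ESET tooling. The sample XML is constructed: only the LogAllEnable NODE line appears in the thread, and the ITEM names and nesting around it are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only the LogAllEnable NODE line comes from the thread;
# the ESET/ITEM wrapper elements and their names are assumed for illustration.
SAMPLE_CONFIG = """\
<ESET>
  <ITEM NAME="scanners">
    <ITEM NAME="ondemand_profile">
      <NODE NAME="LogAllEnable" TYPE="number" VALUE="0" />
    </ITEM>
    <ITEM NAME="idle_state_profile">
      <NODE NAME="Enabled" TYPE="number" VALUE="1" />
      <NODE NAME="LogAllEnable" TYPE="number" VALUE="1" />
    </ITEM>
  </ITEM>
</ESET>
"""


def find_enabled(xml_text, setting="LogAllEnable"):
    """Return the NAME path of every NODE where `setting` has a non-zero VALUE."""
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, path):
        # Build the path from NAME attributes so the result does not depend
        # on how deeply the export nests its sections.
        name = elem.get("NAME")
        here = path + [name] if name else path
        if elem.tag == "NODE" and name == setting:
            value = (elem.get("VALUE") or "0").strip()
            if value not in ("", "0"):
                hits.append("/".join(here))
        for child in elem:
            walk(child, here)

    walk(root, [])
    return hits


if __name__ == "__main__":
    for hit in find_enabled(SAMPLE_CONFIG):
        print("logging of all objects enabled at:", hit)
```

A hit in a profile that shows the option as disabled in the local GUI is consistent with the setting being pushed by a management policy, as in the last reply above.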