100% C: usage when SCEP is running a full scan

Hi,

I currently have an issue where a 2012 Server is filling its C: drive while running full scans.

Files are created in C:\Windows\Temp with the prefix TMP00000 and no extension. These seem to grow in size until they are filling the remaining free space (~40GB) and then once it hits ~100MB free it deletes the file.

Procmon tells me that the MsMpEng.exe is creating and writing to this file.

Can anyone tell me why it is creating these files and why it is trying to use all remaining free space? I can't see any configuration to allow me to change from C:\Windows\Temp (I can only assume it's using the %temp% variable).

I notice that while the file is filling up and eating free space, the Item listed on the SCEP console is still changing so it doesn't appear to be getting stuck on a single file. I also note that there are no entries listed in the Event viewer either.

Thanks

Alex

March 29th, 2015 9:55pm


Hi Alex,

Did MsMpEng.exe find any anti-virus? Does the issue only occur when performing a full scan? Please capture a screenshot of the SCEP version.

April 2nd, 2015 1:55am


Hi Alex,

As a guess, it would be that we're decompressing zips or cabs. Could you please check in Procmon whether, before MsMpEng.exe writes to this file, it is accessing the zips or cabs?

Archives are extracted to disk during a scan.

Thanks.

April 3rd, 2015 2:54am
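
The check requested above, as an added example that is not part of the original thread: it reads a Procmon CSV export and maps each TMP file that MsMpEng.exe writes in C:\Windows\Temp to the last .zip or .cab the same process touched beforehand. It assumes Procmon's default column set (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the sample rows and their paths are constructed, and "last archive touched before the write" is a heuristic, not proof of cause.

```python
import csv
import io
import ntpath
import re

ARCHIVE_EXTS = {".zip", ".cab"}      # container types named in the thread
TEMP_DIR = r"c:\windows\temp"        # where the TMP0000* files appear
SCANNER = "msmpeng.exe"
LENGTH_RE = re.compile(r"Length: ([\d,]+)")

# Constructed sample in the assumed Procmon CSV layout (not real capture data).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.0000001","MsMpEng.exe","1234","ReadFile","D:\Backups\archive01.zip","SUCCESS","Offset: 0, Length: 65,536"
"10:01:00.0000002","MsMpEng.exe","1234","WriteFile","C:\Windows\Temp\TMP0000001A","SUCCESS","Offset: 0, Length: 1,048,576"
"10:01:00.0000003","svchost.exe","900","WriteFile","C:\Windows\Temp\other.log","SUCCESS","Offset: 0, Length: 512"
"10:01:00.0000004","MsMpEng.exe","1234","WriteFile","C:\Windows\Temp\TMP0000001A","SUCCESS","Offset: 1,048,576, Length: 1,048,576"
"10:01:00.0000005","MsMpEng.exe","1234","ReadFile","D:\Data\report.docx","SUCCESS","Offset: 0, Length: 4,096"
'''

def correlate(csv_text):
    """Return {temp_file: {"archive": path_or_None, "bytes": total_written}}."""
    last_archive = None
    found = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != SCANNER:
            continue                          # only the scanner's own I/O matters
        path, op = row["Path"], row["Operation"]
        ext = ntpath.splitext(path)[1].lower()
        if op in ("CreateFile", "ReadFile") and ext in ARCHIVE_EXTS:
            last_archive = path               # remember the most recent archive
        elif (op == "WriteFile"
              and ntpath.dirname(path).lower() == TEMP_DIR
              and ntpath.basename(path).upper().startswith("TMP")):
            entry = found.setdefault(path, {"archive": last_archive, "bytes": 0})
            m = LENGTH_RE.search(row["Detail"])
            if m:                             # Procmon prints "Length: 1,048,576"
                entry["bytes"] += int(m.group(1).replace(",", ""))
    return found

if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-8-sig").read()
    for tmp, info in correlate(SAMPLE_CSV).items():
        print(f"{tmp}: {info['bytes']} bytes written, last archive: {info['archive']}")
```

A temp file whose archive is None was written before any .zip or .cab access appeared in the capture, which would point away from archive extraction as the cause.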

Hi Aaron,

Forums won't let me post a screenshot because I'm not verified, yet it won't email me to verify me.

Details are: Antimalware version: 4.7.209.0

Engine Version: 1.1.11502.0

Antivirus Def: 1.195.2247.0

Antispyware Def: 1.195.2247.0


Thanks,

Alex

April 7th, 2015 6:41pm

Hi Aaron,

It looks like this may well be the case. I haven't seen it run a huge one yet, but monitoring procmon shows that it is in fact MsMpEng.exe writing the temp files to C:\Windows\Temp. Is there a way to modify the location used for scanning or does it default to the %temp% location when run as the System account?

Thanks,

Alex

April 7th, 2015 6:45pm

Hi Alex,

Maybe you can use one of the following workarounds:

1. Disable Scan archive files.

2. Limit the archive size and depth. This can only be configured via GPO (ADMX).

3. Change the temp folder location. http://blogs.msdn.com/b/astebner/archive/2006/01/15/513134.aspx

Thanks.

April 8th, 2015 5:50am

This topic is archived. No further replies will be accepted.
