Large htt*.tmp files in c:\windows\temp on Win7

Discussion in 'ESET NOD32 Antivirus' started by chrisf, Dec 14, 2009.

Thread Status:
Not open for further replies.
  1. chrisf

    chrisf Registered Member

    Joined:
    Jul 13, 2007
    Posts:
    19
    I have a system running Windows 7 x64 and it is creating large htt*.tmp files in c:\windows\temp. I believe this is related to Axis Camera Station version 3 client viewing video from a server. I created exclusions which hopefully will help, but has anyone had this issue? Is there a resolution other than excluding the server? I have build 4.0.467

    Thanks
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd suggest creating 2 logs using Wireshark with HTTP communication captured; one with HTTP checking enabled and the other with HTTP checking disabled when the temp files are not created. Convey the logs to ESET as the developers will need to analyse the HTTP communication of your web cam.
     
  3. emgeton35

    emgeton35 Registered Member

    Joined:
    Apr 4, 2010
    Posts:
    1
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's not a problem in the true sense of the word, simply http streams do not end and thus the scanner cannot know when to stop writing to temp files and start scanning them. For this reason, it's strongly recommended to exclude the given address / application from protocol filtering.
     
  5. Leschy

    Leschy Registered Member

    Joined:
    Sep 23, 2007
    Posts:
    55
    Location:
    Munich
    try an update to version 4.2.35.0. I had the same problem while watching videos on youtube e.g.
     
  6. DAOWAce

    DAOWAce Registered Member

    Joined:
    Jul 30, 2009
    Posts:
    10
    Why is this not fixed?

    Another thread: https://www.wilderssecurity.com/showthread.php?t=253904

    I have a small system partition and ESS keeps writing ridiculously large files when viewing videos with Firefox. This leads to the "low disk space" notification appearing every time I stream media. EVERY SINGLE TIME. I have 2GB free. No program should ever write erroneous data for no apparent reason.

    It was reported well over half a year ago, why is it not fixed?


    And for the record, I'm using ESS.

    Edit: Look at the view count of this thread. Clearly there's been tons of people from google looking into this issue. I'm one of them.
     
    Last edited: Jun 17, 2010
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    There's nothing to fix unless the temporary files are not removed after an application downloading streamed data is closed. We are aware of one problem which causes the temp files to remain on the disk if the computer hibernates during the download, this will be fixed in the next build. If you don't want to have streamed files created at all, exclude the source address with the stream from content filtering.
     
  8. DAOWAce

    DAOWAce Registered Member

    Joined:
    Jul 30, 2009
    Posts:
    10
    You mean exclude my entire Firefox connection and impose a security risk upon myself?

    I'm not manually excluding whatever address I'm streaming from because that's well over 25 sites, some streaming third party content I can only guess the address of (unless I want to hassle myself and use network connection software to expose the addresses then find out which is correct).

    But maybe we have a confusion? I'm talking about simple web videos like 6 minute game reviews, not active streaming of something that doesn't end until I close the connection. The longer the video (E3 press conferences most recently), the bigger the files created by ESS, EVEN WITH IT DISABLED. That is a clear flaw in software design. If I disable it, it shouldn't interfere with anything I do. I fail to see why it nags me about it being disabled if it still tries to mess with things.

    ESET's software may be one of the best anti-virus software out there, but there's clearly poor design choices in the program. The feedback thread seems quite useless as I see things suggested from 2 years ago that I also want which don't exist in the program.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Are you positive that web protection was actually disabled before you started downloading the video? In such case, htt*.tmp files should not be created in the temp. folder at all.
     
  10. DAOWAce

    DAOWAce Registered Member

    Joined:
    Jul 30, 2009
    Posts:
    10
    If I recall correctly, it was disabled before I loaded the website with the video. I'm going to have to test again tomorrow with Firefox closed before I disable ESS.

    Edit: Alright, tested things out. Disabled realtime and antivirus/spyware protection AND also the firewall then loaded Firefox and went to a website to watch a video.

    Same result. Nearly 2GB of HTT*** files created even though ESS was disabled before I even loaded Firefox. Both Firewall and realtime protection. Both nagging me about being disabled each time I disabled them, being forced to click the popup's X or risk needlessly opening the window when trying to disable the other... this is really not a hassle free program. There should be an option to turn that notification off.
     
    Last edited: Jun 20, 2010
  11. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    Are you using latest build of ESS(i.e. 4.2.40) ?
     
  12. DAOWAce

    DAOWAce Registered Member

    Joined:
    Jul 30, 2009
    Posts:
    10
    Yeah, 64bit version. Funny that when I went to check the version that notification popped up saying ESS needs my attention. Sure is buggy, happens when updating too.

    New discovery: ESS also creates those HTT*.tmp files when recording video with FRAPS. That's bad.
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    To check if web access protection is actually disabled, download the eicar test file from http://www.eicar.org/download/eicar_com.zip. If it's detected, web protection is actually enabled.

    Could you create a demonstration video that would illustrate the issue with htt*.tmp files created with web protection disabled?

    Also I'd strongly suggest installing this hotfix from MS which fixes problems with memory leaks as well as temporary files not removed when the computer goes to hibernation mode: http://support.microsoft.com/kb/979223
     
  14. DAOWAce

    DAOWAce Registered Member

    Joined:
    Jul 30, 2009
    Posts:
    10
    There's a spot for improvement.

    ESS stopped me from downloading the file with the protection enabled and also with it disabled. I checked the main status window and saw everything disabled, but I didn't see anything about 'web access protection'. I check the setup tab and sure enough, there's web access protection showing enabled.

    Confused I was, so I tried testing something. I re-enabled protection and then chose the 'disable anti-virus and antispyware protection' option. Email and Web access protection were then disabled.

    Is this an oversight? I've been choosing 'disabled realtime file system protection' this entire time because it also was showing antivirus/spyware being disabled, or at least it was on the tray icon, changing both the options to 'enable'. It does this for both no matter which you select, yet you can re-enable filesystem protection without antivirus/spyware getting enabled. How that works, I've no idea. I've been assuming 'realtime filesystem protection' was on a higher level than antivirus because it was 1) Above it 2) Sounds like it's a higher priority and 3) also apparently fakely disables 'antivirus/spyware' protection, which I assumed was the same thing anyway. Now I know the bottom option is actually a completely global option which disables everything but the firewall and to disable that instead. I believe it should be the other way around.

    So anyway, I tested with web access protection actually disabled this time and no more temp files were created. However.. the free space on my drive still went down. I checked every folder on this storage drive where I moved the temp folder and I couldn't see any file or folders increasing, even with system files showing. I have no idea what the cause of that is, but it doesn't appear to be ESS anymore, so I assume.

    I hope to see this improved.
     
    Last edited: Jun 22, 2010
  15. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    Try to use the "CC Cleaner" it helps remove redundant and temporary files.
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    In order to disable all protection modules, you can right-click the EAV tray icon and select "Disable antivirus and antispyware protection".

    In order to disable real-time protection only, you can right-click the EAV tray icon and select "Disable antivirus and antispyware protection".

    In order to disable web protection or another protection module, open the main EAV panel, navigate to Setup -> Antivirus and antispyware and click Disable below the module you want to disable.
     
  17. DAOWAce

    DAOWAce Registered Member

    Joined:
    Jul 30, 2009
    Posts:
    10
    Always do. Doesn't remove the HTT*.tmp files though since they're in use by ESS.


    @Marcos: It's rather confusing. I believe something should be changed to provide more clarity to the user.


    Anyway, I've uninstalled ESS for now. Just have to deal with 2 new issues due to uninstalling ESS, yay me.

    Thread: https://www.wilderssecurity.com/showthread.php?p=1700066
     
  18. Flash_

    Flash_ Registered Member

    Joined:
    Nov 3, 2010
    Posts:
    3
    Is there any definite fix for this?

    One of the 20 machines I've licenced for Nod32 was running low on disk space and on checking, I found 236GB (yes, Gigs!) of HTT*.TMP files, each several gig in size, in \windows\temp

    This Win7 x64 machine is left on 24/7 so no regular startup cleaning of that dir is done (if that still happens on start) but if Nod32 is the cause of these files, and it looks very much like it is, it certainly is NOT deleting them automatically when the spawning application closes.

    Yes, they're easily removed once you know about it, but I have 20 machines that I'm now thinking may have the same problem is going to be happening on those to some degree and would like to know if a solution is available that can be applied from the central management console. (While keeping Threatsense)

    Thanks
     
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Have you already installed this WFP hotfix rollup from MS? I assume the computers in question are not downloading streamed video, are they?
     
  20. Flash_

    Flash_ Registered Member

    Joined:
    Nov 3, 2010
    Posts:
    3
    I've not, no - trying now. Thanks for the quick response.
     
  21. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
    Can someone confirm or deny this update has solved this problem for them?
     
  22. Flash_

    Flash_ Registered Member

    Joined:
    Nov 3, 2010
    Posts:
    3
    Yes, doing as suggested has indeed stopped the creation of these files. Just checked after doing so and no more are there.
     
Thread Status:
Not open for further replies.