NOD32 changing last modified date

Discussion in 'ESET NOD32 Antivirus' started by jprudente, Oct 17, 2011.

Thread Status:
Not open for further replies.
  1. jprudente

    jprudente Registered Member

    Joined:
    Sep 11, 2008
    Posts:
    29
    Hi All,

    I've run into a problem where group policy on Windows Vista is not deleting profiles despite being set to do so. After investigation, I've found the reason is that NTUSER.DAT as well as related NTUSER.DAT files within each user profile folder are having their last modified date changed by NOD32 on startup.

    I've used Process Monitor to confirm this is the case, and it clearly shows ekrn.exe accessing these files. My guess is it's loading each user's HKU registry hive to scan for viruses, etc., but I do not understand why the last modified date is changed.

    We are running NOD32 4.2.67, and this behavior only occurs on Vista, not on Windows 7.

    I would appreciate some feedback as to why this is the case and what to do about it. We have lab PCs with hundreds of profiles that cannot be deleted due to this bug.

    Thank you,
    James
     
  2. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Can you please confirm that the Preserve Last Access Timestamp option is enabled in your ESET NOD32 Antivirus v4.2.67 deployment on the clients running Microsoft Windows Vista? Thank you.

    Regards,

    Aryeh Goretsky
     
  3. jprudente

    jprudente Registered Member

    Joined:
    Sep 11, 2008
    Posts:
    29
    Yes, it is enabled. And we run the same configuration on all of our clients regardless of operating system.

    Thanks,
    James
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Do you mean that excluding files with the DAT extension in the real-time protection setup makes a difference? Real-time protection scans files that were previously accessed by the operating system or another application, so file scans should not cause problems with timestamps.
     
  5. jprudente

    jprudente Registered Member

    Joined:
    Sep 11, 2008
    Posts:
    29
    At this point I have not changed any settings from my normal configuration, and I don't think I want to exclude DAT files from scanning.

    I used Process Monitor specifically to watch what application was accessing the NTUSER.DAT files, and confirmed that NOD32 is doing so. The last modified timestamp is changing at the time NOD32 is accessing these files.

    James
     
  6. jprudente

    jprudente Registered Member

    Joined:
    Sep 11, 2008
    Posts:
    29
    Marcos - What do I have to do to make some headway in resolving this problem? I have double-checked my configuration on a test PC and cannot find anywhere that "Preserve Last Timestamp" is not set to "Yes."

    I have used Process Monitor to see what happens on a reboot, and confirmed that ekrn.exe is the process that's changing the date on these files. Nothing else other than ekrn.exe and svchost.exe accesses NTUSER.DAT, and svchost.exe is clearly telling the file system NOT to change the date. I can show this all with Process Monitor captures.

    I opened a support ticket (#764593) on the 18th and have not heard anything back.

    This is creating a rather substantial problem on our Vista PCs in labs... We have tens of gigs of profiles that can't be cleaned up as a result.

    I'd appreciate some help.

    Thanks,
    James
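    The timestamp check James describes, as an added diagnostic script (not from this thread or from ESET): it records the last-write time of every profile's NTUSER.DAT before a reboot and lists the hives that were touched afterwards, so the effect can be shown without a Process Monitor capture. It assumes an elevated PowerShell session and the standard ProfileList registry layout; the snapshot path is a placeholder.

```powershell
# Added example, not from the thread. Baseline and diff NTUSER.DAT last-write
# times across a reboot to see which profile hives were modified.
# Assumption: run elevated; profiles are found via the ProfileList key.
param(
    [string]$SnapshotPath = "$env:TEMP\ntuser-timestamps.csv"   # placeholder
)

function Get-NtUserTimestamps {
    # Walk ProfileList so we cover exactly the profiles the profile service
    # manages, rather than guessing from C:\Users\*.
    $listKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $listKey | ForEach-Object {
        $imagePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        if (-not $imagePath) { return }
        $dir  = [Environment]::ExpandEnvironmentVariables($imagePath)
        $hive = Join-Path $dir 'NTUSER.DAT'
        if (Test-Path -LiteralPath $hive) {
            # -Force is required because NTUSER.DAT is hidden+system.
            $item = Get-Item -LiteralPath $hive -Force
            [pscustomobject]@{
                Sid          = $_.PSChildName
                Hive         = $hive
                LastWriteUtc = $item.LastWriteTimeUtc.ToString('o')   # round-trippable
            }
        }
    }
}

function Compare-NtUserTimestamps {
    param([string]$Path)
    $current = @(Get-NtUserTimestamps)
    if (-not (Test-Path -LiteralPath $Path)) {
        # First run: write the baseline, then reboot and run again.
        $current | Export-Csv -LiteralPath $Path -NoTypeInformation
        Write-Host "Baseline of $($current.Count) hives written to $Path; reboot and rerun."
        return
    }
    $baseline = @{}
    Import-Csv -LiteralPath $Path | ForEach-Object { $baseline[$_.Sid] = $_.LastWriteUtc }
    foreach ($entry in $current) {
        $before = $baseline[$entry.Sid]
        # Any hive whose last-write time moved forward was rewritten since the
        # baseline; those are the profiles an age-based cleanup policy will skip.
        if ($before -and ([datetime]$entry.LastWriteUtc -gt [datetime]$before)) {
            [pscustomobject]@{ Sid = $entry.Sid; Hive = $entry.Hive
                               Before = $before; After = $entry.LastWriteUtc }
        }
    }
}

Compare-NtUserTimestamps -Path $SnapshotPath | Format-Table -AutoSize
```

    Run it once to write the baseline, reboot, and run it again; on a machine showing the behaviour in this thread, hives of profiles nobody logged into will still appear in the output.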
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I've tried running regedit or accessing ntuser.dat but in either case the file was not accessed by ekrn. Could you please upload the Procmon log somewhere and PM me the download link so that I can check it out?
     
  8. jprudente

    jprudente Registered Member

    Joined:
    Sep 11, 2008
    Posts:
    29
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi James,
    thank you for sharing this information, really appreciated :)

    Marcos
     