***URGENT***: new NOD32 4.2BE clts scanning ALL past Outlook emails

Discussion in 'ESET Endpoint Products' started by Reedmikel, Feb 2, 2012.

Thread Status:
Not open for further replies.
  1. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Hi All,

    I'm in need of a quick reply. I just installed NOD32 4.2BE last night at a client with 15 PCs and an Exchange 2003 SBS. Apparently as each user logs in this morning, NOD32 starts scanning ALL their Outlook emails, going back to day 1! Yikes - that is killing the Exchange server and network :eek:

    This results in the typical "Outlook is trying to retrieve data from the Microsoft Exchange Server..." balloon message on all PCs.

    What policy setting can I tweak to stop this insanity? I'm sure I could disable the plug-in altogether, but I'd rather change some setting to delay scanning of historical emails to after hours, or at a much slower pace.

    Thanks!!
    -Mike
     
  2. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    That behavior is by design and only happens once the first time the anti-virus software is installed on a system for a new user. I don't know of a way to stop it short of disabling the plugin, but it usually settles down after the first day. If you are running AV software with Exchange support directly on the server, then you might as well disable the Outlook integration since it is redundant. If you aren't running your clients in cached mode then I would highly recommend you do so as it will reduce the impact of activities like this on the server.
     
  3. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Wow, that seems like a poor design IMO. I can only imagine what would happen with a larger customer. So basically my customer is unable to work for a day - they are not going to be happy. And I can't say I blame them.

    I guess others are simply disabling the Outlook integration? Otherwise, how do they handle say 50 or 100 users after initial NOD32 deployment, let alone more than that?

    My suggestion to ESET: add some new settings to limit the impact, such as:
    - a "priority" setting that we could set to LOW so that scans of preexisting emails are done at a much slower pace

    - a "do not scan emails older than?" setting. I might set it initially to 6 months so that several years worth of emails are skipped. I could then modify the settings days later and change it to 12 months. Days later take it to 18 mos etc.

    - a "delay initial scan of emails until: hh:mm" setting. That way users could be instructed to leave Outlook open at end of their day and let the Outlook plug-in start scanning after hours. (If only this oddity were documented, I would have logged in on each PC and started Outlook late last night.)

    - maybe default to NOT scanning preexisting emails, unless done as a scheduled task. Guess they'd have to add a new email scan task?

    I'm sure the developers could think of even better approaches, but something should really be done to address this. The current design makes my first day of supporting NOD32 a very crappy day :mad:
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I have Nod32 AV 5.0.95.0 not the BE so what I have for you may not apply.

    Under advanced setup

    > Web and email
    > Email client Protection
    > Email clients
    > Turn off ALL options by unticking boxes

    If this works during the day then some dark quiet night come in and turn on the scan options you want. I just scan incoming; I don't rescan after an update.

    Good luck!
     
  5. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Again, if you are running in cached mode this will not be an issue because all the IOPS hit the local disk. Microsoft strongly recommends you configure your clients that way.

    Our initial rollout was while our Outlook clients were still running in online mode and our similar concerns made us stagger the deployment by department. Users with large mailboxes to scan saw some degraded performance, but no one was absolutely locked out of using their Outlook. If you have an appropriate amount of RAM allocated to Exchange then most of the normal user activity should be serviced out of that cache while the scanning grinds up spare IOPS on the disk.
     
  6. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Outlook is set for cached mode on all PCs. ESET support suggested disabling by setting "Integrate into MS Outlook" to NO, as well as setting "Enable resolution of Microsoft Outlook synchronization issues" to 51. I have no clue what setting the latter to 51 will do. I did not see any messages listed under the client's Sync Issues folders in Outlook. But, they are all seeing the balloon message "Outlook is trying to retrieve...". Is that symptom somehow addressed by a setting of 51?

    Also, in addition to suggesting to disable Outlook integration, ESET support then stated:
    this disables scanning at Outlook client level - but does not affect network level scanning.
    No idea what they are getting at with that statement...

    As if things aren't confusing enough, I was asking ESET to explain the difference between the Email Filter, Scanner (Email filter - Outlook) and Email Client policy sections. But the person was not sure what the differences were, and most importantly if the first two sections were applicable/enforced when Outlook integration is set to NO?

    A lot of the problems stem from the fact that the vast majority of policy settings have no explanation when viewed in our ERAC's Policy Editor, nor does the ERAC user guide describe them. I have noticed that even ESET support folks sometimes do not recall precisely what some settings do. So it sure would benefit everybody to get this stuff documented!

    Totally frustrated...
     
    Last edited: Feb 2, 2012
  7. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    I think the problem is going to be that the default NOD32 policy settings do not work well on Outlook/Exchange clients that have very large mailboxes (some as much as 7GB). Plus, ESET told me that Outlook users running with cached Exchange accounts often need to have the policy setting "Enable resolution of Microsoft Outlook synchronization issues" changed from 0 to 51. What amazed me is that ESET claims running in cached mode is NOT the norm, and that they designed the default settings for non-cached. All of my clients run in cached mode, and I think we are pretty typical.
     
  8. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Newbies - beware! Be very careful if you are deploying NOD32 to a business environment where there is a sizable Exchange data store! With only 15 users, NOD32 crippled my client's computers and network yesterday. The default policy settings just do not play well in an Exchange environment where mailboxes are sizable. The largest users had 3 to 7GB mailboxes. That just sucks the life out of each computer as the Outlook client scans all the freakin past emails. And, as best I can surmise, it also bloats the Exchange store, as it writes header info to every email!

    ESET has some homework to do IMO. Their first project should be to GET THE POLICY SETTINGS DOCUMENTED!!! It was ridiculous for the ESET support person (Tom) to tell me yesterday "well, if we documented the settings then users would mess up their policies and end up calling us". This is plain stupid! This is a highly technical product being sold to IT admins, who are highly technical. WE NEED TO KNOW EXACTLY WHAT EVERY POLICY SETTING DOES. To be clear: I am asking for policy settings to be documented in the ERAC user guide as well as in the ERAC software itself. Admins use ERAC to view and modify policies, so there needs to be good documentation right in ERAC.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Upon the first start of Outlook after installation of EAV/ESS, Outlook adds a special property to each of the emails in Inbox so that they are not scanned. How many emails do you have in Inbox? (hundreds or thousands) Do you have another plugin installed in Outlook that might trigger scanning of messages in other than the Inbox folder on read? Does disabling scanning of read emails make a difference?
     
  10. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    The customer has 15 users, with the owner having a 7GB mailbox. I'm looking at one of the larger user's mailboxes right now: it has 32,643 messages in Inbox, many of which likely have attachments. That Inbox size represents about 3.5GB of his total mailbox size (4.9GB).

    Total of Exchange store is about 35GB.

    Is just the Outlook INBOX scanned on newly deployed NOD32 machines? How about subfolders under Inbox? How about other mail folders that are at same level as Inbox?

    No, there are no other AVAS Outlook add-ins or spam filters etc. Prior AV was VIPRE Enterprise, which was completely removed prior to installing NOD32. I checked running processes, and there's no sign of VIPRE.

    My suggestion to ESET would be to learn from this incident and possibly modify the default policy settings to not scan preexisting emails. Also, warning new users of this potential issue, and maybe suggesting that NOD32 deployment be carefully scheduled so that Outlook can be run during non-business hours on all machines.

    Lastly, PLEASE get the policy settings documented. I will not give up on this point, as it just makes ZERO sense not to provide us technical admins with the info we need to INTELLIGENTLY create our policies.
     
  11. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Marcos - one other comment: yesterday when I spoke with Tom (ESET Prem support for Labtech users), he thought that all this scanning of Outlook emails would be confined to the local machine *if* caching (.ost file) was enabled on the user's Exchange account. So he was at a loss to explain why there would be lots of network traffic clogging up customer's network...

    Since NOD32 does mark/flag each email's header, doesn't that require Outlook to sync this data back to the Exchange server? If so, that explains the network congestion, which was incredibly disruptive to the customer.
     
    Last edited: Feb 3, 2012
  12. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Marcos - please see my prior two posts. Thks!
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    After installation of EAV/ESS, Outlook goes through all messages in Inbox and, for the purpose of optimization and avoiding scanning of existing messages, adds a special property to each of the messages. ESET does not scan the messages at all. Of course, if you have > 32,000 messages in Inbox it may take a while to sync them with the Exchange server. I, for one, don't think that keeping such a big volume of messages in Inbox is wise. I, for one, have < 500 messages there and have automatic archiving of older messages enabled in order to prevent Inbox from growing indefinitely.
     
  14. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Interesting, so the first time Outlook starts after NOD32 has been installed, the existing messages are not scanned for viruses/malware. BUT, NOD32 does have to flag each message by writing something to it (I imagine in each item's header) in order to avoid scanning it in the future?

    How about my other questions? e.g. what about Inbox's subfolders, or any other mail folders - do mail items in these other folders have to get "marked" too?

    I wish all clients only had 10 messages in their mailboxes, but that is not reality :) Nor is 500. That is just your personal preference, right? Ask 10 IT pros and you'll get 10 different opinions as to the max # messages that should be in one's Inbox.

    So, now that ESET knows some users may have TENS of THOUSANDS of emails in their INBOX (and the resulting network chaos this can cause), maybe it would be wise to either change the default policy settings to avoid this? Or schedule it for after hours? Oh, and wouldn't it be wise to DOCUMENT THESE POLICY SETTINGS? You know I am not going to give up on this topic :) ESET has to get these policy settings documented. It's a win-win situation for all parties involved.

    Because of this deployment fiasco, I now have all email "filtering" and scanning disabled in my policy.
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    It's better to mark messages and thus prevent them from being scanned than actually scan them and bring the system to a crawl.
    If they weren't marked first, all messages would be scanned upon the first inbox change.

    Perhaps you might consider disabling the plug-in for MS Outlook and let ESET scan received messages only.
     
  16. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    I can tell you that "marking" them, brought customer's network to a crawl for HOURS. I can only imagine if NOD32 scanned them too :)

    Why isn't this kind of information documented? Or, if it is, where do I find it?

    You still didn't answer my other question about whether ANY folders, other than Inbox, are "marked"? e.g. subfolders of Inbox
     
  17. AltairSystems

    AltairSystems Registered Member

    Joined:
    Feb 7, 2012
    Posts:
    1
    Location:
    New Zealand
    NOD32 Business Edition v 4.2.76 also crippled my client's Emails / Outlook
    And they only have 14 users

    What's more is I have a Policy setting that applies some settings - like disables email Outlook integration, and, for purposes of testing to see if policy applies, "advanced mode" is enabled.

    However none of this seems to be applying, and I have to manually disable email client protection on each PC. All the client PCs are still in "standard" GUI mode when I check, so nothing seems to be applying.

    So I have a two-tier issue - not only has ESET crippled my client's business emails for the morning, I can't even fix it via Policy...
     
  18. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Maybe ESET will realize that more than one customer is being affected. They really need to rethink their default policy settings. Plus, since they don't provide any documentation on all the policy settings, things like this are just bound to happen.

    I like the NOD32 product and ERAC, but not the lack of policy docs and warnings about how email scanning/marking can cripple even small networks.
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    What will satisfy the op?

    ESET has responded here with suggestions as have others.

    It is one thing to raise problems, and this is good, but what has happened at the op's end? His system is brought to a crawl.

    How important is it to scan emails anyway? If you have an AV like Nod32 and a FW setup and safe sender IDs and your HIPS is dealing with any executable attachments if they are opened, I know many guys who say you don't need to scan email.

    MS Outlook does well on its own filtering out spam.

    Turn off the whole d...n email scanning functions in your lan network, all of them in all applications, and beef up your host file list, turn on the RT AV scanners to max and forget the email business until Nod32 does what you want, if ever.

    If not to your liking, bite the bullet, remove this business version and replace it with a hardware FW device with AV embedded. :D

    There, I said it, and I ask everybody's forgiveness in advance!
     
  20. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Escalader - do you work for ESET?

    Seriously, I am a new ESET user and installed it with ESET's default policy settings at my first client site and it CRIPPLED their network for a good part of a day :mad: And obviously I am not the only one, as AltairSystems posted here too. And when I spoke with support they told me it has happened to others too. So ESET is aware of this, yet has not chosen to change the applicable default policy setting(s), nor have they documented anything in regards to this issue.

    You seem to be saying that new users should know to disable the email "marking" of all existing messages by adjusting some policy setting. WELL, SINCE THESE BEHAVIORS ARE NOT DOCUMENTED, HOW THE HECK IS A NEW USER SUPPOSED TO KNOW THIS?

    Sorry for shouting, but I was just trying to make a point (more to ESET than you).

    FYI - one of the purposes of forums like this is for users to report their experiences (good or bad). When problems are reported, hopefully ESET learns from it and responds in a way to make future releases better. So that's what I am hoping to achieve with this thread...

    Cheers,
    -Mike
     
  21. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Hi Marcos - Can you answer my question below?

    Also, are you 100% sure that after a new install of NOD32 (v4.2 BE), that old emails are not also scanned? I saw numerous ESET alerts display on some of these computers when Outlook was running for the first time after NOD32 had been installed. The alerts seemed to indicate that something suspicious was found and being sent to ESET for analysis. That suggests to me that items were being scanned *and* marked.

     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi Mike:

    Were you shouting? Well I never noticed, my hearing aids are still not installed! :D

    Yes I do work secretly for Eset o_O That is why I offered you the rip it out option and replace the whole thing with a H/W firewall with AV embedded. :rolleyes:

    On a serious note I have zero loyalty to any vendors, but not having been around here as long as I have, you cannot be expected to know or care about that.

    You are trying to debug a vendor's setup and their documentation. It won't work.

    But I hope you prove me wrong. :thumb:
     
  23. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Marcos - following up on my previous questions to you (see quote below), I noticed on my own workstation that an email that was sent to me back in April 2011 was moved by ESET to an Outlook "Infected Items" folder shortly after having installed NOD32. Why would NOD32 scan (and clean) this old email message? It appended the following to this email:

    __________ ESET NOD32 Antivirus warning, version of virus signature database 6821 (20120123) __________
    Warning, ESET NOD32 Antivirus found the following threats in the message:

    Order details.zip - Win32/TrojanDownloader.Chepvil.A trojan - deleted
    Order details.zip > ZIP > Order details.exe - Win32/TrojanDownloader.Chepvil.A trojan - was a part of the deleted object

    http://www.eset.com


    So it sure seems that NOD32 scans old emails in Outlook after NOD32 is installed. Yet I thought you said it only "marked" messages in the INBOX. Furthermore, this message was not in my INBOX, but a different mail folder. So maybe it marks (and scans) all folders? Does ERAC provide any log or history of infected items found in email scans? I'd like to find out what initiated the scan, as supposedly it should never have occurred, right?

    Thanks,
    -Mike

     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    see attachment
     

  25. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Thanks for the screen shot Escalader, which I assume is not part of ERAC. I imagine you got it from the agent GUI. Unfortunately, there is not much correlation between where settings are found in the NOD32 agent GUI vs ERAC.

    It is also not clear to me what things like Email to scan: Read email means. Does it mean emails that Outlook has flagged as "Read", or maybe it just means emails that exist at the time NOD32 is installed? Also, what folders are scanned - just Inbox or all mail folders?

    And exactly what does Accept scan results from other modules mean? The limited explanation I found in the NOD32 agent software simply says "If this option is selected, the email protection module accepts scan results of other protection modules". Are they referring to other ESET modules, or other AV software? e.g. many AV products write info into email headers. Is that what this option refers to?

    It is very hard for a newbie to have a thorough understanding of all these policy settings when ESET uses only a few words to describe them. I can guess on what many of the settings do, but that can be risky when you are deploying to hundreds or thousands of machines! IMO there needs to be more documentation on every setting.

    I am still hoping Marcos can answer my last set of questions...
     