Jump to content

Lots of Files in Temp Dir hold open by a2guard

iammike

By iammike,
in Emsisoft Anti-Malware Home

 Share

Recommended Posts

iammike

iammike

Posted
Posted (edited)

With the new version (10.0.0.5361) I am seeing that a2guard is creating files (with random names 32 chars in length and ending with .tmp) in the users temp dir which are locked.

 

Everytime I open EAM it's creating more and more (at the moment 26 already) and the filesize is increasing.

 

Why is this ?

 

Edit: When Closing EAM "Security Overview" Window, the number of files that are locked go down to 11.

Edited by iammike
Link to comment
Share on other sites
iammike

iammike

Posted
  • Author
Posted

Those files are created by the error reporting component we use and nothing to worry about.

Oke, but can you do change it that it logs to a Subdirectory as "JeremyNicoll" suggests to make it obvious that the files are created by EAM ?

 

<snip> If EAM must create these things, could it please do it in an Emsi subdirectory of %TEMP% so that they are easier to ignore?

Link to comment
Share on other sites
Fabian Wosar

Fabian Wosar

Posted
Posted

We do use a whole lot of "anonymous temporary files" and always have. Especially when unpacking archives during scans. I guess you simply didn't notice them before since unlike these new files they aren't there all the time. That being said, we decided to roll back to an older version for a different reason. So at least for the immediate future you won't have to deal with those temporary files anymore.

Link to comment
Share on other sites
JeremyNicoll

JeremyNicoll

Posted
Posted

I have no problem with an app creating a temporary file, using it, and then deleting it.  But - for me - any app that creates files which hang around for long periods of time should ideally do so in a way that identifies what created it.  I really dislike apps that don't clean up temporary files after the app ends.   Many users, especially naive ones, end up with thousands of files in TEMP.  I don't; I prune them either manually or in the past (before W8 which I've not yet got all my normal scripts running in) automatically.  If an app starts creating files there, I will usually look at the files, and their time of creation, and see if I can understand why they are there.  Was something being installed for example?  Is such a file a log for some update being applied?  (If so I will rename it and keep it, if the thing being updated is significant).   

 

If you've turned the feature off, I thank-you.

Link to comment
Share on other sites
Pilis

Pilis

Posted
Posted (edited)

Isn't that what this Temp-directory (%USERPROFILE%\AppData\Local\Temp or %TEMP%) is for? A place where third-party programs can store their temporary files. Many many other programs temporarily store some files in there. There are all sorts of log-files getting created during installation or while updating a software.

I'm not sure what's the reason to "manage" those files other than regularly deleting the content of that folder (or letting Windows do that job for you).

 

Edit: You were faster, JeremyNicoll.

Edited by Pilis
Link to comment
Share on other sites
JeremyNicoll

JeremyNicoll

Posted
Posted

I keep log files (indeed in earlier versions of Windows I had registry keys set so that every MSI install would create a verbose log there even if not configured to do so), along with notes of what was being updated and when, because it's a useful resource for diagnosing problems.   'Managing' the files means deleting most of them, but keeping an eye on what gets created to see if some app has changed its behaviour, or perhaps some aspect of the OS has suddenly gone wrong or got turned on.   But if the owner/creator or files that get created in TEMP cannot readily be identified it's much harder to be properly aware of what's going on.   I wouldn't "let Windows" delete such files for me because it will not be intelligent about deciding which ones to delete.

Link to comment
Share on other sites
Fabian Wosar

Fabian Wosar

Posted
Posted

I have no problem with an app creating a temporary file, using it, and then deleting it.  But - for me - any app that creates files which hang around for long periods of time should ideally do so in a way that identifies what created it.

It is not like these files are hanging around. They are created on process start to swap some information that is exceptionally rarely used and that would otherwise be kept in RAM to disk. They are also created with the "Delete On Close" flag set. So the files are deleted by the file system driver automatically the moment the process that opened them either releases its file handle to the file or closes. So even if the process crashes because of an error before it could clean up, the file still ends up being deleted properly. The only way you can realistically end up with left over files from this is either a power outage or a blue screen. But in both these cases you likely have other, bigger problems.

Link to comment
Share on other sites
Fabian Wosar

Fabian Wosar

Posted
Posted

The files ARE hanging around; in TEMP now I see eleven of these files, all of which were created more than 8 hours ago.

And when you close EAM they are gone? So how exactly is that "hanging around"? Do you object to the fact that they are there while they are used?

Why aren't they in RAM taking advantage of virtual memory?

I would assume you mean paging? Paging can be disabled by the user. You also, as an application developer, don't have full control over the paging algorithm that Windows uses. Maintaining your own file gives you more control, which usually results in much better performance as you can optimize your own paging strategy to your specific workflows and requirements.
Link to comment
Share on other sites
JeremyNicoll

JeremyNicoll

Posted
Posted

The thing is, I never close EAM, except when I shutdown the machine.  So what you're saying is that there will always be 11 weird-named files in temp...    As for managing priority in paging, doesn't the OS page-out little-used pages - surely it's meant to?   And you said that whatever's in the files is "some information that is exceptionally rarely used", but now you're saying you need to be able to control the files/pages for performance reasons.  Why does performance matter for little-used data?

Link to comment
Share on other sites
Fabian Wosar

Fabian Wosar

Posted
Posted

The thing is, I never close EAM, except when I shutdown the machine.  So what you're saying is that there will always be 11 weird-named files in temp...    As for managing priority in paging, doesn't the OS page-out little-used pages - surely it's meant to?   And you said that whatever's in the files is "some information that is exceptionally rarely used", but now you're saying you need to be able to control the files/pages for performance reasons.  Why does performance matter for little-used data?

Because they are rarely used, the conservative approach of the standard Windows paging mechanism is not the best choice. It tries to keep as much stuff in memory. We know however, that in 99% of all cases, we won't need that data during our process life time at all, so it really should be paged out immediately.

Anyway, it's not the existence of the files that annoys me so much as their random names.

Which is essentially personal preference. So unless we make the name of the temp files configurable there will always be someone who will be "annoyed" by the chosen file names.
Link to comment
Share on other sites
Fabian Wosar

Fabian Wosar

Posted
Posted

Aw, come off it.  "Personal preference" for app-specific names?

Well, you are the one that gets annoyed by randomly generated temporary file names. The same way you are annoyed by random file names, is it unfeasible that someone else is annoyed by whatever your preferred naming scheme is? In the end, I could understand being upset if we would completely clutter up the drive, because files aren't removed properly. But the way it is set up at the moment, files are removed properly. They just don't have a name you like. If that isn't personal preference, I don't know what is.

Bottom line is, even if we wanted to change it, we can't. It is unlikely that we will change error logging components because of your objections to the temporary file naming scheme either. We have suggested to the component provider to add a way to make at least part of the file name configurable. Whether he wants to spend resources on such a request is up to him and beyond our control. If he decides to implement it and if we can take advantage of such a feature without much effort on our part, we will consider it. In all other cases, we won't.

Link to comment
Share on other sites
JeremyNicoll

JeremyNicoll

Posted
Posted

The point is that a script reading the contents of TEMP to decide which files to delete cannot identify these files as EAM ones.  That's why I'd prefer a subdirectory name (or as someone else suggested an initial literal).  I don't get the impression that I'm the only person who thinks this way.

Link to comment
Share on other sites
Fabian Wosar

Fabian Wosar

Posted
Posted

A script couldn't remove those files anyways even if it wanted to, as they are locked and in use by the process that created them. If they weren't in use, they wouldn't exist anymore due to the fact that the Delete On Close flag was set when the file was originally created. If they exist, they are in use. If they aren't in use, they don't exist. Deletion is enforced by the operating system. The only way you can end up with orphaned temporary files are a power outage or a blue screen as mentioned before.

Link to comment
Share on other sites
JeremyNicoll

JeremyNicoll

Posted
Posted

I understand that "A script couldn't remove those files anyways", but the script is not able to identify which files it should not try to delete.   I don't generally program scripts so that they try things and rely on failure to bypass that attempt, but instead to identify items that shouldn't be processed.   I don't know if a failed attempt to delete something generate (say) an event record, but I'd be amazed if there wasn't some record in WMI or somewhere that a process tried to delete a locked file.  In some other OSes such an attempt would produce a session-disrupting error.

Link to comment
Share on other sites
Fabian Wosar

Fabian Wosar

Posted
Posted

I don't know if a failed attempt to delete something generate (say) an event record, but I'd be amazed if there wasn't some record in WMI or somewhere that a process tried to delete a locked file.

It is possible to audit file system events, but it has to be enabled beforehand. It is not enabled by default. You could actually use that very mechanism to track which process created which file to feed your cleanup script. That would surely beat trying to assign them by name.

If you don't want to do that for your script, the best approximation to detect files is to match the file name via regex. ^[0123456789ABCDEF]{32}\.tmp$ should do the trick just fine. It is not perfect. But then again, neither would be "tagging" files somehow. We are not the only one using the a2 prefix.

 

In some other OSes such an attempt would produce a session-disrupting error.

In some other OSes the temporary files folder would be stored in shared memory and we wouldn't have this conversation.
Link to comment
Share on other sites
iammike

iammike

Posted
  • Author
Posted

Thanks for reverting to an older version, but I for one (and I am not alone) would like to see those files created in a Subdir (like a2temp) which you already do now with the sigs.

 

The reason why I want this, is not that I want my TEMP look nice and tidy, but it was a shock to me what those files where ?

 

Did I got a virus ? etc etc etc. Fortunately I know how to identify those locked files, but many users will not be able to and thus this could lead to more support calls.

 

But as Peter2150 said, "No matter how much you kick a dead horse it  ain't getting up."

Link to comment
Share on other sites
JeremyNicoll

JeremyNicoll

Posted
Posted

Auditing file system events sounds good (computing-wise much of my professional life was spent in large IBM mainframe sites where this sort of logging happened as a matter of course, making it possible to determine who damaged a file weeks or months after the event)...  Of course the volume of data collected in those logs was vast, but it was also very useful, for those allowed to read it.

 

I'm not sure I'd want to try to read W8's records in real time, for the %TEMP% monitoring script, but it's certainly something I'll pursue for general monitoring of what's going on in the system.  Like

so much else in Windows, finding out what's possible is half the battle.

 

 

[under XP, where I had 'Pro', I was able to turn on auditing of 'Security' events which included user login, process creation & termination.  That's really useful for seeing scripts, scheduled tasks etc starting & stopping especially as the Security eventlog record contained the full commandline and - along with debug logs created by my own apps that recorded the process-ids they were running under, one could track down what happened when on a system much more easily. 

 

My W8.1 system however, only has W8.1 Home on it, and although the OS support for creating audit records is present in W8.1 Home, the tool normally used to turn these things on and off - gpedit.msc - isn't available / supported for W8.1 Home (Google suggests that it might work, if you're lucky, if you copy the relevant files from a Pro/Ultimate/Enterprise system, if you can get access to one.

 

 

However I found a while ago that the command-line tool: auditpol.exe, run from an elevated command prompt DOES allow you to query and alter the settings for this sort of thing.  So for example:

 

Auditpol.exe /set /subcategory:"process creation" /success:enable
Auditpol.exe /set /subcategory:"process creation" /failure:enable

- are the commands I used here to turn on generation of eventlog records every time an OS process creation either works or fails; and


Auditpol.exe /set /subcategory:"process termination" /success:enable
Auditpol.exe /set /subcategory:"process termination" /failure:enable

- turns on generation of eventlog records for successful/failed process termination.

 

 

One can also see the whole set of what's enabled and disabled by, eg:

 

C:\Windows\system32>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure
  User / Device Claims                    No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        Success and Failure
  Process Termination                     Success and Failure
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
Policy Change
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
  Audit Policy Change                     Success
Account Management
  User Account Management                 Success
  Computer Account Management             No Auditing
  Security Group Management               Success
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing

C:\Windows\system32>

 

 

 

To get the full commandline logged when a process starts, I used the (excellent) tool at: http://gpsearch.azurewebsites.net/#10674

to find out how command-line logging is controlled.  It says

  System
     Auditing
        Include command line in process creation events

        HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit

        Value: ProcessCreationIncludeCmdLine_Enabled

but this doesn't say what sort of value that should have.     I googled and found that  a  DWORD with value 1 is required.   After

creating that registry entry, my W8.1 Security eventlog records for process creation now contain the command lines.  Anyone

who runs complicated scripts that issue commands that run other scripts with varying commandlines will benefit from having all

of that logged!

 

 

Anyway, I expect that googling will tell me how to make use of file system auditing; I expect it can be made fairly granular, monitoring

either all files & all users, or specific subsets.

Link to comment
Share on other sites
Fabian Wosar

Fabian Wosar

Posted
Posted

No reconsideration on this, only that it will be coming back ?

I made myself pretty clear: Even if we wanted to change it, we can't. It is unlikely that we will change error logging components because of your objections to the temporary file naming scheme either. We have suggested to the component provider to add a way to make at least part of the file name configurable. Whether he wants to spend resources on such a request is up to him and beyond our control. If he decides to implement it and if we can take advantage of such a feature without much effort on our part, we will consider it. In all other cases, we won't.

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2021 Emsisoft - 08/04/2021 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...