I’m trying to collect all the elements to reach a conclusion, but this looks like the real conclusion.
Avast published a new version some weeks ago; we are still migrating users to the NS/domain and upgrading the AV.
The AV is configured (it isn’t by default) to scan the network shares, and when the AV is upgraded it scans and “hits” each .exe file on the shared folders.
These shared folders have a lot of program files; one is the “setup” share for a lot of software that we need. Our ERP, for example, needs them (ActiveX files, DLLs, setup, you name it).
The “lucky hint” was that some newly joined users don’t need to use those files (ever), so I began to wonder about the reason. That is when the AV came onto the scene.
After some updates and reboots of the (Proxmox/NethServer) servers, and seeing the hits from those users, I remembered to check the SambaAudit logs. Yikes! Thousands of entries in the logs; no, I mean hundreds of thousands of entries. Is that “normal”? I don’t think so.
Lucky me, the first entries in the SambaAudit logs are users that don’t need the ERP software, and they were the last in the AV upgrade process.
Quickly, I disabled the auditing of the shared folders. (Friday night)
On Saturday, the load is now normal, yes! On Monday, the same: I can see the network load graph is a little heavy, but I don’t see the audit logs being bombed by the AV artillery.
I can’t disable the AV network scan; we were hit twice, and I found the guilty users (both wife and husband), but I can’t make them pay for their sins, yet.
I will create some filters on the AV to disable the scan on those network shares; by another pinch of luck, those shares are accessed but do not need to be mounted.
Regards
—Note # 1:
This graph shows the year on the interface; you can see the traffic grow as users are added and how the AV/Audit is ruining my day:
—Note # 2:
AV filters to ignore the shared folder have been created.