nsebin.def files filling up C:\Windows\Temp folder; norman scan engine update issue in Microsoft Forefront
Recently bumped into problem where an exchange 2010 server was running low in disk space on the C drive. After checking all aspects like exchange database location, log files, shadow copies and page file, in the end it was the C:\Windows\temp folder, there were a bunch of tmp files with the name nsebin.def files similar to below but too many in numbers
A quick Google search led me to this post on technet: http://social.technet.microsoft.com/Forums/en-US/FSENext/thread/ca55530e-3850-49a0-9cd6-2ffd562301ce
This problem is due to a recent bug on the Norman Scan Engine update which surfaced around 25/4/2013 following which older nsebin.def files weren’t removed and hence the build up. One can certainly imagine what this might do to a 40Gb System drive partition as each of these of files were around 320Mb and downloaded twice a day if you have forefront downloading automatically for you.
The solution as of now is to delete the nsebin.def files as and when you get low on space, there is no need to restart any services for this, just get in there and DELETE, do not delete the nse_temp files.
As there is no fix yet, as suggest on the post, disable the Norma Scan engine and update schedules as below in Forefront:
One has also suggested rebuilding the Norman Engine folder to get Forefront to automatically fix this, but this hasnt worked for me, but you are welcome to try.
Rebuild Norman Engine Folder:
To do this locate the Norman folder C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86\Norman or on a different drive where you installed forefront and rename the folder to Norman.old
Once done renaming, open the forefront console and force an update by going to Policy Management > Global Settings > Advanced Options > Update Scheduling section, right click the Norman engine there and select update now.
You should now see a new Norman folder created, but the problem is the old def files are still there.
MS is still working on this and I will update this post when I find out that my problem has been fixed.
update 13/5/13: Still nothing from MS, I have left Norman scan engine and update schedule disabled.
update: 15/5/13: MS have released a fix, if you have disabled the scheduled update, enable it.