C drive filling up with nsebin and nvebin files

If you're noticing a ton of tmp files in c:\windows\temp\ that are around 300mb and start with nsebin or nvebin, this is likely an issue with the Norman update engine used by Forefront. Microsoft is aware of this issue and is looking into a fix, but until then you may need a temporary resolution. The simplest fix is to disable the Norman engine update as long as you are using other engines. You can do this through the UI, or by using the following powershell script via the Forefront Management Shell. The first step in this script may take a few minutes to complete, so be patient. set-fsspenginemanagement -OverrideAutomaticManagement $true set-fsspsignatureupdate -engine norman -EnableSchedule $false get-ChildItem $env:WINDIR\temp\*.* -include nsebin* | foreach ($_) {remove-item $_.fullname} get-ChildItem $env:WINDIR\temp\*.* -include nvebin* | foreach ($_) {remove-item $_.fullname} ***Update*** Microsoft has fixed the issue. Details below from: http://social.technet.microsoft.com/Forums/en-US/FSENext/thread/ca55530e-3850-49a0-9cd6-2ffd562301ce#cc713345-acca-458b-9bfe-4c847f21ceaf What do you need to do?: Just wait for the next scheduled Norman engine update or manually initiate one. In fact, it may have already taken place depending on your current engine update schedule. Possibly remove a few nsebin.def files manually that remain after the update takes place. This will be a one-time action after the update and depends on if you’ve disabled the Norman engine updates over the past few days while you waited for the fix. If you have disabled the Norman engine updates then you should not need to clean up anything manually because it hasn’t been updating and generating newer files. The fix will remove all of these older files. If the engine updates were never disabled there will be a few nsebin.def files that were created that you can safely remove. The fix is unable to remove these few more recent files. Services do not need to be stopped to remove these older files because they are no longer in use. Nothing additional should need to be done after that moving forward. What the fix will do?: It will create a new directory under the Windows\Temp directory called nsetmp. This will be the new directory for ALL Norman engine related files moving forward. As stated above the fix will remove almost all of the older problematic nsebin.def files (~325mb each) from the Windows\Temp directory. The nsebin.def files from the past day or so will not be removed by the fix BUT are safe for you to delete manually after the update takes place. If you have not cleaned up any of these files yet then this will be a significant amount of files and disk space that will get cleared. No new nsebin.def files will be created in the Windows\Temp directory after this fix is in place. The only nsebin.def files you should see being created from here on is the one current nsebin.def file that will be in the Windows\Temp\nsetmp directory after each update. That is the file that will be in use by the engine. The older nsebin.def files in the nsetmp directory will get removed properly on each subsequent successful Norman update. If you’re running Windows Server 2003 you will not see the nsetmp directory and the nsebin.def files will continue to be written to the Windows\Temp directory. You will not need to take any steps as the previous nsebin.def files will be properly removed. The fix will not remove any Norman version 6.x files if by chance they exist. If you see any of these files they too are safe to delete at any time. These would be the nvcbin.def.xxx.tmp files. How do I know I have the fix in place? The new Norman engine version will be 7.1.8. You will see that as the Engine version value for the Norman engine in the UI in FPE. In FSE you’ll see 7.1 for the engine version in the UI. You might need to check the details of the nse32.dll in the Norman engine bin directory to confirm that you have the fix. The details of that .dll will show a version of 7.1.8.0. However, if the Norman engine has updated successfully any time after this post you can be fairly certain you have the new update.