Low disk space on a Symantec Endpoint Protection client

Article:TECH212722  |  Created: 2013-11-22  |  Updated: 2014-08-28  |  Article URL http://www.symantec.com/docs/TECH141811
Article Type
Technical Solution


Issue



The operating system indicates that there is low disk space on a system running Symantec Endpoint Protection client.  The system has poor performance.


Solution



Note: To check if this issue exists or has been resolved on the computer in question, download and run SymHelp

Low disk space is a common problem with a wide variety of possible causes.  Running low on disk space is both an issue and a cause of multiple potential issues.  Unless the operating system or some other program provides an alert, it may not be recognized that low disk space is influencing the unwanted behavior that is observed. 

To determine if any data created by Symantec Endpoint Protection is using an unusually large amount of disk space review the list of data points (files or folders) below and what steps are recommended should those data points be determined to be of an excessive size.
 
 
Machine AntiVirus (AV) Logs
 
Log Name
MMDDYYYY.log, where the log is labeled with the 8 digit date of the day of events the log contains
 
Default Locations:
  • 11.x and 12.0.x
    • Windows XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs
    • Windows Vista, 2008, and above: C:\ProgramData\Symantec\Symantec Endpoint Protection\Logs
  • 12.1.x
    • Windows XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs
    • Windows Vista, 2008, and above: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs
 
Threshold
Directory > 1.17MB*
Single log > 40MB
A directory that reaches over 1.17MB in size contains an unusually large amount of logged activity. An individual log size of over 40MB is unusually large.
*95th percentile (August 2014)
 
Actions
  • Examine the client logs to determine which of the daily logs are largest in size. Determine if these logs will be removed in due time by the normal log retention process. 
  • Consider if you need to decrease the number of days logs are retained and adjust the client’s group policy accordingly.
  • Examine the content of the logs to determine what sort of unusual activity is taking place that is causing excessive log file sizes. 
  • Consult with support prior to removing any Symantec product logs
 
 
USER ANTIVIRUS (AV) LOGS
 
Log Name
MMDDYYYY.log, where the log is labeled with the 8 digit date of the day of events the log contains
 
Default Locations:
  • 11.x and 12.0.x
    • Windows XP and 2003: C:\Documents and Settings\<user>\Local Settings\Application Data\Symantec\Symantec Endpoint Protection\Logs
    • Windows Vista, 2008, and above: C:\Users\<user>\AppData\Local\Symantec\Symantec Endpoint Protection\Logs
  • 12.1.x
    • Windows XP and 2003: C:\Documents and Settings\<user>\Local Settings\Application Data\Symantec\Symantec Endpoint Protection\Logs
    • Windows Vista, 2008, and above: C:\Users\<user>\AppData\Local\Symantec\Symantec Endpoint Protection\Logs
 
Threshold
Directory > 3.88MB*
Single log > 10MB
A directory that reaches over 3.88MB in size contains an unusually large amount of logged activity. An individual log size of over 10MB is unusually large.
*95th percentile (August 2014)
 
Actions
  • Examine the client logs to determine which of the daily logs are largest in size. Determine if these logs will be removed in due time by the normal log retention process. 
  • Consider if you need to decrease the number of days logs are retained and adjust the client’s group policy accordingly.
  • Examine the content of the logs to determine what sort of unusual activity is taking place that is causing excessive log file sizes. 
  • Consult with support prior to removing any Symantec product logs
 
 
VIRUS DEFINITIONS DIRECTORY
 
Directory Name
VirusDefs
 
Default Locations:
  • 11.x and 12.0.x
    • Windows XP and 2003: C:\Program Files\Common Files\Symantec Shared
    • Windows Vista, 2008, and above: C:\ProgramData\Symantec\Definitions
  • 12.1.x
    • Windows XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions
    • Windows Vista, 2008, and above: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions
 
Threshold (95th percentile: August 2014)
11.x and 12.0.x: Directory > 5.1 GB
12.1.x: Directory > 2.0 GB
 
Actions
-TECH210694: Run SymHelp to determine if the virus definitions are corrupted
-TECH180056: Known issue of multiple virus definition sets on pre-12.1.2000 SEP clients
-TECH103956: Determine if there is a configuration change that might improve drive space usage (11.x)
-HOWTO59193: Clear out the virus definitions as a troubleshooting step (12.1.x)
-TECH103176: Clear out the virus defintions as a troubleshooting step (11.x)
 
 



Article URL http://www.symantec.com/docs/TECH141811


Terms of use for this information are found in Legal Notices