Low disk space on a Symantec Endpoint Protection client

Article:TECH212722  |  Created: 2013-11-22  |  Updated: 2014-12-05  |  Article URL http://www.symantec.com/docs/TECH141811
Article Type
Technical Solution


Issue



The operating system indicates that there is low disk space on a system running Symantec Endpoint Protection client.  The system has poor performance.


Solution



Note: To check if this issue exists or has been resolved on the computer in question, download and run SymHelp

Low disk space is a common problem with a wide variety of possible causes.  Running low on disk space is both an issue and a cause of multiple potential issues.  Unless the operating system or some other program provides an alert, it may not be recognized that low disk space is influencing the unwanted behavior that is observed. 

To determine if any data created by Symantec Endpoint Protection is using an unusually large amount of disk space review the list of data points (files or folders) below and what steps are recommended should those data points be determined to be of an excessive size.  Excessive size is indicated by checking the file or directory resource against the given threshold.  The threshold is based on a reading of telemetry from previous runs of SymHelp across customer environments.  The threshold is set to that value for the file or directory size which is exceeded by only the top 5% of customer systems.  If your system exceeds this threshold, then it is recommended that you take troubleshooting steps outlined in the action section for that file or directory.  The threshold is a value that is somewhat arbitrary although it is set based on measurement of deployed customer systems.  It is meant only to provide some basis for determining whether it may be useful to treat the file or directory size as a potential product technical issue, but is not diagnostic of a definite product issue.
 
 
Machine AntiVirus (AV) Logs
 
Log Name
MMDDYYYY.log, where the log is labeled with the 8 digit date of the day of events the log contains
 
Default Locations:
  • 11.x and 12.0.x
    • Windows XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs
    • Windows Vista, 2008, and above: C:\ProgramData\Symantec\Symantec Endpoint Protection\Logs
  • 12.1.x
    • Windows XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs
    • Windows Vista, 2008, and above: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs
 
Threshold (August 2014)
Directory > 1.17MB
Single log > 40MB
 
Actions
  • Examine the client logs to determine which of the daily logs are largest in size. Determine if these logs will be removed in due time by the normal log retention process. 
  • Consider if you need to decrease the number of days logs are retained and adjust the client’s group policy accordingly.
  • Examine the content of the logs to determine what sort of unusual activity is taking place that is causing excessive log file sizes. 
  • Consult with support prior to removing any Symantec product logs
 
 
USER ANTIVIRUS (AV) LOGS
 
Log Name
MMDDYYYY.log, where the log is labeled with the 8 digit date of the day of events the log contains
 
Default Locations:
  • 11.x and 12.0.x
    • Windows XP and 2003: C:\Documents and Settings\<user>\Local Settings\Application Data\Symantec\Symantec Endpoint Protection\Logs
    • Windows Vista, 2008, and above: C:\Users\<user>\AppData\Local\Symantec\Symantec Endpoint Protection\Logs
  • 12.1.x
    • Windows XP and 2003: C:\Documents and Settings\<user>\Local Settings\Application Data\Symantec\Symantec Endpoint Protection\Logs
    • Windows Vista, 2008, and above: C:\Users\<user>\AppData\Local\Symantec\Symantec Endpoint Protection\Logs
 
Threshold (August 2014)
Directory > 3.88MB
Single log > 10MB
 
Actions
  • Examine the client logs to determine which of the daily logs are largest in size. Determine if these logs will be removed in due time by the normal log retention process. 
  • Consider if you need to decrease the number of days logs are retained and adjust the client’s group policy accordingly.
  • Examine the content of the logs to determine what sort of unusual activity is taking place that is causing excessive log file sizes. 
  • Consult with support prior to removing any Symantec product logs
 
 
VIRUS DEFINITIONS DIRECTORY
 
Directory Name
VirusDefs
 
Default Locations:
  • 11.x and 12.0.x
    • Windows XP and 2003: C:\Program Files\Common Files\Symantec Shared
    • Windows Vista, 2008, and above: C:\ProgramData\Symantec\Definitions
  • 12.1.x
    • Windows XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions
    • Windows Vista, 2008, and above: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions
 
Threshold (August 2014)
11.x and 12.0.x: Directory > 5.1 GB
12.1.x: Directory > 2.0 GB
 
Actions
-TECH210694: Run SymHelp to determine if the virus definitions are corrupted
-TECH180056: Known issue of multiple virus definition sets on pre-12.1.2000 SEP clients
-TECH103956: Determine if there is a configuration change that might improve drive space usage (11.x)
-HOWTO59193: Clear out the virus definitions as a troubleshooting step (12.1.x)
-TECH103176: Clear out the virus defintions as a troubleshooting step (11.x)
 
 



Article URL http://www.symantec.com/docs/TECH141811


Terms of use for this information are found in Legal Notices