SEP Client Directory Analysis
The directory C:\ProgramData\Symantec\Symantec should average between 1GB and 2GB in size, depending on whether the SEP client is version 11 or 12.1; the older version of the SEP client consumes more disk space.
- There are some known issues in SEP11 where the client sometimes overuses the machine's disk space. Upgrading those machines to version 12.1 is recommended to solve those issues.
- Please note that C:\ProgramData\Symantec\ might hold directories for other Symantec software, and this analysis was done for the SEP client directory only (Version 12.1.671.4971).
A typical C:\ProgramData\Symantec\Symantec Endpoint Protection should contain the following folders:
02/24/2013 09:17 AM <DIR> 12.1.671.4971.105
02/19/2013 12:36 PM <JUNCTION> CurrentVersion
02/19/2013 12:36 PM <DIR> PersistedData
0 File(s) 0 bytes
5 Dir(s) 461,788,991,488 bytes free
This directory usually holds the folders for the current and previous versions of SEP. It is safe to delete the directories of old versions after confirming the currently running version in the SEP client by following these steps:
SEP Client Main Screen -> Click on Help -> Click on About -> Check the version from the screen.
Opening the “CurrentVersion” shortcut takes you directly to the current version's files. That directory holds the following:
02/19/2013 12:36 PM <DIR> Data
02/19/2013 12:36 PM <DIR> inbox
02/19/2013 12:36 PM 114 isolate.ini
02/25/2013 10:42 AM <DIR> SRTSP
The two folders inbox and SRTSP should not consume much space and should not be deleted. Most of the disk space problems come from the folder “Data”.
A typical “Data” folder should reflect the following:
02/19/2013 12:36 PM <DIR> APTemp
02/19/2013 12:36 PM <DIR> BadPatts
02/25/2013 10:45 AM <DIR> BASH
02/19/2013 12:36 PM <DIR> Cached Installs
02/25/2013 01:03 AM <DIR> CmnClnt
02/25/2013 10:43 AM <DIR> Config
02/19/2013 12:36 PM <DIR> ContentCache
02/25/2013 12:22 PM <DIR> DB
02/25/2013 01:15 AM <DIR> DecTemp
02/19/2013 12:36 PM <DIR> Definitions
02/24/2013 09:18 AM <DIR> FeatureState
02/19/2013 12:36 PM <DIR> I2_LDVP.VDB
02/19/2013 12:36 PM <DIR> Install
02/19/2013 01:19 PM <DIR> IPS
02/25/2013 10:42 AM <DIR> IPSFFPlgn
02/25/2013 10:44 AM <DIR> IRON
02/19/2013 12:37 PM <DIR> Logs
02/19/2013 12:37 PM <DIR> Lue
02/19/2013 12:36 PM <DIR> Quarantine
02/19/2013 01:20 PM <DIR> SPManifests
02/19/2013 12:36 PM <DIR> SRTSP
02/19/2013 12:46 PM <DIR> State
02/19/2013 12:36 PM <DIR> SymDS
02/19/2013 12:36 PM <DIR> symnetdrv
06/17/2011 04:31 PM 743 SymPP.inf
06/17/2011 04:31 PM 7,664 SystemSnapshotRules.bin
02/19/2013 12:36 PM <DIR> xfer
02/19/2013 12:36 PM <DIR> xfer_tmp
“Data” Folder Detailed Directory Analysis
- APTemp - This directory should be clean by default.
- BadPatts - This directory should be clean by default.
- BASH - Average file size should be around 6.10MB. It is advised not to delete the contents of this folder.
- Cached Installs - The size of this folder varies from machine to machine. Deleting its contents only causes them to be replaced with the same contents. According to Symantec tech support, it is not advised to delete anything from this folder.
- CmnClnt - This folder is reported to consume a lot of disk space, as it is responsible for checking the reputation of files with Symantec servers. Folders inside this directory usually send the files to Symantec for checking; if the machine has no access to the internet, this folder will increase in size rapidly. A solution to this problem can be found here: http://www.symantec.com/connect/forums/folder-12xxxdatacmnclntccsubsdk-has-large-size
- Config - A vital folder that should not be deleted.
- ContentCache - This directory should be clean if there are no active processes in SEP.
- DB - There is no information available in the Symantec knowledge base regarding this folder. However, as a matter of common technical sense, database files should not be deleted, as the client relies on them to operate.
- DecTemp - This folder should be clean by default. If it holds large files, the machine should be restarted into safe mode to delete all files under DecTemp/i2_ldvp.tmp/
- Definitions - This folder should be 2GB in size for SEP 11 or around 900MB for SEP 12+.
- FeatureState - This directory should be clean by default.
- I2_LDVP.VDB - This directory should be clean by default.
- Install - This folder usually holds the install logs. On my machine this folder is ~5MB in size. It is not recommended to delete this folder's contents, as they may be needed for future troubleshooting.
- IPS - This folder should not consume much space. SEP will replace this folder if it is deleted. It is not recommended to delete this folder.
- IPSFFPlgn - It is not recommended to delete this folder’s contents. Average size ~400KB.
- IRON - Folder for the IRON definition DB. This folder should not be tampered with.
- Logs - This folder grows over time, so its size varies with its age. Technically, it is not recommended to delete this folder.
- Lue - This folder should not consume much space. ~1MB max.
- Quarantine - AV quarantine directory. This folder should be cleaned up automatically depending on the Antivirus and AntiSpyware policy.
- SPManifests - This folder is important for remote client installation through SEPM.
- SRTSP - It is not recommended to delete the contents of this folder as it might impact the operation of SEP client.
- State - Important for the communication between SEP client and SEPM. Should not be deleted.
- SymDS - Should be empty by default if there are no operations in process.
- symnetdrv - This folder holds important files and should not be deleted. Avg size 16-80Kb.
- xfer, xfer_tmp - Should be empty by default. There are reports of problems in SEP11 where these folders increase in size rapidly. In that case the only solution to the problem is to completely re-install SEP.
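
A read-only way to check a client against the figures above, as an added example that is not a Symantec tool or part of the original analysis: it sizes each subfolder of “Data” and flags the ones that deviate from what this page lists. The parameter names, the function name and the threshold table are this example's own assumptions, built from the sizes quoted above; it deletes nothing, and some folders may only be readable from an elevated prompt.

```powershell
# Added example: report-only size check of the SEP client "Data" folder.
param(
    [string]$DataPath = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data',
    [int]$SepMajor = 12   # assumption: pass 11 for SEP 11 clients
)

# Folders the analysis above describes as clean/empty by default.
$expectEmpty = 'APTemp', 'BadPatts', 'ContentCache', 'DecTemp', 'FeatureState',
               'I2_LDVP.VDB', 'SymDS', 'xfer', 'xfer_tmp'

# Upper bounds in MB taken from the figures above (2GB SEP 11, ~900MB SEP 12+).
$definitionsMax = 900
if ($SepMajor -le 11) { $definitionsMax = 2048 }
$expectMaxMB = @{ 'Definitions' = $definitionsMax; 'Lue' = 1 }

function Get-FolderBytes([string]$Path) {
    # Sum file lengths recursively; unreadable items are skipped, not fatal.
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Measure-Object -Property Length -Sum).Sum
    return [double]$sum   # $null (empty folder) becomes 0
}

$report = Get-ChildItem -LiteralPath $DataPath -Force -ErrorAction Stop |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $bytes  = Get-FolderBytes $_.FullName
        $sizeMB = [math]::Round($bytes / 1MB, 2)
        $note   = ''
        if (($expectEmpty -contains $_.Name) -and ($bytes -gt 0)) {
            $note = 'expected empty by default'
        } elseif ($expectMaxMB.ContainsKey($_.Name) -and ($sizeMB -gt $expectMaxMB[$_.Name])) {
            $note = "larger than ~$($expectMaxMB[$_.Name]) MB"
        }
        New-Object PSObject -Property @{ Folder = $_.Name; SizeMB = $sizeMB; Note = $note }
    }

# Largest folders first; the Note column marks deviations from the list above.
$report | Sort-Object SizeMB -Descending |
    Format-Table Folder, SizeMB, Note -AutoSize
```

A non-empty folder from the "empty by default" list is only a prompt to look closer: ContentCache and SymDS legitimately hold files while SEP is working.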