Endpoint Protection


Disk space issue due to Tamper protection alert in SEP 12.1


  • 1.  Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 28, 2016 07:01 AM

    Hi All,

     

    We have noticed high disk space utilization on 10 different servers because of the SEP client (a combination of SEP 12.1 RU2 and SEP 12.1 RU3 clients). Investigation shows that the folder C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\CmnClnt\ccSubSDK\ accumulates a large number of big files, which rapidly consume more than 10 GB of disk space and soon fill up the entire C: drive.

    As a workaround we have deleted the files from the above location and disabled submissions to the Symantec reputation database. We have not made any changes to the SEP environment, and no upgrades/patches have been installed on these servers.

    Below is the event which shows the exact files that are filling up the hard disk space; we see numerous such events on the affected servers. Any help investigating this issue is deeply appreciated. Not sure why the Explorer.exe file is being detected as a Tamper Protection security risk, and why such files are being created in the above location. Please clarify.

     

    EVENT ID:

    Scan type: Tamper Protection Scan
    Event: Tamper Protection Detection
    Security risk detected: C:\WINDOWS\EXPLORER.EXE
    File: C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\CmnClnt\ccSubSDK\{FFFCD57B-8784-41E7-9246-24232B37FFE8}
    Location: C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\CmnClnt\ccSubSDK
    Computer: AZ50MFGFGRD03
    User: AZ50-CIMFDC-SVC
    Action taken: Leave Alone
    Date found: Saturday, June 25, 2016 2:09:07 PM

     

    Regards,

    Senthil Srinivasan.



  • 2.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Broadcom Employee
    Posted Jun 28, 2016 08:06 AM

    Hi,

    Thank you for posting your query on Symantec community.

    This can be caused by two things:

    • The machine does not have access to the internet, or communication to the internet is broken.
    • This may also be caused by a rapid increase in submissions due to a threat outbreak or false positive detection. 

    Try the following steps:

    1. Purge the folder: Disable Tamper Protection through the Symantec Endpoint Protection client, or at the policy level from the Symantec Endpoint Protection Manager (SEPM). Manually delete the contents of the folder. (Re-enable Tamper Protection when finished.)
    2. Change the submissions policy if there is no internet connection: Open the SEPM > Clients icon > My Company (or the parent policy of the machine) > External Communication Settings.
    3. Update the policy.

    If the above steps do not help, upgrading to the latest release may be a solution. I would suggest upgrading 2-3 SEP clients to the latest version, i.e. SEP 12.1 RU5, and verifying.

     



  • 3.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 28, 2016 08:13 AM

    Hi Chetan,

    All these 10 servers have not had internet connectivity since the beginning, and this issue occurred all of a sudden on Saturday. Submission has been enabled since the beginning. Also, even if an internet connection is made available to these servers, uploading an enormous amount of data (10 GB in one hour) will cause bandwidth issues. Please suggest what these files are and how to determine exactly which application/file is causing this, if it is a false positive scenario.

    Regards,

    Senthil Srinivasan.



  • 4.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 28, 2016 08:18 AM

    Sounds like an issue with the product; run SymDiag on it to see what it shows.

    Download SymDiag to detect Symantec product issues



  • 5.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 28, 2016 09:18 AM

    Here is the SymDiag log file. Unfortunately I do not have the log viewer; if you can help share it, that would be great.

    Regards,

    Senthil Srinivasan.



  • 6.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 28, 2016 09:19 AM

    There is no attachment



  • 7.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 28, 2016 10:09 AM

    log file




  • 8.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 28, 2016 10:22 AM

    It appears to be an issue with Submission Control Data (SCD).

    The SCD file controls the following settings:

    • How many submissions a client can submit in one day

    • How long to wait before the client software retries submissions

    • How many times to retry failed submissions

    • Which IP address of the Symantec Security Response server receives the submission

    Do these clients have Internet access to send info to Symantec?



  • 9.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 28, 2016 10:52 AM

    These clients have not had internet connectivity since the very beginning, and the issue started to occur only from June 26th, 2016.



  • 10.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 28, 2016 11:08 AM

    Also, your log shows these clients cannot connect to the SEPM, is that the case?

    The logs don't show any errors related specifically to this problem. I suppose it is possible that the SCD file definitions (6/9/16 rev. 32) could be corrupt or something wrong with them. It could also be a problem with the version you're running, you'd have to go back through release notes though to verify.

    May be best to open a support case.



  • 11.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 28, 2016 11:36 AM

    SEP > SEPM connectivity is fine. We have already opened a support case with Symantec but there is no progress. May I ask what makes you think the definition dated 6/9/16 rev. 32 could be corrupt, given that the issue started to occur only on June 26th, 2016? We can see lots of the above events under Tamper Protection alerts in the event viewer, if that helps. Below are the exact files (more than 500 different files of this kind) in the location C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\CmnClnt\ccSubSDK\ which are the reason for the disk space issue.

     

    EVENT ID:

    Scan type: Tamper Protection Scan
    Event: Tamper Protection Detection
    Security risk detected: C:\WINDOWS\EXPLORER.EXE
    File: C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\CmnClnt\ccSubSDK\{FFFCD57B-8784-41E7-9246-24232B37FFE8}
    Location: C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\CmnClnt\ccSubSDK
    Computer: AZ50MFGFGRD03
    User: AZ50-CIMFDC-SVC
    Action taken: Leave Alone
    Date found: Saturday, June 25, 2016 2:09:07 PM



  • 12.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 28, 2016 11:49 AM

    If you feel tamper protection is the issue, disable it temporarily to test it out and see what the result is.



  • 13.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 28, 2016 12:04 PM

    Yes, if Tamper Protection is disabled the issue does not happen. Is there any way to find out what is triggering these files to accumulate in the above folder path?
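    One way to answer the question above from the events themselves, as an added example that is not part of the thread and not Symantec's tooling: the Tamper Protection event text quoted in this thread names both the process that was flagged ("Security risk detected") and the file it touched ("File"). Parsing an export of those events and separating the ones whose File sits under ...\Data\CmnClnt\ccSubSDK from ordinary tamper events shows which process, on which hosts, is writing the submission queue, how many distinct queue files have been created, and how fast they appear. The script below accepts records either as one line each (as quoted in the thread) or with one field per line. The sample records are constructed for the demo: the first is the event from this thread, the other GUIDs, timestamps, the host HOST02 and the non-queue record are made up.

```python
"""Triage SEP 12.1 Tamper Protection events that point at the ccSubSDK submission queue.

Added example (not from the thread or from Symantec). Feed it the event text exported
from the Windows event viewer or the SEP client log; each record may span several lines.
"""
import re
from collections import Counter
from datetime import datetime

SUBMISSION_DIR = r"\Data\CmnClnt\ccSubSDK"      # marker for SEP's own submission queue
DATE_FMT = "%A, %B %d, %Y %I:%M:%S %p"           # "Saturday, June 25, 2016 2:09:07 PM"

# Field order as it appears in the event text quoted in the thread.
EVENT_RE = re.compile(
    r"Scan type: (?P<scan>.+?) Event: (?P<event>.+?) "
    r"Security risk detected: (?P<risk>.+?) File: (?P<file>.+?) "
    r"Location: (?P<location>.+?) Computer: (?P<computer>\S+) User: (?P<user>\S+) "
    r"Action taken: (?P<action>.+?) Date found: (?P<date>.+)$"
)


def parse_event(text):
    """Return the event fields as a dict, or None if the text is not a tamper event.

    Whitespace (including line breaks between fields) is collapsed first, so a record
    exported one-field-per-line parses the same as the single-line form.
    """
    m = EVENT_RE.match(re.sub(r"\s+", " ", text).strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["date"] = datetime.strptime(rec["date"], DATE_FMT)
    return rec


def is_submission_artifact(rec):
    """True when the flagged File is a file SEP itself wrote into the ccSubSDK queue."""
    return SUBMISSION_DIR.lower() in rec["file"].lower()


def summarize(records):
    """Aggregate parsed events: who is writing the queue, where, how much, how fast."""
    recs = [r for r in map(parse_event, records) if r]
    queue = [r for r in recs if is_submission_artifact(r)]
    times = sorted(r["date"] for r in queue)
    span_h = (times[-1] - times[0]).total_seconds() / 3600 if len(times) > 1 else 0.0
    return {
        "parsed": len(recs),
        "queue_events": len(queue),                 # Tamper Protection flagging SEP's own queue
        "other_events": len(recs) - len(queue),     # genuine tamper attempts, look at separately
        "by_process": dict(Counter(r["risk"].upper() for r in queue)),
        "by_host": dict(Counter(r["computer"] for r in queue)),
        "distinct_files": len({r["file"].lower() for r in queue}),
        # events per hour, with a one-hour floor so a short burst is not divided by ~0
        "events_per_hour": round(len(queue) / max(span_h, 1.0), 2),
    }


# ---- constructed sample input -------------------------------------------------------
_BASE = r"C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\CmnClnt\ccSubSDK"


def _event(risk, file, location, computer, user, when):
    """Build one record in the single-line layout quoted in the thread."""
    return ("Scan type: Tamper Protection Scan Event: Tamper Protection Detection "
            f"Security risk detected: {risk} File: {file} Location: {location} "
            f"Computer: {computer} User: {user} Action taken: Leave Alone Date found: {when}")


# First record is the one from the thread; everything else here is made up for the demo.
SAMPLE_RECORDS = [
    _event(r"C:\WINDOWS\EXPLORER.EXE", _BASE + r"\{FFFCD57B-8784-41E7-9246-24232B37FFE8}", _BASE,
           "AZ50MFGFGRD03", "AZ50-CIMFDC-SVC", "Saturday, June 25, 2016 2:09:07 PM"),
    _event(r"C:\WINDOWS\EXPLORER.EXE", _BASE + r"\{0B1C2D3E-0000-4000-8000-000000000001}", _BASE,
           "AZ50MFGFGRD03", "AZ50-CIMFDC-SVC", "Saturday, June 25, 2016 2:21:40 PM"),
    _event(r"C:\WINDOWS\EXPLORER.EXE", _BASE + r"\{0B1C2D3E-0000-4000-8000-000000000001}", _BASE,
           "AZ50MFGFGRD03", "AZ50-CIMFDC-SVC", "Saturday, June 25, 2016 2:21:40 PM"),  # same file twice
    _event(r"C:\WINDOWS\EXPLORER.EXE", _BASE + r"\{0B1C2D3E-0000-4000-8000-000000000002}", _BASE,
           "HOST02", "SYSTEM", "Saturday, June 25, 2016 3:39:07 PM"),
    # A hypothetical real tamper attempt against a SEP binary: not a queue artifact.
    _event(r"C:\Temp\badtool.exe",
           r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe",
           r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection",
           "HOST02", "admin", "Saturday, June 25, 2016 3:40:00 PM"),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

    On the thread's data this would show every queue event attributed to C:\WINDOWS\EXPLORER.EXE under the AZ50-CIMFDC-SVC account, which points the investigation at whatever that account runs through Explorer rather than at Explorer itself; the "other_events" bucket is kept apart so a real tamper attempt is not lost in the noise of the submission loop.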



  • 14.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 28, 2016 12:07 PM

    One or two of the clients should have advanced SMC debug logging enabled and the issue replicated so that it hopefully appears in the log for support to review.



  • 15.  RE: Disk space issue due to Tamper protection alert in SEP 12.1

    Posted Jun 29, 2016 07:59 AM

    Hi,

    We found the files and see that this is caused by Advanced Heuristic Detection submissions. These files have been the same for years, and we are not sure why all of a sudden it is trying to submit them to Symantec and filling up the disk space.

    Any help would be greatly appreciated.