Hi All,
We have noticed high disk space utilization on 10 different servers because of the SEP client (a combination of SEP 12.1 RU2 and SEP 12.1 RU3 clients). Investigation shows that the folder C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\CmnClnt\ccSubSDK\ accumulates a lot of large files, which rapidly consume more than 10GB of disk space and soon fill up the entire C drive.
As a workaround, we have deleted the files from the above location and disabled submission to the Symantec reputation database. We have not made any changes to the SEP environment, and no upgrades/patches have been installed on these servers.
Below is the event ID which shows the exact files that are filling up the hard disk space; we see numerous such events on the affected servers. Any help investigating this issue is deeply appreciated. Not sure why the Explorer.exe file is being detected as a Tamper Protection detection security risk and why such files are being created in the above location. Please clarify.
EVENT ID:
Scan type: Tamper Protection Scan
Event: Tamper Protection Detection
Security risk detected: C:\WINDOWS\EXPLORER.EXE
File: C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\CmnClnt\ccSubSDK\{FFFCD57B-8784-41E7-9246-24232B37FFE8}
Location: C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\CmnClnt\ccSubSDK
Computer: AZ50MFGFGRD03
User: AZ50-CIMFDC-SVC
Action taken: Leave Alone
Date found: Saturday, June 25, 2016 2:09:07 PM
Regards,
Senthil Srinivasan.