Endpoint Protection


Large file created on "I2_LDVP.TMP" folder

  • 1.  Large file created on "I2_LDVP.TMP" folder

    Posted Apr 10, 2013 08:28 PM

    Hi,

    I have a SQL cluster server that is running Windows Server 2008 SP2 x64 now. The SEP client version is 11.0.5002.333.

    My server generates this temp folder (folder size = 498GB), and there is a temp file (12GB and growing) that has taken up all my C: drive disk space during the weekly scheduled scan job.

    Because of this issue, my server has hung 2 times, caused by the C: drive being at 0 bytes.

    For your information, my C: drive has only 12GB of free disk space, and we don't know why the system is allowed to create a folder that will hold 500GB of content. Any idea?

    As I need to find out the root cause, I would like to ask for your help:

    1. Is there any way that I can monitor which file Symantec is trying to scan / extract?

    2. We do not have a single file that is 500GB, so we want to know what is causing this temp folder to require 498GB.

    3. Is there a way that we can force the scheduled scan to stop if the system is trying to generate a large file again?

    4. Is there any prevention that we can apply to our server?

    5. Or is there any other possibility that may cause the temp folder to grow so large?

     

    I appreciate any help.

    Thank you.

     

    BR,

    Kent



  • 2.  RE: Large file created on "I2_LDVP.TMP" folder

    Posted Apr 10, 2013 08:35 PM

    The first step I would suggest is to upgrade to the latest version of SEP. For 11.x that version is RU7 MP3. If you can, I would suggest going to SEP 12.1, that current version is RU2 MP1.

    11.0.5 is a pretty old version and did have some bugs from what I remember.

    Same issue on this thread, which was fixed by upgrading:

    https://www-secure.symantec.com/connect/forums/i2ldvptmp#comment-7308031

    You can delete this file per this HOWTO:

    Files are left in the i2_ldvp.tmp folder after scanning

    Article:TECH99398  |  Created: 2001-01-13  |  Updated: 2011-11-21  |  Article URL http://www.symantec.com/docs/TECH99398

     

    Large files under "\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\i2_ldvp.tmp" folder.

    Article:TECH97520  |  Created: 2009-01-17  |  Updated: 2011-11-11  |  Article URL http://www.symantec.com/docs/TECH97520

    Check out the best practices for installing SEP on a SQL cluster

     

    Clustered SQL server support for the Symantec Endpoint Protection client.

    Article:TECH97020  |  Created: 2009-01-26  |  Updated: 2010-12-23  |  Article URL http://www.symantec.com/docs/TECH97020

     

    Installing a Symantec Endpoint Protection (SEP) client to a cluster server

    Article:TECH91154  |  Created: 2008-01-01  |  Updated: 2012-09-11  |  Article URL http://www.symantec.com/docs/TECH91154

     

    Either way, the suggestion is to upgrade.



  • 3.  RE: Large file created on "I2_LDVP.TMP" folder

    Posted Apr 10, 2013 09:39 PM

    Hi,

    Large numbers of .tmp files are being created in the xfer_tmp or 7.5\xfer folder and are being detected as threats.

    http://www.symantec.com/business/support/index?pag...

     

    Check this thread

    https://www-secure.symantec.com/connect/forums/i2ldvptmp



  • 4.  RE: Large file created on "I2_LDVP.TMP" folder

    Posted Apr 11, 2013 05:58 AM

    Hi Kent,

    "Thumbs up" to the recommendation to upgrade.  Definitely go to 12.1 RU2 MP1, if possible. 

    A reboot will usually delete the temp files that you are seeing.  As it's a SQL cluster, it should be possible to reboot one node at a time without any service interruption.

    Hope this helps!

    Mick  



  • 5.  RE: Large file created on "I2_LDVP.TMP" folder

    Posted Apr 11, 2013 12:04 PM
    Hi all, thanks for all the comments. I am predicting there will be a new incident on the next scheduled scan. We have had the weekly scheduled scan for a long time, and the 2 incidents only happened in these 2 weeks. I really want to find out which file is being scanned and caused the 500GB folder to be created on the C: drive. Are there any tools from Symantec that allow us to monitor which file is being scanned, or maybe which partition it is scanning? Then I can suggest excluding the partition / files / folders from SEP. Is there a way that I can force the weekly scheduled scan to stop when SEP is controlled by Central Policy? i.e. "SMC -stop". That way I can stop the scanning immediately to prevent our SQL cluster server from hanging again (when the C: drive runs down to zero disk space). Can someone please guide me through the troubleshooting? I really need the evidence for my management. Thank you so much for all the help.


  • 6.  RE: Large file created on "I2_LDVP.TMP" folder

    Posted Apr 11, 2013 12:11 PM

    You would need to kill the rtvscan.exe process to stop the scan.

    Vpdebug logging should show what is being scanned.

    How to enable "Vpdebug Logging" on Symantec Endpoint Protection 11.0, 12.1, and 12.1 RU1

    Article:TECH102939  |  Created: 2007-01-15  |  Updated: 2012-03-13  |  Article URL http://www.symantec.com/docs/TECH102939

     

    Again, it is highly recommended to upgrade to the latest version as this issue has been fixed.



  • 7.  RE: Large file created on "I2_LDVP.TMP" folder

    Posted Apr 11, 2013 12:18 PM

    There is no RTV scan in 12.1; it's called CCsvchost.exe.

    You can do a

    taskkill /s remotesystemname /im ccsvchost.exe

    P.S.: You need to disable Tamper Protection before you can do that.

     

     



  • 8.  RE: Large file created on "I2_LDVP.TMP" folder

    Posted Apr 11, 2013 12:20 PM

    He's on 11.x



  • 9.  RE: Large file created on "I2_LDVP.TMP" folder

    Posted Apr 11, 2013 12:58 PM

    My bad, I did not see that. Yes, Brian is right, it's RTVSCAN.exe in 11.X.



  • 10.  RE: Large file created on "I2_LDVP.TMP" folder

    Posted Apr 13, 2013 12:09 AM

    Hi Brian81,

    I have enabled VPDebug=ALL, but it looks like the log doesn't tell us what files are being scanned now.

    Is there any keyword to tell us which file is being scanned now?

    =======================================================

    02:35:51.051527[_2384][_1968]|RDWRLOCK (00bd6314): Read lock (1).

    02:35:51.051910[_2384][_1968]|RDWRLOCK (00bd6314): Read release (0).
    02:35:51.052312[_2384][_1968]|RDWRLOCK (00bd6314): Reader write release.
    02:35:51.055733[_2384][_1968]|RDWRLOCK (00bd6314): Reader wait for write lock.
    02:35:51.056155[_2384][_1968]|RDWRLOCK (00bd6314): Reader write lock.
    02:35:51.056678[_2384][_1968]|RDWRLOCK (00bd6314): Read lock (1).
    02:35:51.057040[_2384][_1968]|RDWRLOCK (00bd6314): Read release (0).
    02:35:51.057483[_2384][_1968]|RDWRLOCK (00bd6314): Reader write release.
    02:35:51.060964[_2384][_1968]|RDWRLOCK (00bd6314): Reader wait for write lock.
    02:35:51.061427[_2384][_1968]|RDWRLOCK (00bd6314): Reader write lock.
    02:35:51.061910[_2384][_1968]|RDWRLOCK (00bd6314): Read lock (1).
    02:35:51.062734[_2384][_1968]|RDWRLOCK (00bd6314): Read release (0).
    02:35:51.063398[_2384][_1968]|RDWRLOCK (00bd6314): Reader write release.
    02:35:51.066839[_2384][_1968]|RDWRLOCK (00bd6314): Reader wait for write lock.
    02:35:51.067664[_2384][_1968]|RDWRLOCK (00bd6314): Reader write lock.
    ========================================================
    Is there any way that I can check / see what files are being scanned now when the scheduled scan job is running in the background? Can we issue a command to show the Scan GUI, so we can see what files are being scanned now?
     
    I also found that if I do "End task" for RTVScan.exe, the SEP scan log will show that the job is still running. Is this normal?
     
    Thank you.


  • 11.  RE: Large file created on "I2_LDVP.TMP" folder

    Posted Apr 17, 2013 07:42 AM

    Hi

    Please refer to the link below

    http://www.symantec.com/business/support/index?page=content&id=TECH97520&actp=search&viewlocale=en_US&searchid=1366198876755

    Regards
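
Added example (not part of the original thread and not Symantec code): a PowerShell 2.0-compatible watcher that records, at a fixed interval, how large the i2_ldvp.tmp folder is, which temp file in it is largest, how much space is left on the drive, and whether Rtvscan.exe is running, giving a timeline to line up against the scheduled scan. The `-TempFolder` path, the alert threshold and the log location are assumptions to set for your own server.

```powershell
# Added example: log growth of the SEP scan temp folder and free disk space.
# -TempFolder is an assumption: pass the real i2_ldvp.tmp path on your server.
param(
    [Parameter(Mandatory = $true)][string]$TempFolder,
    [string]$Drive = 'C:',
    [int]$IntervalSeconds = 30,
    [double]$MinFreeGB = 5,                           # hypothetical alert threshold
    [string]$LogFile = "$env:TEMP\i2_ldvp_watch.tsv"  # hypothetical log location
)

function Get-TempFolderSnapshot {
    param([string]$Path, [string]$DeviceId)
    # Files only; -Force includes hidden and system temp files.
    $files = @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer })
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    if (-not $bytes) { $bytes = 0 }
    $largest = $files | Sort-Object Length -Descending | Select-Object -First 1
    $largestGB = 0; $largestName = ''
    if ($largest) {
        $largestGB = [math]::Round($largest.Length / 1GB, 2)
        $largestName = $largest.FullName
    }
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$DeviceId'"
    # Rtvscan.exe is the SEP 11.x scan process named in the thread.
    $scanning = [bool](Get-Process -Name Rtvscan -ErrorAction SilentlyContinue)
    New-Object PSObject -Property @{
        Time = (Get-Date).ToString('s'); FolderGB = [math]::Round($bytes / 1GB, 2)
        FileCount = $files.Count;        FreeGB = [math]::Round($disk.FreeSpace / 1GB, 2)
        Rtvscan = $scanning;             LargestGB = $largestGB
        LargestFile = $largestName
    }
}

if (-not (Test-Path -LiteralPath $LogFile)) {
    Add-Content -LiteralPath $LogFile -Value "Time`tFolderGB`tFiles`tFreeGB`tRtvscan`tLargestGB`tLargestFile"
}
while ($true) {
    $s = Get-TempFolderSnapshot -Path $TempFolder -DeviceId $Drive
    $row = $s.Time, $s.FolderGB, $s.FileCount, $s.FreeGB, $s.Rtvscan, $s.LargestGB, $s.LargestFile
    # Tab-separated so regional decimal commas cannot break the columns.
    Add-Content -LiteralPath $LogFile -Value ($row -join "`t")
    if ($s.FreeGB -lt $MinFreeGB) {
        Write-Warning "Free space on $Drive is $($s.FreeGB) GB; largest temp file: $($s.LargestFile)"
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Start it from an elevated PowerShell session shortly before the scheduled scan window and stop it with Ctrl+C; the script only observes and never stops the scan or deletes files.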