
Large file created on "I2_LDVP.TMP" folder

Created: 10 Apr 2013 • Updated: 30 Apr 2013 | 10 comments

Hi,

I have a SQL cluster server that is currently running Windows Server 2008 SP2 x64. The SEP client version is 11.0.5002.333.

My server generates this temp folder (folder size = 498GB) containing a temp file (12GB and growing), which takes up all of my C: drive disk space during the weekly scheduled scan job.

Because of this issue, my server has hung 2 times, caused by the C: drive reaching 0 bytes free.

For your information, my C: drive has only 12GB of free disk space, and we don't know why the system is allowed to create a folder that will hold 500GB of content. Any idea?

As I need to find out the root cause, I would like to ask for your help:

1. Is there any way I can monitor which file Symantec is trying to scan / extract?

2. We do not have a single file that is 500GB, so we want to know what is causing this temp folder to require 498GB.

3. Is there a way we can force-stop the scheduled scan if the system is trying to generate a large file again?

4. Is there any prevention we can apply to our server?

5. Or is there any other possibility that may cause the temp folder to grow so large?

Any help is appreciated.

Thank you.

BR,

Kent

Brɨan:

The first step I would suggest is to upgrade to the latest version of SEP. For 11.x that version is RU7 MP3. If you can, I would suggest going to SEP 12.1, that current version is RU2 MP1.

11.0.5 is a pretty old version and did have some bugs from what I remember.

Same issue on this thread, which was fixed by upgrading:

https://www-secure.symantec.com/connect/forums/i2l...

You can delete this file per this HOWTO:

Files are left in the i2_ldvp.tmp folder after scanning

Article:TECH99398  |  Created: 2001-01-13  |  Updated: 2011-11-21  |  Article URL http://www.symantec.com/docs/TECH99398

Large files under "\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\i2_ldvp.tmp" folder.

Article:TECH97520  |  Created: 2009-01-17  |  Updated: 2011-11-11  |  Article URL http://www.symantec.com/docs/TECH97520

Check out the best practices for installing SEP on a SQL cluster

Clustered SQL server support for the Symantec Endpoint Protection client.

Article:TECH97020  |  Created: 2009-01-26  |  Updated: 2010-12-23  |  Article URL http://www.symantec.com/docs/TECH97020

Installing a Symantec Endpoint Protection (SEP) client to a cluster server

Article:TECH91154  |  Created: 2008-01-01  |  Updated: 2012-09-11  |  Article URL http://www.symantec.com/docs/TECH91154

Either way, the suggestion is to upgrade.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

K33:

Hi,

Large numbers of .tmp files are being created in the xfer_tmp or 7.5\xfer folder and are being detected as threats.

http://www.symantec.com/business/support/index?pag...

Check this thread:

https://www-secure.symantec.com/connect/forums/i2ldvptmp

Mick2009:

Hi Kent,

"Thumbs up" to the recommendation to upgrade. Definitely go to 12.1 RU2 MP1, if possible.

A reboot will usually delete the temp files that you are seeing.  As it's a SQL cluster, it should be possible to reboot one node at a time without any service interruption.

Hope this helps!

With thanks and best regards,

Mick

KentNg:

Hi all,

Thanks for all the comments.

I am predicting there will be a new incident on the next scheduled scan.

We have had the weekly scheduled scan for a long time, and the 2 incidents only happened in these 2 weeks.

I really want to find out which file is being scanned that causes the 500GB folder to be created on the C: drive.

Are there any tools from Symantec that allow us to monitor which file is being scanned, or maybe which partition it is scanning? Then I can suggest excluding the partition / files / folders from SEP.

Is there a way I can force-stop the weekly scheduled scan when SEP is controlled by central policy? i.e. "SMC -stop".

So that I can stop the scanning immediately to prevent our SQL cluster server from hanging again (when the C: drive reaches zero free disk space).

Can someone please guide me through the troubleshooting? I really need the evidence for my management.

Thank you so much for all the help.
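The two questions Kent keeps coming back to (which file is being scanned, and how to get evidence before C: fills up) can be answered without waiting for a vendor tool. The following PowerShell script is an added example, not code from this thread or from Symantec: it polls the size of the SEP temp folder and the free space on C: during the scan window, and when either crosses a threshold it records the largest files in the folder and the files the scan engine currently has open. Assumptions: the folder lives under %ProgramData% (the Server 2008 equivalent of the "All Users\Application Data" path quoted above), the SEP 11.x scan process is rtvscan.exe (named later in this thread), Sysinternals handle.exe is on the PATH if you want the open-file list, and the log and threshold values are placeholders to adjust.

```powershell
# Added example (not from the thread or from Symantec): watch the SEP temp folder
# and C: free space during a scheduled scan and capture evidence when a threshold
# is crossed. Assumes rtvscan.exe is the SEP 11.x scan engine and, optionally,
# that Sysinternals handle.exe is on the PATH.
param(
    [string]$TmpFolder     = (Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection\i2_ldvp.tmp'),
    [string]$LogFile       = 'C:\Temp\sep_tmp_watch.log',  # assumed location
    [int]   $FolderLimitMB = 2048,   # alert once the temp folder exceeds 2 GB
    [int]   $FreeLimitMB   = 1024,   # alert once C: has less than 1 GB free
    [int]   $IntervalSec   = 30,
    [int]   $DurationMin   = 240     # run for the length of the scan window
)

$null = New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force

function Get-FolderSizeMB([string]$Path) {
    # Sum of all file sizes below $Path; 0 if the folder does not exist yet.
    if (-not (Test-Path $Path)) { return 0 }
    $bytes = (Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer } |
              Measure-Object -Property Length -Sum).Sum
    if ($bytes) { [math]::Round($bytes / 1MB, 1) } else { 0 }
}

function Get-FreeSpaceMB([string]$Drive = 'C:') {
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    [math]::Round($disk.FreeSpace / 1MB, 1)
}

function Write-Evidence([string]$Message) {
    # Timestamped line to both the console and the evidence log.
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

function Save-Snapshot {
    # Largest files in the temp folder: a growing multi-GB temp file shows up here.
    Get-ChildItem -Path $TmpFolder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object Length -Descending | Select-Object -First 10 |
        ForEach-Object { Write-Evidence ('  {0,12:N0} KB  {1}  (modified {2})' -f ($_.Length / 1KB), $_.FullName, $_.LastWriteTime) }

    # Files the scan engine has open right now: the file being scanned or extracted.
    $rtv = Get-Process -Name rtvscan -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($rtv -and (Get-Command handle.exe -ErrorAction SilentlyContinue)) {
        # handle.exe prints one line per handle, e.g. "  1C4: File  (RW-)   C:\path\file"
        & handle.exe -accepteula -p $rtv.Id 2>$null |
            Where-Object { $_ -match '^\s*[0-9A-F]+:\s+File\s+' } |
            ForEach-Object { Write-Evidence ('  rtvscan open file: ' + ($_ -replace '^\s*[0-9A-F]+:\s+File\s+(\(\S+\)\s+)?', '')) }
    } elseif ($rtv) {
        Write-Evidence ('  rtvscan.exe running as PID {0}; handle.exe not found, skipping open-file list' -f $rtv.Id)
    } else {
        Write-Evidence '  rtvscan.exe is not running'
    }
}

$deadline = (Get-Date).AddMinutes($DurationMin)
$alerted  = $false
Write-Evidence ('Watching {0} every {1}s (folder limit {2} MB, free-space limit {3} MB)' -f $TmpFolder, $IntervalSec, $FolderLimitMB, $FreeLimitMB)
while ((Get-Date) -lt $deadline) {
    $folderMB = Get-FolderSizeMB $TmpFolder
    $freeMB   = Get-FreeSpaceMB 'C:'
    Write-Evidence ('i2_ldvp.tmp={0} MB  C:_free={1} MB' -f $folderMB, $freeMB)
    if ($folderMB -gt $FolderLimitMB -or $freeMB -lt $FreeLimitMB) {
        if (-not $alerted) {
            Write-Evidence 'THRESHOLD CROSSED - capturing snapshot'
            Save-Snapshot
            $alerted = $true   # one snapshot per episode; remove to snapshot every interval
        }
    } else {
        $alerted = $false
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Run it from an elevated PowerShell session (or a scheduled task that starts a few minutes before the weekly scan). The evidence log then shows the growth curve of the folder over time, the name and size of the file that fills the disk, and which source file rtvscan.exe was reading when that happened, which is the material needed both for a support case and for deciding what, if anything, to exclude from the scan.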

Brɨan:

You would need to kill the rtvscan.exe process to stop the scan.

Vpdebug logging should show what is being scanned.

How to enable "Vpdebug Logging" on Symantec Endpoint Protection 11.0, 12.1, and 12.1 RU1

Article:TECH102939  |  Created: 2007-01-15  |  Updated: 2012-03-13  |  Article URL http://www.symantec.com/docs/TECH102939

Again, it is highly recommended to upgrade to the latest version as this issue has been fixed.

Rafeeq:

There is no rtvscan in 12.1; it's called ccSvcHst.exe.

You can do a:

taskkill /S remotesystemname /IM ccSvcHst.exe

P.S.: you need to disable Tamper Protection before you can do that.

Brɨan:

He's on 11.x

Rafeeq:

My bad, I did not see that. Yes, Brian is right; it's RTVSCAN.exe in 11.x.

KentNg:

Hi Brian81,

I have enabled VPDebug=ALL, but it looks like the log doesn't tell us which files are being scanned now.

Is there any keyword that tells us which file is being scanned now?

=======================================================

02:35:51.051527[_2384][_1968]|RDWRLOCK (00bd6314): Read lock (1).
02:35:51.051910[_2384][_1968]|RDWRLOCK (00bd6314): Read release (0).
02:35:51.052312[_2384][_1968]|RDWRLOCK (00bd6314): Reader write release.
02:35:51.055733[_2384][_1968]|RDWRLOCK (00bd6314): Reader wait for write lock.
02:35:51.056155[_2384][_1968]|RDWRLOCK (00bd6314): Reader write lock.
02:35:51.056678[_2384][_1968]|RDWRLOCK (00bd6314): Read lock (1).
02:35:51.057040[_2384][_1968]|RDWRLOCK (00bd6314): Read release (0).
02:35:51.057483[_2384][_1968]|RDWRLOCK (00bd6314): Reader write release.
02:35:51.060964[_2384][_1968]|RDWRLOCK (00bd6314): Reader wait for write lock.
02:35:51.061427[_2384][_1968]|RDWRLOCK (00bd6314): Reader write lock.
02:35:51.061910[_2384][_1968]|RDWRLOCK (00bd6314): Read lock (1).
02:35:51.062734[_2384][_1968]|RDWRLOCK (00bd6314): Read release (0).
02:35:51.063398[_2384][_1968]|RDWRLOCK (00bd6314): Reader write release.
02:35:51.066839[_2384][_1968]|RDWRLOCK (00bd6314): Reader wait for write lock.
02:35:51.067664[_2384][_1968]|RDWRLOCK (00bd6314): Reader write lock.
========================================================
Is there any way I can check / see which files are being scanned while the scheduled scan job is running in the background? Can we issue a command to show the Scan GUI, so we can see which files are being scanned now?

I also found that if I do "End task" for RTVScan.exe, the SEP scan log still shows that the job is running. Is this normal?

Thank you.
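Kent's excerpt contains only RDWRLOCK lines, which carry no file names, so searching it for a single keyword is guesswork. The PowerShell below is an added example, not code from the thread or from Symantec: it parses each vpdebug line into its timestamp, thread ids and message tag using the shape visible in the excerpt (time, two bracketed ids, a pipe, a tag), drops the lock-noise tags, and then pulls out anything shaped like a Windows path, so whichever message type names the file being handled surfaces on its own. The log location is a placeholder, and it is an assumption, to be confirmed against the real log, that scan messages carry full paths.

```powershell
# Added example (not from the thread or from Symantec): triage a vpdebug log by
# message tag and extract path-like strings, instead of guessing a keyword.
# Line shape taken from the excerpt: "HH:mm:ss.ffffff[_pid][_tid]|TAG (...): message".
param(
    [string]  $VpDebugLog = 'C:\vpdebug.log',   # assumed location; point at your log
    [string[]]$NoiseTags  = @('RDWRLOCK'),      # tags that carry no file information
    [int]     $Top        = 20
)

$lineRx = '^(?<ts>\d{2}:\d{2}:\d{2}\.\d+)\[(?<p>[^\]]*)\]\[(?<t>[^\]]*)\]\|(?<tag>[^\s(:]+)(?<rest>.*)$'
$pathRx = '[A-Za-z]:\\[^\s"''<>|*?]+'           # drive letter, backslash, then anything path-safe

function ConvertFrom-VpDebugLine([string]$Line) {
    # Returns one object per parseable line; lines of another shape are skipped.
    if ($Line -match $lineRx) {
        New-Object PSObject -Property @{
            Time   = $Matches['ts']
            Thread = $Matches['t']
            Tag    = $Matches['tag']
            Rest   = $Matches['rest']
            Paths  = @([regex]::Matches($Line, $pathRx) | ForEach-Object { $_.Value })
        }
    }
}

$parsed = Get-Content -Path $VpDebugLog |
    ForEach-Object { ConvertFrom-VpDebugLine $_ } |
    Where-Object { $_ -and ($NoiseTags -notcontains $_.Tag) }

'Message tags after dropping noise (which kinds of lines remain):'
$parsed | Group-Object Tag | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

'Lines that mention a path, oldest first (the file being handled at that moment):'
$parsed | Where-Object { $_.Paths.Count -gt 0 } | Select-Object -First $Top |
    ForEach-Object { '{0} [{1}] {2}: {3}' -f $_.Time, $_.Thread, $_.Tag, ($_.Paths -join ', ') }

'Top-level folders referenced most often:'
$parsed | ForEach-Object { $_.Paths } |
    ForEach-Object { if ($_ -match '^([A-Za-z]:\\[^\\]+)') { $Matches[1] } } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize
```

The first table tells you which message tags actually remain once the lock chatter is gone; if none of them ever carries a path, the debug level or component being logged is the wrong one and no keyword will help. The second and third listings give the per-file timeline and the folders most often touched, which is the evidence needed to correlate a scan against the moment the temp folder started growing.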