Endpoint Protection

People,

Why is that in my C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Install\Logs there are multiple .DMP files each 1.4 GB like:

ccSvcHst-12.11.3.11-2014-12-13-17-52-50-294-1320.dmp

ccSvcHst-12.11.3.11-2015-01-02-16-18-21-793-1320.dmp

ccSvcHst-12.11.3.11-2015-01-07-20-00-56-831-1320.dmp

How to safely delete it ? because as DOMAIN\Administrator I still cannot delete it, even when I stop the SMC (smc -stop) and right click disable the SEP client.

Thanks.

You should move to 12.1.6 to fix it completely, see this link for full details:

.dmp file accumulation causes low disk space on Endpoint Protection clients

If you can't upgrade yet, they should be safe to delete. You also need to disable clients from creating the dumps.

This problem is fixed in Symantec Endpoint Protection (SEP) 12.1.6 (RU6). To obtain the latest version of SEP, see Download the latest version of Symantec Endpoint Protection.

To work around this problem until you can upgrade, manually disable SEP clients from generating memory dumps.

1. Disable Tamper Protection
2. In the Windows registry, navigate to the following key:

   HKEY_LOCAL_MACHINE\SOFTWARE(\Wow6432Node)\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler (HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler on32-bit Operating Systems)

3. Set the following DWORD values to 0:
   • DumpOnException
   • DumpOnInvalidParameter
   • DumpOnNew
   • DumpOnPurecall
   • DumpOnSecurity
4. Restart smc.
5. Enable Tamper Protection.

Note: After migrating or working around the problem, you will need to remove the .dmp files already on the computer.

https://support.symantec.com/en_US/article.TECH227...

thanks guys, so what do I need to do here ?

manually perform inline SEP client upgrade and then reboot the client OS ? is that all ?

You need to upgrade client and remove manually .dmp file

or perform above steps for problematic system

Note : After migrating or working around the problem, you will need to remove the .dmp files already on the computer.

You may not be able to delete these files manually until you disable "Tamper Protection".

Before you attempt to delete the files, disable "Tamper Protection" on SEPM /SEP client and then stop the SEP client services on the affected machine using the command "smc -stop" and then try to delete these files.

Even after upgrade those files still need to be removed. The upgrade should provide teh true fix and not allow it to happen again.

Hello,

We have the same issue with RU5 and the workaround that we are using is to delete these DMP files with a script.

Just create one folder, put there Psexec.exe, create a file called List.txt and put there the machines on which you want to delete the DMP files and also create CMD file (which you have to execute) with the following content:

@setlocal EnableDelayedExpansion
@set file=list.txt
@FOR /F %%i IN (%file%) DO (
@set PC=%%i

@echo !PC!
@time /t
@echo off
@psexec.exe \\!PC!  cmd /c del /f /q "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Install\Logs\*.dmp"

)
@EndLocal
@Echo on
pause

This works fine for us.