
Problem with the folder content of Inetpub, some gigabyte !!!

Created: 22 Apr 2008 • Updated: 21 May 2010 | 25 comments
MaxBosss's picture

Hello everyone

I have had the latest Symantec product (Endpoint Protection) installed for some months and I've got a problem. My folder "Content" of C:\Program Files\Symantec\Symantec Protection manager\Inetpub occupies several gigabytes on my server. I know that I can delete the folders manually but I think it's not the real solution.

Thanks for your help.

Good Afternoon

   


Eduardo Menegalli Nazato's picture

Same problem here.
The folder C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content is occupying 24Gb :smileysad:

Can I just delete the bigger folders?

Abhishek Pradhan's picture

Please upgrade to MR-2 if not already done. This issue has been fixed in MR-2.

Otherwise, you can refer to the following -


 https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=1347&query.id=66376#M1347

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

Eduardo Menegalli Nazato's picture

Our server is already MR2, and we only found this problem after upgrading it to MR2

We've deleted all the "digit named folders", but now the clients stopped receiving the definitions updates. I've executed Rx4Defs on the SEPM server, but even its client (SEP 11 MR2) stopped on November 07 definitions :smileyindifferent:

Eduardo Menegalli Nazato's picture

No news here?

So, a motivation:


Yesterday, after a forced "Update Content", 4 computers were updated to date (2008-04-22), but 3 of them automatically downgraded to the 2008-04-21 definitions, as you can see



Message Edited by Eduardo Nazato on 04-23-2008 04:27 PM

TZ's picture
MR2 did not fix this.  We are still having that problem too.
Eduardo Menegalli Nazato's picture

Just to remember: it's getting worse, ok

The SEPM server is up-to-date, but the most up-to-dated client is using the definitions from 2008-04-21

Thank you a lot, Symantec!

Raider1's picture

MR2 installed and guess what, my content folder is still growing (13gb) and after clearing it out as suggested on this forum by a Symantec employee now my clients won't update the virus def unless I force them via the SEPM. Thanks Symantec, you're the best!

Abhishek Pradhan's picture

I've got a question w.r.t. this issue - had anyone amongst you implemented the semi-fix we used to implement before MR-2 came out? In case you did not do that, you may try to implement the semi-fix to try and resolve this issue.

I'm giving it FYI here -

To adjust the number of content updates stored by Symantec Endpoint Protection Manager
Open the \Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties file.
Add the following setting to the file, (the example uses a value of 5, adjust the value as necessary, the default value is 10 if no entry is present)

scm.lucontentcleanup.threshold=1

Close the conf.properties file and click Yes to save your changes.
Click Start > Run.
Type services.msc and click OK.
Right-click on Symantec Endpoint Protection Manager, and click Restart.
Close Services.

Within a short period of time the numbered content folders should be adjusted to the value that you selected, the example below is based on a value of 5:

\Program Files\Symantec Endpoint Protection Manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}\
71016009
71019009
71020006
71021005
71022017


Add the line scm.lucontentcleanup.threshold=x (preferably between 1 to 5, since 10 is the default value) to the end of the conf.properties file.
Stop the SEPM service.
Navigate to the content folder, and then from each of the folders present under the CONTENT folder, go in and delete ALL the sub-folders with names in DIGITS.

Hope this helps. In case it doesn't, please post here so we can try to find a solution to this.


Then RESTART the Server which has the SEPM installed, and then start the SEPM service again

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org
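
Added example, not part of the thread and not Symantec's own tooling: a read-only PowerShell audit that reads scm.lucontentcleanup.threshold from conf.properties and reports, for each folder under Inetpub\content, how many digit-named revision folders exist and how much disk they use. It assumes PowerShell 3.0 or later and the install paths quoted in this thread; the parameter name $SepmRoot is hypothetical.

```powershell
# Added example: read-only audit of SEPM content revisions. It deletes nothing.
param(
    # Install path as quoted in this thread; adjust for your server.
    [string]$SepmRoot = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager'
)

$confPath    = Join-Path $SepmRoot 'tomcat\etc\conf.properties'
$contentPath = Join-Path $SepmRoot 'Inetpub\content'

# Per the post above, 10 revisions are kept when no entry is present.
$threshold = 10
if (Test-Path -LiteralPath $confPath) {
    foreach ($l in Get-Content -LiteralPath $confPath) {
        if ($l -match '^\s*scm\.lucontentcleanup\.threshold\s*=\s*(\d+)\s*$') {
            $threshold = [int]$Matches[1]
        }
    }
}

$report = foreach ($type in Get-ChildItem -LiteralPath $contentPath -Directory) {
    # Revision folders are the sub-folders named only in digits (e.g. 71016009).
    $revs = @(Get-ChildItem -LiteralPath $type.FullName -Directory |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [decimal]$_.Name })
    if ($revs.Count -eq 0) { continue }

    # Total size of all files under the revision folders of this content type.
    $bytes = ($revs | ForEach-Object {
        Get-ChildItem -LiteralPath $_.FullName -Recurse -File -ErrorAction SilentlyContinue
    } | Measure-Object -Property Length -Sum).Sum

    [pscustomobject]@{
        ContentType = $type.Name
        Revisions   = $revs.Count
        Threshold   = $threshold
        OverLimit   = $revs.Count -gt $threshold
        Oldest      = $revs[0].Name
        Newest      = $revs[-1].Name
        SizeGB      = [math]::Round($bytes / 1GB, 2)
    }
}

# Largest consumers first; OverLimit = True means the cleanup is not keeping up.
$report | Sort-Object SizeGB -Descending | Format-Table -AutoSize
```

Running it before and after a threshold change or an upgrade shows whether the cleanup is actually trimming revisions, without touching the folders that clients pull definitions from.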

Eduardo Menegalli Nazato's picture

Thank you for the attention Abhishek... I did try these steps, with a guy from Symantec tech support on the phone (who actually sent them to me). It did fix the Content folder growing issue, but it led me to the other problem, which is the non-updating clients.

The Symantec support staff talked to me on the phone for about a week, and they couldn't fix this new problem. Now they want me, for the 3rd time, to rebuild the whole SEPM server :smileysad:

Abhishek Pradhan's picture

Hi Eduardo,

Why don't you PM me the case number that you have open, and we'll get something worked out.


Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

doctortt's picture
Will this problem occur in a fresh install of SEP 11.0.2 MR2? We just started using this product last week.
Raider1's picture

I did implement the scm.lucontentcleanup.threshold=1 fix before I applied MR2 and it seemed to work but after installing MR2 it started doing it again so maybe I need to apply it again. But I am still having the problem where my clients won't update unless I do it manually. I am to the point where I am going to write a script just to launch LiveUpdate on each machine via the Scheduled task but I should not have to apply workarounds for things that the software should be doing in the first place.

Abhishek Pradhan's picture

Hi Raider,

In case you are unable to do the LiveUpdate automatically, chances are that the Folder Structure has been corrupted since wrong folders were deleted.

In this case, I'd recommend taking a backup of the DB, the keystore.jks and server.xml files as outlined below, and then uninstalling the SEPM and then doing a fresh install of the SEPM to resolve the issue.



ON THE OLD INSTALLATION
Copy the "Server Private Key Backup folder" from:
\\ProgramFiles\Symantec\ Symantec Endpoint Protection Manager\Server Private Key Backup


Paste it to another storage area (as it will be deleted during Symantec Endpoint protection Manager uninstall)
Copy the "Data folder" from:
\\ProgramFiles\Symantec\ Symantec Endpoint Protection Manager\Data


Paste it to another storage area.
Copy the "sem5.db" database file from:
\\ProgramFiles\Symantec\ Symantec Endpoint Protection Manager\db


Paste it to another storage area.
Make a note of the "Encryption Password" used during the install.



ON THE NEW INSTALLATION AFTER THE DISASTER RECOVERY  OF OPERATING SYSTEM (OS)

Ensure that the server has the same IP Address and Host Name the Operating System has been Installed.
Install the "Symantec Endpoint Protection Manager" with the "Embedded Database."
Enter the "Encryption Password" that was used on the old "Symantec Endpoint Protection Manager" installation.
Log in to the Console
Click Admin.
Select Tasks> Servers.
Under "View Servers", expand Local Site.
Click the <computer name> that identifies the local site.
Select Tasks.
Click Manage Server Certificate.
In the "Welcome panel", click Next.
In the "Manage Server Certificate panel", select Update the Server Certificate
Click Next.
Under "Select the type of certificate to import", select JKS keystore.
Click Next.
Note: If one of the other certificate types has been implemented, select that type.


In the "JKS Keystore panel", click Browse.
Locate and select the backed up "keystore_<timestamp>.jks" keystore file.
Click OK
Open the "server_<timestamp>.xml" file
Select and copy the "keystore password."
Activate the "JKS Keystore" dialog box.
Paste the "keystore password" into the "Keystore" and "Key boxes."
Note: The only supported paste mechanism is Ctrl + V.


Click Next
Note: If you get an error message that says you have an invalid keystore file, you probably entered invalid passwords. Retry the password copy and paste. (This error message is misleading.)


In the "Complete panel", click Finish.
Stop the services for the "Symantec Embedded database" and the "Symantec Endpoint Protection Manager"
Go to:
\Program Files\Symantec Endpoint Protection Manager\

on the new "Symantec Endpoint Protection Manager" and remove the "Data folder."


Move the "old Data folder" under:
\Program Files\Symantec Endpoint Protection Manager\Data

from the old "Symantec Endpoint Protection Manager" install directory to the new "Symantec Endpoint Protection Manager" install directory.


Create a new folder named "db1" in:
\Program Files\Symantec Endpoint Protection Manager\


Move the "sem5.db" from the old "Symantec Endpoint Protection Manager" install directory.
Click Start>Run.
Type regedit
Navigate to:
HKey_Local_Machine\System\CurrentControlSet\services\ASANYs_sem5\Parameters


Open the value name Parameters and the original database:
\Program Files\Symantec Endpoint Protection Manager\db\sem5.db


Change it to:
\Program Files\Symantec Endpoint Protection Manager\db1\sem5.db


Move the "sem5.db" database:
\Program Files\Symantec Endpoint Protection Manager\db

from the old "Symantec Endpoint Protection Manager"  install directory to the new "Symantec Endpoint Protection Manager" install directory.


Go to Administrative Tools> Data Sources ODBC
Ensure database connectivity after changing the database file location to:
\Program Files\Symantec Endpoint Protection Manager\db1\sem5.db


Run the "Migration Server Configuration Wizard."
Click Yes to replace the database after entering the password
Login to the "Symantec Endpoint Protection Manager" using the old password.
Ensure that the Domain ID is same as it was on the old clients.
If it is not, follow the directions in the document below to restore the Domain ID. This will enable client communication: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007082112135948


All of the clients should begin reporting back within approximately 30 minutes.




Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

Eduardo Menegalli Nazato's picture

Yeah, I knew that my server is lost, and that I have to rebuild it.
But it was not our fault, we DID follow Symantec documented steps.

For the love of God, it's the third time I lost my server. Two times because of the embedded database corruption, and now because of the growing Content folder and a solution that only makes things worse. All the times I spent a lot of time on the phone talking to the very Symantec support staff, and they couldn't help me.

When will this torture end?
Why could Symantec Client Security be left alone and work perfectly, while SEP always behaves like a baby, whom I have to monitor all the time to see if something did poop again?



Message Edited by Eduardo Nazato on 05-09-2008 09:51 AM

Raider1's picture

Ok Abhishek Pradhan, I have done a complete reinstall of my main management server and followed your instructions, the clients are now just coming back up. If this fixes my update problem do I need to apply the same method to my replication sites? If so, are there any additional steps I need to take?

Raider1's picture

It has been 24 hours since the reinstall, new defs have been downloaded to the management server, but the clients have still not updated. The only client that updates automatically is the client on the server. I have tried a reinstall on a client but it too is still not getting the updates from the management server. Any more suggestions?

MarkF's picture
Hello,
 
I have got exactly the same problem:
content folder is growing (no WSUS installed), installed MR2.
Clients still not updating ! Removed old folders from content folder.
I can't even change the policy to manually update via liveupdate over the internet, instead of over the management server...
 
Is there some logging when/where clients want to update?
 
regards,
Mark
Raider1's picture

Someone suggested that my database is corrupt and I need to do a fresh install without restoring the database. So I am going to backup my db, server key, and data folder. Then rebuild my entire SEPM, I will post if this fixes the problem. Funny thing is as many hours I spent working on this the company I work for could have just bought new anti-virus solution for less.




P.S. We won't be renewing our Symantec license



Message Edited by Raider1 on 05-14-2008 08:08 AM

doctortt's picture
Just curious - for those who lost your servers, can't you rebuild a new server and then just drop the new sylink.XML file to each PC, so it talks to the new server?
Eduardo Menegalli Nazato's picture

Yes, we can. But anyway the original server is lost :smileyindifferent:

And how many more times will I have to rebuild my server?

Raider1's picture

I just got done rebuilding my SEPM from the ground up. The clients are now getting the updates and are connecting back to the SEPM. Unfortunately I am only back to square one and my content folder is going to grow once again...



@ doctortt

No, you don't have to drop the sylink.XML on every client. You just create a domain in the SEPM and change its ID to the ID your clients are trying to connect to. As explained in the "Best Practices for Disaster Recovery with Symantec Endpoint Protection"

This is what I did

Backed up my DB (just in case but didn't use)
Saved Data folder (just in case but didn't use)
Saved the Key Store File
Looked up the domain ID and saved it to a txt file
Exported all my policies
Uninstalled SEPM, SEP (on server only), and Live update, also deleted the Symantec folder (just in case)
Installed SEPM
Imported policies
Restored Key Store File
Created a group with the same name the clients were in (not needed, just saved time moving clients)
Created a new Domain
Changed the domain ID
Clients reconnected and grabbed latest updates...


Now I look forward to the content folder growing like a wild flower :)

Knottyropes's picture
My MR1 keeps doing it but is stable now.
 
I am afraid to install MR2.
 
Maybe wait for MR3 before I try.
bcorp's picture
I updated to MR2 yesterday after seeing the mdefbuilder.exe process running at 100% and noticed today that the "End Point Security\Inetpub\content" folder was 67G. Since there were files dating back to Feb. I can't say if MR2 caused the content folder growth but it doesn't appear to clean it up either. It sure looks to me like one of the problems is that not only is SEPM keeping a lot more than the last 10 copies of the Virus Definitions, it is also keeping a "Full" uncompressed copy, a zipped copy, and a .dax copy which is the same size as the zipped copy. It appears after yesterday's MR2 update the .dax copies stopped happening but the Full and zipped copies are still there. I checked and the "Full" uncompressed copy is identical to the zipped copy. I can see that under the Site Properties\Live Update the "Store client packages unzipped ... " setting was checked so why would it then keep a zipped copy? I have unchecked this to see if it will keep the zipped copy and do away with the "Full". I have also changed the "Number of content revisions to keep:" count to 5 but that so far hasn't reduced the number of VD files. I manually deleted all the numbered folders previous to this month so we'll see if we gain files over the next few days or reduce to the 5 copies the setting implies. Since I deleted the pre May VD folders I can see that the mdef25builder.exe process is running again (actually two instances, I assume one for the 32 bit clients and one for the 64 bit) and seems to be rebuilding Delta packages from the earliest VD through today's most current. Neither instance of mdef25builder is going much above 45% and together they never went much above 67% so it appears MR2 at least brought this process under some control.
anglojim's picture
The KB article and posts here by Abhishek Pradhan blithely state that the Inetpub\content problem is fixed with MR2.
 
It simply isn't. I had done the semi-fix on my original SEPM (11.0) and have completed the upgrade to MR2. There was no change to the bloat (currently 10GB). I have tried repeating the semi-fix post MR2 install and it makes no difference.
 
I've also tried setting the admin-servers-local site-properties-live update-"number of content revisions to keep".
 
None of this makes any difference to the ever growing content folders.
 
Furthermore, I used the Dbunload tool which worked its way through the entire database (3GB - just 6 clients!!!) and after half an hour or so it completed successfully leaving me with a database exactly the same size.
 
FYI I'm running one SEPM on a 2003 Server with embedded database.
 
Eduardo Menegalli Nazato's picture

My problem is finally over!

After a lot of talk directly with Symantec managers, it was decided that an Engineer would come here to help us building a new SEPM MR2 server. Probably the old server (which was originally installed using SEPM 11.0.780 and then migrated to MR1 and MR2) is corrupted, and then a lot of problems raised.

It's been a week since the migration, and almost all clients are already communicating with the new server. Even the problem where clients communicate with wrong groups (here) seems to be resolved now.

I hope this new server will finally work well :smileyhappy:

Thanks for any help, or at least for any try to help.

Eduardo