Endpoint Protection

Had a Server Health report waiting on me this morning - no disk space on the D: drive. So I went looking for the culprit, and D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager is taking almost 38 GB of drive space. The Inetput directory takes over 31 GB, and the Content folder takes about 30 GB. Under the Content folder are 22 folders named with those gawd-awful GUID names. Some of those are only a few MBs, most are around 650 MB, but two are over 13 GB!

The ContentInfo.txt file shows those folders to be the Win32 and Win64 virus definitions folders. Those folders have 21 folders each, with each one of those being about 650MB. They show 21 versions of AV definitions, which is what best practice recommended when we installed the SEPM. Each folder is storing a zip file of the full definitions, a folder with the full definitions, and several xdelta definitions. If I reduce the number of definitions, will that automatically remove the older folders?

There is also a Client Packages folder under Inetpub that is over 1GB, with what seems to be the similar content. There are 5 folders, each about 300MB with zipped up and delta files. Opening the full.zip file, I see that those are yet another copy of the SEP installer packages. Do we really need that many copies of the SEP installer packages. They are all over the SEPM directory.

The data\inbox has a log folder with almost 2GB. Under there is a log folder with 1.9 GB of log files. Almost all of the folders under that have a lot of .ERR files, some of which date back to 2010. The packets and traffic folders are the biggest offenders with over 1 GB of files dating back to 2010. These are all text files with a bunch of GUID-looking entries and some computer information. A .ERR extension indicates error messages to me, can I safely delete those? At least delete the ones from 12/2011 and older?

The data\replication folder is almost 4GB, and I don't have replication turned on. I only have one SEPM server. Can I delete that data.zip file? It is dated 10/31/2011.

Disk Space Management procedures for the SEPM

http://www.symantec.com/business/support/index?page=content&id=TECH96214

hope this is helpful.

How many content revisions are you keeping?

If I reduce the number of definitions, will that automatically remove the older folders?

Yes. But keep in mind that reducing the number of content revisions may mean more full content downloads by the clients.

Do we really need that many copies of the SEP installer packages.

Yes, but you can disable the option "Store client packages unzipped" under Admin > Servers > Local Site > LiveUpdate > Disk Space Management. Then the client packages will only be saved as zipped. The unzipped folders will be removed immediately. However, after that clients cannot be upgraded with delta packages.

The packets and traffic folders are the biggest offenders with over 1 GB of files dating back to 2010. These are all text files with a bunch of GUID-looking entries and some computer information. A .ERR extension indicates error messages to me, can I safely delete those? At least delete the ones from 12/2011 and older?

I would stop the SEPM and delete them; they seem to be artefacts caused by temporary SEPM issues to write client logs into the database. See this thread:

https://www-secure.symantec.com/connect/forums/sepmdatainboxlog-many-err-files

Hi,

Work on this article to clear some disk space...

Issue Related to Low disk space.

Hello,

I agree with A.Wesker and Greg's Comment above.

I would suggest you to have a look at  -

Symantec Endpoint Protection Sizing and Scalability Best Practices White Paper

http://www.symantec.com/docs/DOC4448

Hope that helps!!

You're keeping the equivalence of a full week of definitions which is good.

It's a "small" (I used quotes for the small lol ^^) inconvenience on the SEPM server because it uses a lot of disk space but on the other hand it's a great benefit for your managed SEP clients that might be offline for few days simply because the users do not use their machines and it permits the creation of smaller delta and then to keep under control the network bandwidth used when your clients are updating from your SEPM server.

At least with your current LU content kept on your SEPM server, a machine offline for 5 days for example, when this machine will be back online, it will still be able to retrieve definitions from the SEPM and not requesting a full (and heavy ^^) package of definitions.

If you have a data.zip file on the replication folder, it didn't create itself alone like that. It means at least a replication has been done on 10/31/2011 with another SEPM server and I highly suspect it was a migration of a SEPM Console from a server to this more recent server which is a good thing as it's clearly the easiest method to use and it's clearly less annoying than the Disaster Recovery method

If you confirm that last information regarding replication, then you can delete the data.zip populated on the replication folder without any worries as you're using only one SEPM after the unique and only one replication has been done for the server migration

Kind Regards,

A. Wesker

Connect needs a way to mark multiple replies as solutions...