
Too many temp files at the Endpoint

Created: 04 Feb 2013 | 6 comments
Guilherme Toschi

Hello,

A customer has DLP 11.5 installed.

They are using DLP Endpoint agents on almost all their machines.

Some of those machines started crashing! We suspect that the RAM is getting full (they have 2 GB); the PC becomes slower and slower until it crashes.

The folder "C:\temp" of the machines had several temp files (around 50.000 with just 1 KB) created by the DLP endpoint client.

The solution they found was to manually delete the temp files, but after a time the folder is full again.

For some users this cycle was so fast that they just uninstalled the DLP client.

And now we need to solve this issue.

Is it a configuration problem?

Is there some configuration variable that makes the agent store those temp files?

P.S.: they have SEP installed too.


pete_4u2002

I believe it is because of SEP.
What is the SEP version?

What are the names of the files?
Use the latest version of the SEP client.

Guilherme Toschi

Customer has the SEPM and SEP agent version 11.0.7000.975

The files in the "C:\temp" folder are, for example, "DLP1A0.tmp", "DLP1A1.tmp"...

It is a DLP file!

kishorilal1986

Hi 

We make a snapshot of any file that we are evaluating for removable storage. That way, if the file is removed before we detect, we can still monitor the file and create an incident, allowing us to be aware that the copy happened. Before processing, the files are copied into .snp files that are stored in the C:\Program Files\Manufacturer\Endpoint Agent\temp directory.
The .snp (snapshot) files are the original copies of the files we scan. The file is then copied to a .vep (Vontu Endpoint) file, which is used in the detection process.
We keep the last 20 snp files so there should never be more than 20 files in this folder in v10. The .snp files should be removed if the edpa process is restarted. If there are more than 20 files or they are not removed after restarting the edpa process then contact technical support.

kishorilal1986

Hi ,

Also refer to the link below:

https://www-secure.symantec.com/connect/forums/why...

The DLP agent makes a snapshot of any file that it is evaluating for removable storage. That way, if the file is removed before the DLP agent detects it, the DLP agent can still monitor the file and create an incident, allowing us to be aware that the copy happened. Before processing, the files are copied into .snp files that are stored in the C:\Program Files\Manufacturer\Endpoint Agent\temp directory.

The .snp (snapshot) files are the original copies of the files the DLP agent scans. The file is then copied to a .vep (Vontu Endpoint) file, which is used in the detection process.

Guilherme Toschi

Hi,

I have seen that topic, and I think it is NOT the same problem!

The directory that is being compromised is "C:\Temp" and the files are .tmp, really small, with just a few binary characters inside.

We will investigate more and bring more info about this case.

Thanks
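
The following triage script is an added example, not part of the thread and not Symantec tooling. It measures the two locations discussed above (DLP*.tmp in C:\temp, and .snp/.vep files in the agent temp directory, checked against the 20-file limit quoted for .snp) and reports the memory use of the edpa process. It assumes PowerShell 3.0 or later, and "Manufacturer" in the agent path is the placeholder from the posts and must be replaced with the real folder name.

```powershell
# Added example: paths, file patterns and the 20-file .snp limit come from the posts above.
$agentTemp = 'C:\Program Files\Manufacturer\Endpoint Agent\temp'   # placeholder path from the thread
$targets = @(
    @{ Path = 'C:\temp';  Filter = 'DLP*.tmp'; Limit = $null },
    @{ Path = $agentTemp; Filter = '*.snp';    Limit = 20 },
    @{ Path = $agentTemp; Filter = '*.vep';    Limit = $null }
)
$since = (Get-Date).AddHours(-1)

$report = foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Path)) {
        [pscustomobject]@{ Path = $t.Path; Filter = $t.Filter; Count = 0; Note = 'directory not found' }
        continue
    }
    # Non-recursive listing; sorted by creation time so oldest/newest are the ends of the array
    $files = @(Get-ChildItem -LiteralPath $t.Path -Filter $t.Filter -File -ErrorAction SilentlyContinue |
               Sort-Object CreationTime)
    $sum = ($files | Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        Path        = $t.Path
        Filter      = $t.Filter
        Count       = $files.Count
        TotalKB     = [math]::Round([double]$sum / 1KB, 1)
        Oldest      = if ($files.Count) { $files[0].CreationTime }
        Newest      = if ($files.Count) { $files[-1].CreationTime }
        # Files created in the last hour: shows how fast the folder refills after a cleanup
        NewLastHour = @($files | Where-Object { $_.CreationTime -ge $since }).Count
        OverLimit   = ($null -ne $t.Limit) -and ($files.Count -gt $t.Limit)
        Note        = ''
    }
}
$report | Format-List

# Working set of the endpoint agent process named in the thread (edpa), to compare with the 2 GB of RAM
Get-Process -Name edpa -ErrorAction SilentlyContinue |
    Select-Object Name, Id, StartTime,
        @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } }
```

Running it before and after a restart of the edpa process, and again an hour later, gives the file counts and growth rate that a support case would need.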