Video Screencast Help
Search Video Help Close Back
to help

Too much Temp files at the Endpoint

Created: 04 Feb 2013 | 6 comments
Guilherme Toschi's picture
Guilherme Toschi Partner Accredited
0 0 Votes
Login to vote

Hello,

 

A customer have DLP installed 11.5.

They are using DLP Endpoint agents in almost all their machines.

Some of thoses machines started crashing! We suspect that the RAM is getting full (they have 2Gb), the pc become slower and slower until it crashes.

The folder "C:\temp" of the machines had several temp files (around 50.000 withjust 1Kb)  created by the DLP enpoint client.

The solution they found was to manually delete the temp files, but aftes a time the folder is full agian.

For some users this ciclo was too fast that they just uninstalled the DLP client.

 

And now we need to solve this issue.

Is it a configuration problem?

There is some configuration variable that makes the agent store those temp files?

 

ps: they have SEP installed too.

Discussion Filed Under:
, , , ,

Comments 6 CommentsJump to latest comment

pete_4u2002's picture
pete_4u2002 Symantec Employee
Too much Temp files at the Endpoint - Comment:04 Feb 2013 : Link

i believe it is because of SEP.
What is the SEP version?

what are the name of files?
use the latest version of SEP client.

Cheers!
Pete

Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619

0
Login to vote
Guilherme Toschi's picture
Guilherme Toschi Partner Accredited
Too much Temp files at the Endpoint - Comment:04 Feb 2013 : Link

Customer has the SEPM and SEP agent version 11.0.7000.975

The file at the "C:\temp" folder are for example "DLP1A0.tmp","DLP1A1.tmp"...

it is DLP file!

 

0
Login to vote
K S Sharma's picture
K S Sharma
Too much Temp files at the Endpoint - Comment:06 Feb 2013 : Link

Hi 

 

We make a snapshot of any file that we are evaluating for removable storage.  That way, if the file is removed before we detect, we can still Monitor the file and create an incident, allowing us to be aware that the copy happened.  Before processing, the files are copied into an .snp files that are stored in the C:\Program Files\Manufacturer\Endpoint Agent\temp directory. 
The .snp (snapshot) files are the original copies of the files we scan. The file is then copied to a .vep (Vontu Endpoint) file, which is used in the detection process. 
We keep the last 20 snp files so there should never be more than 20 files in this folder in v10. The .snp files should be removed if the edpa process is restarted. If there are more than 20 files or they are not removed after restarting the edpa process then contact technical support.
0
Login to vote
K S Sharma's picture
K S Sharma
Too much Temp files at the Endpoint - Comment:06 Feb 2013 : Link

Hi ,

Also refer below

https://www-secure.symantec.com/connect/forums/why...

 

DLP agent makes a snapshot of any file that are evaluating for removable storage.  That way, if the file is removed before DLP agent detect, DLP agent can still Monitor the file and create an incident, allowing us to be aware that the copy happened.  Before processing, the files are copied into an .snp files that are stored in the C:\Program Files\Manufacturer\Endpoint Agent\temp directory.

The .snp (snapshot) files are the original copies of the files DLP agent scan. The file is then copied to a.vep (Vontu Endpoint) file, which is used in the detection process.

0
Login to vote
Guilherme Toschi's picture
Guilherme Toschi Partner Accredited
Too much Temp files at the Endpoint - Comment:06 Feb 2013 : Link

Hi,

 

I have seen that topic, and I think it is NOT the same problem!

The directory that is being compromised is the "C:\Temp" and the file are.tmp, really small just a few binary characteres inside.

 

We will investigate more and bring more info about this case.

 

Thanks

0
Login to vote
K S Sharma's picture
K S Sharma Partner Accredited
Too much Temp files at the Endpoint - Comment:28 Apr 2013 : Link

Hi Guil,

Please refer below

https://www-secure.symantec.com/connect/forums/sym...

 

0
Login to vote