Data Loss Prevention

  • 1.  Too much Temp files at the Endpoint

    Posted Feb 04, 2013 10:44 AM

    Hello,

    A customer has DLP 11.5 installed.

    They are using DLP Endpoint agents on almost all their machines.

    Some of those machines started crashing! We suspect that the RAM is getting full (they have 2Gb), the PC becomes slower and slower until it crashes.

    The folder "C:\temp" of the machines had several temp files (around 50.000 with just 1Kb) created by the DLP endpoint client.

    The solution they found was to manually delete the temp files, but after a time the folder is full again.

    For some users this cycle was so fast that they just uninstalled the DLP client.

    And now we need to solve this issue.

    Is it a configuration problem?

    Is there some configuration variable that makes the agent store those temp files?

    PS: they have SEP installed too.



  • 2.  RE: Too much Temp files at the Endpoint

    Broadcom Employee
    Posted Feb 04, 2013 12:04 PM
    I believe it is because of SEP. What is the SEP version? What are the names of the files? Use the latest version of the SEP client.


  • 3.  RE: Too much Temp files at the Endpoint

    Posted Feb 04, 2013 01:10 PM

    Customer has the SEPM and SEP agent version 11.0.7000.975

    The files in the "C:\temp" folder are, for example, "DLP1A0.tmp", "DLP1A1.tmp"...

    It is a DLP file!



  • 4.  RE: Too much Temp files at the Endpoint

    Posted Feb 06, 2013 04:19 AM

    Hi

    We make a snapshot of any file that we are evaluating for removable storage. That way, if the file is removed before we detect, we can still monitor the file and create an incident, allowing us to be aware that the copy happened. Before processing, the files are copied into .snp files that are stored in the C:\Program Files\Manufacturer\Endpoint Agent\temp directory.
    The .snp (snapshot) files are the original copies of the files we scan. The file is then copied to a .vep (Vontu Endpoint) file, which is used in the detection process.
    We keep the last 20 snp files so there should never be more than 20 files in this folder in v10. The .snp files should be removed if the edpa process is restarted. If there are more than 20 files or they are not removed after restarting the edpa process then contact technical support.
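
Added example, not part of any post in this thread and not vendor code: a PowerShell triage script that measures the two buildups discussed above, the `DLP*.tmp` files in `C:\temp` and the `.snp` snapshots that should stay at 20 or fewer and be cleared when `edpa` restarts. The parameter names, the report layout and the process name `edpa` as a `Get-Process` target are assumptions; `Manufacturer` in the path is the placeholder used in the thread. It assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added triage example, not vendor code. Read-only: it deletes nothing.
param(
    [string]$TempDir      = 'C:\temp',    # folder named in the thread
    [string]$TempPattern  = 'DLP*.tmp',   # matches DLP1A0.tmp, DLP1A1.tmp, ...
    # "Manufacturer" is the thread's placeholder; pass the real install path.
    [string]$SnapshotDir  = 'C:\Program Files\Manufacturer\Endpoint Agent\temp',
    [int]$SnapshotLimit   = 20,           # "we keep the last 20 snp files"
    [string]$AgentProcess = 'edpa'        # assumed to be the agent's process name
)

function Get-FileBuildup {
    param([string]$Dir, [string]$Pattern)
    $files = @()
    if (Test-Path -LiteralPath $Dir) {
        $files = @(Get-ChildItem -LiteralPath $Dir -Filter $Pattern -File -ErrorAction SilentlyContinue |
                   Sort-Object CreationTime)
    }
    $bytes = 0
    foreach ($f in $files) { $bytes += $f.Length }
    [pscustomobject]@{
        Dir    = $Dir
        Count  = $files.Count
        SizeKB = [math]::Round($bytes / 1KB, 1)
        Oldest = if ($files.Count) { $files[0].CreationTime }
        Newest = if ($files.Count) { $files[-1].CreationTime }
        Files  = $files
    }
}

$tmp = Get-FileBuildup -Dir $TempDir -Pattern $TempPattern
$snp = Get-FileBuildup -Dir $SnapshotDir -Pattern '*.snp'
$tmp, $snp | Format-Table Dir, Count, SizeKB, Oldest, Newest -AutoSize

# Files created per hour: shows how fast the folder refills after a manual cleanup.
$tmp.Files | Group-Object { $_.CreationTime.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Count -Descending | Select-Object -First 5 Name, Count | Format-Table -AutoSize

if ($snp.Count -gt $SnapshotLimit) {
    Write-Warning "$($snp.Count) .snp files exceed the limit of $SnapshotLimit described in the thread."
}
# Snapshots older than the running agent survived a restart that should have removed them.
$agent = Get-Process -Name $AgentProcess -ErrorAction SilentlyContinue | Select-Object -First 1
if ($agent -and $agent.StartTime) {
    $stale = @($snp.Files | Where-Object { $_.CreationTime -lt $agent.StartTime })
    if ($stale.Count) { Write-Warning "$($stale.Count) .snp files predate the current $AgentProcess start." }
}
```

The per-hour counts and the two warnings are the figures to attach when opening a support case.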


  • 5.  RE: Too much Temp files at the Endpoint

    Posted Feb 06, 2013 04:34 AM

    Hi,

    Also refer below

    https://www-secure.symantec.com/connect/forums/why-dlp-agents-are-creating-huge-vep-files

    The DLP agent makes a snapshot of any file that it is evaluating for removable storage. That way, if the file is removed before the DLP agent detects it, the DLP agent can still monitor the file and create an incident, allowing us to be aware that the copy happened. Before processing, the files are copied into .snp files that are stored in the C:\Program Files\Manufacturer\Endpoint Agent\temp directory.

    The .snp (snapshot) files are the original copies of the files the DLP agent scans. The file is then copied to a .vep (Vontu Endpoint) file, which is used in the detection process.



  • 6.  RE: Too much Temp files at the Endpoint

    Posted Feb 06, 2013 05:06 AM

    Hi,

    I have seen that topic, and I think it is NOT the same problem!

    The directory that is being compromised is "C:\Temp" and the files are .tmp, really small, with just a few binary characters inside.

    We will investigate more and bring more info about this case.

    Thanks



  • 7.  RE: Too much Temp files at the Endpoint

    Posted Apr 28, 2013 07:23 AM

    Hi Guil,

    Please refer below

    https://www-secure.symantec.com/connect/forums/symantec-dlp-endpoint-os-space-issue