Data Loss Prevention


ttds.ead is very large. can this be deleted?

  • 1.  ttds.ead is very large. can this be deleted?

    Posted Jan 30, 2012 12:04 PM

    Hi all, does anyone know exactly what this file caches? I have a computer where ttds.ead is 9GB in size and would like to know whether this file can be deleted and what information is stored in it.



  • 2.  RE: ttds.ead is very large. can this be deleted?

    Broadcom Employee
    Posted Jan 30, 2012 09:18 PM

    ttds.ead:

    If two-tier detection is enabled, the messages for EDM/IDM that need to be sent to the Enforce Server for processing are stored here.



  • 3.  RE: ttds.ead is very large. can this be deleted?

    Posted Feb 01, 2012 03:31 PM

    I have had several computers lately that have had these files for ttds.ead, and some are as large as 27GB and some as little as 50MB.

    Also, at the same time edpa.exe is using 50+% of the CPU. I am getting about 5-7 computers in my company with this issue. So far an uninstall of the agent client and a reinstall will fix it.

    Has anyone else seen this issue with edpa.exe taking a lot of CPU?



  • 4.  RE: ttds.ead is very large. can this be deleted?

    Posted Mar 15, 2012 11:15 PM

    Yes, I have the same issue almost every day. My ttds.ead is 2GB, and sometimes edpa takes 10% CPU usage and much more I/O; I cannot do anything else when the process is busy.



  • 5.  RE: ttds.ead is very large. can this be deleted?

    Posted Mar 16, 2012 09:53 AM

    Hi Mike,

    You can try the steps below.

     

    The ttds.ead file has grown big because I accidentally created an EDM or IDM policy for my Endpoint.  I do not want to process these messages, and the extra traffic is interfering with collecting the incidents that are gathered.  How can I remove the messages that are being stored on the agent to be sent to the server?

    The ttds.ead contains the messages that are waiting to be sent to the server for two-tier detection.  If there is a problem with the two-tier detection, it is best to turn off the two-tier policies first.  If the ttds.ead file is not reducing in size by itself, there may be a problem with getting the messages to the server.

    To remove the messages from the agent's store, do the following:

    1. Stop the Endpoint Agent.  This can be done either by using the agent tool service_shutdown.exe or by executing the following command:

    cmd> sc stop edpa && sc stop wdp

    2. Edit the ttds.ead file and delete the cache using vontu_sqlite3.exe, also available with the agent tools.

    cmd> vontu_sqlite3 -db=ttds.ead -p=VontuStop

    sqlite> delete from TwoTierCache;
    sqlite> delete from TwoTierCacheFile;
    sqlite> vacuum;
    sqlite> .exit

    3. Restart the Endpoint Agent

    cmd> sc start edpa



  • 6.  RE: ttds.ead is very large. can this be deleted?

    Posted Mar 17, 2012 12:58 AM

    Thank you, kishorilal. Could you show me where I can get the agent tool?



  • 7.  RE: ttds.ead is very large. can this be deleted?
    Best Answer

    Posted Mar 17, 2012 01:54 AM

    Hi Angus,

    I have attached the tools for your reference.  Extract them using either WinRAR or 7-Zip.

     

    Attachment(s): Endpoint Tools.7z (409 KB)


  • 8.  RE: ttds.ead is very large. can this be deleted?

    Posted Mar 20, 2012 10:15 AM

    Thanks Syed for the help. My issues with the file seem to have calmed down after upgrading to version 11.5 agents.

     

    After a lot of testing and asking around my company, I kind of feel that we had some DNS issue around the same time my agents all went haywire and the ttds.ead file started to grow. What I think is that my agents were configured with a DNS name for our endpoint servers, and when our DNS went haywire the agents that communicated to a particular Endpoint server started collecting data and storing it in the ttds file, and when DNS came back around the agents did not report the info they collected, which caused the ttds file to grow even more. I have since pushed out the new 11.5 client with a configuration of an IP address instead of a DNS address. So far everything is running fine.

    On a side note, I do not set the agents with a secondary server because in the past, if the primary server went down and the agents moved to the backup server, it worked fine. Now when the primary server came back up, the agents stayed on the secondary server. I would like to see this changed with something like the agents trying to contact the primary server again.

     

    Also, one issue I see when I pull logs on a few agents is,

    03/20/2012 09:41:14 |  3824 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\315914869203713379.VEP

    This warning shows up a lot on some of the agents. Is there a reason that some agents' log files get flooded with this warning and others do not?
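
One way to measure how often that warning appears in an agent log and to flag logs it dominates, as an added example that is not part of the original post or of the product's tooling. The line layout is inferred from the single log line quoted above; the `INFO` line, the `ExampleComponent` name, the extra file names and the flood thresholds are constructed assumptions.

```python
import re
from collections import Counter

# Layout inferred from the one log line quoted in the thread (an assumption):
# MM/DD/YYYY HH:MM:SS | <numeric id> | LEVEL | Component | message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \|\s*(?P<id>\d+) \| "
    r"(?P<level>\w+) \| (?P<component>\w+) \| (?P<msg>.*)$"
)
ZERO_LEN_RE = re.compile(r"invalid content length 0 for file (?P<path>.+)$")

def summarize(lines):
    """Count parsed lines, warnings per component, and zero-length metadata warnings."""
    total = 0
    warnings = Counter()
    zero_len_files = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines or unknown layouts are skipped
        total += 1
        if m["level"] != "WARNING":
            continue
        warnings[m["component"]] += 1
        z = ZERO_LEN_RE.search(m["msg"])
        if z:
            zero_len_files.append(z["path"])
    return {"total": total, "warnings": warnings, "zero_len_files": zero_len_files}

def is_flooded(summary, ratio=0.5, min_hits=3):
    """Flag a log where the zero-length warning dominates the parsed lines.
    Both thresholds are arbitrary starting points, not vendor guidance."""
    hits = len(summary["zero_len_files"])
    return hits >= min_hits and hits / max(summary["total"], 1) >= ratio

# Constructed sample: the first line is the one quoted in the thread; the rest are made up.
SAMPLE = r"""
03/20/2012 09:41:14 |  3824 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\315914869203713379.VEP
03/20/2012 09:41:15 |  3824 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\000000000000000001.VEP
03/20/2012 09:41:16 |  3824 | INFO | ExampleComponent | constructed informational line
03/20/2012 09:41:17 |  3824 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\000000000000000002.VEP
""".strip().splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["warnings"], len(s["zero_len_files"]), is_flooded(s))
```

Running the same summary over logs pulled from several agents makes it possible to compare affected and unaffected machines by count rather than by eye.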



  • 9.  RE: ttds.ead is very large. can this be deleted?

    Posted Mar 24, 2012 12:20 PM

    Thanks Syed sir,

    for providing this tool for everyone. It will be helpful to all in need.

    Thanks once again for sharing this.

    Regards

    Kishorilal



  • 10.  RE: ttds.ead is very large. can this be deleted?

    Posted Mar 25, 2012 12:43 PM

    Hi Mike,

    Are you still waiting for a solution, or is it resolved? As you know, the ttds.ead file has grown big because it accidentally created an EDM or IDM policy for Endpoints. The ttds.ead contains the messages that are waiting to be sent to the server for two-tier detection. If this is increasing, modify the policy, and old files can be deleted through the Oracle SQL queries. You can use the tool that Syed has provided to you, and apply the SQL queries after studying the risk and procedure.

     

    Regards

    Kishorilal



  • 11.  RE: ttds.ead is very large. can this be deleted?

    Posted Mar 27, 2012 03:39 AM

    Hi all,

    We can use this solution for 2 or 3 systems, but if it is 100+ then it is not possible to go to each and every system. I think this is a bug and Symantec must provide a hotfix or patch to resolve this issue.

    Regards,

    Amol Sahare



  • 12.  RE: ttds.ead is very large. can this be deleted?

    Posted Mar 27, 2012 02:00 PM

    We cleared out the ttds problems by scripting the new version 11.5 to uninstall, make sure the agent folder is deleted in the program files directory, and then perform a fresh install.

    This has worked for us.