Hi Mike,
you can try as below
The ttds.ead file has grown big because I accidentally created an EDM or IDM policy for my Endpoint. I do not want to process these messages, and the extra traffic is interfering with collecting the incidents that are gathered. How can I remove the messages that are being stored on the agent to be sent to the server?
The ttds.ead contains the messages that are waiting to be sent to the server for two-tier detection. If there is a problem with the two-tier detection, it is best to turn off the two-tier policies first. If the ttds.ead file is not reducing in size by itself, there may be a problem with getting the messages to the server.
To remove the messages from the agent's store do the following:
1. Stop the Endpoint Agent. This can be done either by using the agent tool service_shutdown.exe or by executing the following command:
cmd> sc stop edpa && sc stop wdp
2. Edit the ttds.ead file and delete the cache using vontu_sqlite3.exe, also available with the agent tools.
cmd>vontu_sqlite3 -db=ttds.ead -p=VontuStop
sqlite> delete from TwoTierCache;
sqlite> delete from TwoTierCacheFile;
sqlite> vacuum;
sqlite> .exit
3. Restart the Endpoint Agent
cmd>sc start edpa