Endpoint Protection

Immediately after running a routine set of database maintenance procedures, I noticed one of the SEPM servers had just lost 2 GB of space somehow. Never happened before.

Found that the largest file in C:\WINDOWS\system32\–ar   was much larger than I recall it being before, at 7 GB size. Yes, 7 GB.

C:\WINDOWS\system32\–ar  is a SEPM or SEP folder.

--> My question is how do the .DAT files in there relate to the embedded database, and how safe is it to delete them (or at least the largest one) ?

Our SEPMs are at version 11.0.6005  (RU6a)  and run on Win 2003 Std Ed SP2.  The size of the database file, sem5.db,  is 4 GB.  .  

Thanks

John

I dont think its related to sep/sepm...all the dat files are stored here

http://www.symantec.com/business/support/index?page=content&id=TECH91835&locale=en_US

Hello,

C:\WINDOWS\system32\–ar  is neither a SEPM or SEP folder.

Your question is how do the .DAT files in there relate to the embedded database, and how safe is it to delete them (or at least the largest one) ?

Answer: Check the following KB article:

What settings are stored in each of the .DAT files in the Symantec Endpoint Protection 11.x folder?

http://www.symantec.com/business/support/index?page=content&id=TECH102410&actp=search&viewlocale=en_US&searchid=1298531798651

Incase if the Dat files are Accumulating, I would say check the following KB article:

.dat files accumulating in the Inbox folder on SEPM

http://www.symantec.com/business/support/index?page=content&id=TECH95166&actp=search&viewlocale=en_US&searchid=1298531798651

Hope that answers your Question...

Cheers!!

Rafeeq ande Mithun, Thank you for the info, which is the kind of thing I like to know.

One of the reasons it is Symantec is that right under the C:\WINDOWS\system32\–ar  folder is another folder named {D689B418-235A-4290-A0A5-A75E490E0351}  that contains a set of SEP install files.

Then I searched some more in my own files and found exactly what SEP-related activity writes these .DAT files: it is the dbunload command, which is part of database maintenance. .

This is the dbunload command and some of its dialog window output which will illustrate:

C:\Program Files\Symantec\SEPM\ASA\win32>dbunload -c "uid=dba;pwd=xxxxxxxxx" -ar

Adaptive Server Anywhere Unload Utility Version 9.0.2.3654

Unloading "DBA"."BASIC_METADATA" into -ar\436.dat (relative to server)

Unloading "DBA"."SYSTEM_STATE" into -ar\437.dat (relative to server)

Unloading "DBA"."PROCESS_STATE" into -ar\438.dat (relative to server)

etc. etc.

Notice "into -ar"  and the filenames which look exactly like what I see in the -ar folder.  The files are some sort or work files for the dbunload command.

(I just realized that the dbunload dialog indicates gives a clue as to which table is the largest.)

Knowing this, I have decided to delete the files.  

Thank you

I deleted all of the .DAT files from C:\WINDOWS\system32\–ar  and recovered 7 GB.

I would like to see the dbunload documentation mention that dat files are created in  C:\WINDOWS\system32\–ar  , "which can sometimes grow quite large, and can be deleted."

Two nearly-identical Symantec docs on the dbunload command 

Document ID:2008022616103648
http://service1.symantec.com/SUPPORT/ent-security.nsf/815a8fe58decda8488257363002b62ab/64ab2040ab6d71a7882573fc0000f8a2?OpenDocument

and Article: TECH104278

http://www.symantec.com/business/support/index?page=content&id=TECH104278&locale=en_US

Thansk

John

Hello John,

thanks for sharing the information, learned something from u today, thank u .