Data Loss Prevention

Guys,

Few of the DLP agents in a DLP deployment generated huge .vep files without any relevant policy in place. There was only one policy which was configured for a very unique keyword but next day few users with DLP agents complained about huge .vep file size.

Can anyone explain this to me?

Regards.

DLP agent makes a snapshot of any file that are evaluating for removable storage.  That way, if the file is removed before DLP agent detect, DLP agent can still Monitor the file and create an incident, allowing us to be aware that the copy happened.  Before processing, the files are copied into an .snp files that are stored in the C:\Program Files\Manufacturer\Endpoint Agent\temp directory.

The .snp (snapshot) files are the original copies of the files DLP agent scan. The file is then copied to a .vep (Vontu Endpoint) file, which is used in the detection process.

So, can you try to reboot these few agents?

Thanks Yang for the response. Yes we rebooted few agents and found this issue goes away when rebooted. What is the reason for this? Please also suggest precaurtions if any to avoid this problem in future.

Hi Atif,

Yes agree with yang.,but you can also refer below details as

If you implement any of the above scenarios on your deployment, make sure that VEP file optimization is turned off. Go to System > Servers > Overview > Server Detail > Advanced Endpoint Settings and scroll down for FileSystem.ENABLE_VEP_FILE_ELIMINATION.int. The parameter should be set to 0.

By default, VEP file optimization is disabled.

VEP File Elimination should be disabled when:

* Two-Tier policies are used on the endpoint, OR
* Data Retention is enabled on the endpoint, OR
* Symantec Endpoint Encryption is used on the endpoint.

Otherwise, VEP File Elimination can be enabled.

Hi , 

i am using DLP version 15.8 and i have the same issue whereby my user outlook keep hang can the creating a huge .VEP file . I have check in the DLP Sytem->Server & detector-> Overview ->Server Details -Advanced settings .. i cannot find the "FileSystem.ENABLE_VEP_FILE_ELIMINATION.int" this line item .  Kindly advise what should i do next ? 

Hi @kenny tan, 

First, to add to the early comments from Yang, here is an article that notes these files and their usage:  The temporary files created by Endpoint Agent

Settings regarding .vep file creation are in the AGENT CONFIGURATION ADVANCED SETTINGS. 
Advanced agent Setttings
System > Agents > Agent Configuration* > Advanced Settings
You'll see the setting and its various configurations with definitions there. Most likely you'll want the default value of '3'.

You may have a different issue here with a specific policy (see comment by DLP kishorilal)

*Make sure to select the correct agent configuration for the agent in question there. 

Hi SethD, 

Noted , i have made the changes in the Agent Configuration and i have also set it "1" 

but the problem still persist , my user still having the Outlook hang due to the VEP file is huge which causes the DISK utilization spikes . 

Example below, 

can i disable the VEP creation or is there any other alternative solution like dont allow to create VEP file or dont scan the Outlook ? 

kindly advise. 

regards,

Thanks Kishorilal,

I have a confusion. Please correct me. By words "ENABLE_VEP_FILE_ELIMINATION.int" points to the action DLP takes to eminite .vep file to avoid disk space issue. If that is correct then it should be enabled. Please correct me if I am wrong.

Regards.

Yes, Atif its correct but please ensure all the required criteria and impact of the changes.